JOB: LAMP Artisan

Michael Torrie torriem at gmail.com
Mon Feb 24 10:08:32 MST 2014


On 02/24/2014 08:53 AM, Levi Pearson wrote:
> On Mon, Feb 24, 2014 at 2:55 AM, Dan Egli <ddavidegli at gmail.com> wrote:
> 
>> I hope you don't mean that seriously. I've developed many applications
>> using PHP and have yet to have any of my projects exploited. The logs on
>> some of my test projects indicate several people trying to break in (after
>> I invited friends and other programmers to try and break in so I could test
>> the security of the code), but the only times they got in were when I
>> forgot to be careful and took shortcuts I shouldn't have taken in the first
>> place. Once I fixed those shortcuts, the attempts all failed. I'll grant
>> that this was with Pgsql and not MySQL, but I'm not convinced the separate
>> DBMS was entirely responsible (partially, sure, because people did try
>> things known to work through MySQL, but they failed naturally enough on
>> Pgsql). And please don't ask for any details of exactly what was tried or
>> how I got around it. It's actually been quite a few years since I did much
>> of any web coding and I don't recall all the details of what I did.
> 
> This is a reasonable thing to do, and certainly better than nothing,
> but this sort of testing never offers any sort of proof of absence of
> bugs. And the thing about bugs is that different ones show up at
> different usage scales.

This is true regardless of the language and libraries used.  Some
languages try to mitigate the damage from inevitable bugs.  Perhaps
Dan's question is, what is it about PHP that causes it to have such a
horrible reputation for security?  What makes other languages better for
real-world web stuff?  What are the trade-offs?

I personally dislike PHP myself, but I admit it's come a long way from
the days of global variables.
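
The "days of global variables" mentioned above refers to PHP's old
register_globals setting, which turned every request parameter into a
PHP variable before the script ran. The following is an added
illustration, not code from this thread or from anyone posting in it:
check_password(), the credential table and the two request arrays are
constructed stand-ins, and extract() is used to emulate what
register_globals=On did automatically.

```php
<?php
// Added example: why register_globals earned PHP its reputation.
// check_password() and the request arrays below are constructed for
// the demo; extract() stands in for register_globals=On.

function check_password($user, $pass) {
    // Constructed credential store for the demo only.
    $users = array('alice' => 'correct horse');
    return isset($users[$user]) && $users[$user] === $pass;
}

// Vulnerable: the register_globals-era pattern. $authorized is never
// initialised, so a request carrying authorized=1 pre-seeds it and the
// check below is only ever able to set it, never clear it.
function legacy_is_authorized(array $request) {
    extract($request);               // emulates register_globals=On
    $u = isset($user) ? $user : '';
    $p = isset($pass) ? $pass : '';
    if (check_password($u, $p)) {
        $authorized = true;
    }
    return !empty($authorized);      // attacker-controlled if never set here
}

// Hardened: initialise every decision variable, read input only from the
// request array, and never let user input name or populate local variables.
function is_authorized(array $request) {
    $authorized = false;
    $user = isset($request['user']) ? $request['user'] : '';
    $pass = isset($request['pass']) ? $request['pass'] : '';
    if (check_password($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: one forged (wrong password, but it smuggles in
// an "authorized" parameter) and one legitimate.
$forged = array('user' => 'mallory', 'pass' => 'wrong', 'authorized' => '1');
$legit  = array('user' => 'alice',   'pass' => 'correct horse');

var_dump(legacy_is_authorized($forged));
var_dump(is_authorized($forged));
var_dump(is_authorized($legit));
```

Run it and the forged request is accepted by legacy_is_authorized() but
rejected by is_authorized(), while the legitimate request passes both.
register_globals was off by default from PHP 4.2 and removed in PHP 5.4,
but the same bug class survives wherever code calls extract() on
user-supplied arrays or relies on an uninitialised variable being falsy.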


More information about the PLUG mailing list