JOB: LAMP Artisan

Dan Egli ddavidegli at gmail.com
Fri Feb 28 02:15:40 MST 2014


On February 26, 2014, Michael Torrie wrote:

>> same misconfiguration can result in dumping Python, Perl, Ruby, etc...



> Actually, this is not really possible with Python, Ruby, or Java, since

> the code generating the page is never accessible to the web server.



Well, I never brought up Java. Java servlets are pre-compiled IIRC, so
that's completely different.



> It's outside the webroot. The only interface to it is the callable

> interface (the API).



That's how it SHOULD be done, yea. And it's how PHP should be done too. But
I've seen examples here and there of perl and python scripts in the web
root. I've never seen ruby at work at all, so I can't say anything good or bad
about it except what I've seen when I glanced at articles about programming
in it, and that has nothing to do with the topic at hand. Point being there
are always people who will go for the shortest, quickest approach. Those
are the people who give ANY language a bad name. I can take the time and
write a perl program that is careful, checks itself, and does its job
well. Or I can write a perl script in a couple hours that grabs input and
works on it, regardless of whether that input is actually correct. The latter
can make perl look like a bad language. Same with python. And the same with
PHP. I've only seen a few php routines that were stored in /var/www/html
(or other webroot). 98% of the PHP work I've seen, and all I've done
(except for quick things that I delete later) exist in their own /var/www/*
directory (or even outside of /var/www). Because they are outside the
webroot, requesting the page does not return its code, but executes the
page and returns the output.



Let's just summarize this way. Are there bad PHP programs that are set up
with very poor security? Absolutely. Are there good PHP programs that are
written well and are as close to bug free as possible? You better believe
it. Can you make horrible security mistakes in Python, or Perl? Yes you
can! Is PHP worse than any other language? That's a very subjective
question. Some people will knee jerk yes. Some people will consider and say
yes. Some will consider and say maybe. Some will consider and say no. Some
will knee jerk and say no. I, myself, consider and say no. It's no worse
than any other language that's built on top of tons of 3rd party
contribution. If you think the PEAR archive has problems then I guess you
don't consider CPAN any better. I'm sure Python has a similar repository
too.


--- Dan


On Wed, Feb 26, 2014 at 8:29 PM, Michael Torrie <torriem at gmail.com> wrote:

> On 02/26/2014 02:30 AM, Dan Egli wrote:
> >> Some configurations of PHP and/or Apache make it possible to view the
> >> source of a PHP file from over the web, including the aforementioned
> >> global configuration file.
> >
> > Well, that would be a problem, yes. But that's due to poor configuration
> in
> > the apache config file, not due to any problems in the PHP language. The
> > same misconfiguration can result in dumping Perl, Python, Ruby, etc....
> >
>
> Actually, this is not really possible with Python, Ruby, or Java, since
> the code generating the page is never accessible to the web server.
> It's outside the webroot. The only interface to it is the callable
> interface (the API).
>
> CGI is another story, of course, but normally CGI scripts also live in
> their own directory, outside the webroot.
>
>
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>
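The layout Dan and Michael both describe (application code outside the DocumentRoot, only a thin entry point inside it) and the symptom of the misconfiguration under discussion (a .php URL answered with its own source) can both be checked from the shell. The script below is an added example, not code from the thread; the directory names and the response bodies it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: defender-side checks for the "PHP source served instead of
# executed" problem and the "code outside the webroot" layout discussed above.
# All paths and sample bodies are constructed for this example.

# Exit 0 if APPDIR is not located anywhere under WEBROOT (symlinks resolved).
app_outside_webroot() {
  webroot=$(cd "$1" && pwd -P) || return 2
  appdir=$(cd "$2" && pwd -P) || return 2
  case "$appdir/" in
    "$webroot"/*) return 1 ;;   # app code would be directly requestable
    *) return 0 ;;
  esac
}

# Print every .php file under WEBROOT except the allowed entry point.
# Anything listed here would be served as text if the PHP handler were
# ever disabled or scoped to the wrong directory.
stray_php_in_webroot() {
  find "$1" -type f -name '*.php' ! -name "${2:-index.php}"
}

# Exit 0 if a saved HTTP response body (e.g. curl -s URL > body.txt) still
# contains a PHP open tag, i.e. the server returned source, not output.
body_is_php_source() {
  grep -q '<?php' "$1"
}

# Build a constructed fixture in a temp dir and run the three checks.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/public" "$tmp/app"
  printf '<?php require "%s/app/bootstrap.php";\n' "$tmp" > "$tmp/public/index.php"
  printf '<?php $db_password = "constructed";\n' > "$tmp/app/bootstrap.php"
  app_outside_webroot "$tmp/public" "$tmp/app" && echo "app dir is outside webroot"
  [ -z "$(stray_php_in_webroot "$tmp/public")" ] && echo "no stray .php files in webroot"
  # Simulate a captured response that leaked source instead of output.
  printf '<?php $db_password = "constructed";\n' > "$tmp/leaked.txt"
  body_is_php_source "$tmp/leaked.txt" && echo "response body is PHP source: handler misconfigured"
  rm -rf "$tmp"
}

demo
```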

