JOB: LAMP Artisan
steve at plug.org
Fri Feb 28 16:13:41 MST 2014
There's some serious misinformation going on here.
On 2/24/14 11:02 AM, Eric Wald wrote:
> In PHP, the easy, obvious way to construct a webpage is to intermingle
> hard-coded bits with unsanitized user input.
I won't argue with that; PHP was originally intended as a web templating
language. It's certainly not the common use of PHP these days, though.
> In PHP, the easy, obvious way to interact with a database is to stuff
> user input straight into a string and use that as your query.
Most people using PHP these days use libraries that support prepared
statements, so I think this outlook may be a bit outdated.
> In PHP, the easy, obvious way to build a website is to make each page
> its own script, including a global configuration file if necessary.
It may be the "easy, obvious way", but it's not the way most sites are
> Some configurations of PHP and/or Apache make it possible to view the
> source of a PHP file from over the web, including the aforementioned
> global configuration file.
You'd have to seriously screw up your Apache configuration to do that.
Is it possible? Yes. Is it common? Not even remotely.
> In PHP, passing an array to a function makes a copy by default, making
> it easy to run out of memory, simplifying denial-of-service attacks.
This is false, and has been for well over a decade (since PHP 4.0 was
released in 2000). PHP uses copy-on-write if you don't pass by reference.
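The three points argued above (string-spliced queries versus prepared statements, escaping on output, and copy-on-write array passing) in one runnable script. This is an added example, not code from the thread or its authors; it assumes a PHP build with the PDO SQLite driver, uses a constructed in-memory database, and the function names (findUserUnsafe, findUserSafe, renderList, copyOnWriteDeltas) are hypothetical.

```php
<?php
// Added example, not from the PLUG thread or its authors. It contrasts the
// "user input straight into the query string" pattern with a PDO prepared
// statement and HTML escaping, then checks PHP's copy-on-write array passing.
// Everything runs offline: the database is a constructed in-memory SQLite one.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed attacker input: closes the quoted literal and appends a tautology.
$attackerInput = "alice' OR '1'='1";

// Vulnerable form: the input is spliced into the SQL text, so its quote
// character becomes SQL syntax and the WHERE clause matches every row.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the value travels as a bound parameter and is never parsed
// as SQL, so only a user literally named "alice' OR '1'='1" could match.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The templating side of the same lesson: escape on output, so a name such as
// <script> is rendered as text instead of markup.
function renderList(array $names): string
{
    $items = '';
    foreach ($names as $n) {
        $items .= '<li>' . htmlspecialchars($n, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
    }
    return '<ul>' . $items . '</ul>';
}

// Copy-on-write check: passing an array by value does not duplicate it
// until the callee writes to it, so peak memory only jumps in the second case.
function readOnly(array $a): int
{
    return count($a);
}

function writesToCopy(array $a): int
{
    $a[] = 0;   // first write to the shared array triggers the actual copy
    return count($a);
}

function copyOnWriteDeltas(int $n = 500000): array
{
    $big = range(1, $n);
    $peak0 = memory_get_peak_usage();
    readOnly($big);
    $peak1 = memory_get_peak_usage();
    writesToCopy($big);
    $peak2 = memory_get_peak_usage();
    return ['read_only' => $peak1 - $peak0, 'after_write' => $peak2 - $peak1];
}

print_r(findUserUnsafe($db, $attackerInput));
print_r(findUserSafe($db, $attackerInput));
echo renderList(['alice', '<script>alert(1)</script>']), "\n";
print_r(copyOnWriteDeltas());
```

Run with `php example.php`. The unsafe lookup returns both users because the injected `OR '1'='1'` is parsed as SQL; the prepared-statement lookup returns nothing because the whole string is compared as a literal name. The rendered list shows the `<script>` text as escaped entities rather than a live tag. In the copy-on-write check, the `read_only` delta stays near zero while `after_write` grows by roughly the size of the array, which is the behaviour Steve describes: the copy happens only when the callee mutates its argument, not on the call itself.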
More information about the PLUG