JOB: LAMP Artisan

keith smith klsmith2020 at
Wed Feb 26 12:34:04 MST 2014

What you describe is not a language issue it is a programmer issue.  

Keith Smith

On Monday, February 24, 2014 11:02 AM, Eric Wald <eswald at> wrote:
On Mon, Feb 24, Michael Torrie wrote:
> Dan's question is, what is it about PHP that causes it to have such a
> horrible reputation for security?  What makes other languages better for
> real-world web stuff?  What are the trade-offs?

In PHP, the easy, obvious way to construct a webpage is to intermingle
hard-coded bits with unsanitized user input.

In PHP, the easy, obvious way to interact with a database is to stuff
user input straight into a string and use that as your query.

In PHP, the easy, obvious way to build a website is to make each page
its own script, including a global configuration file if necessary.

Some configurations of PHP and/or Apache make it possible to view the
source of a PHP file from over the web, including the aforementioned
global configuration file.

In PHP, passing an array to a function makes a copy by default, making
it easy to run out of memory, simplifying denial-of-service attacks.

Other languages make it harder to build web stuff in the first place,
making the easy, obvious way to use a framework.  Most such frameworks
are more inclined to make security a high priority.  Django's template
system, for example, escapes strings by default.  SQLAlchemy makes it
easier to use parameterized queries than to build the query string.

Then again, PHP doesn't have buffer overflow and null pointer problems,
so it might not be the absolute worst language for the web.

- Eric

PLUG:, #utah on
Don't fear the penguin.

More information about the PLUG mailing list