JOB: LAMP Artisan

Steve Meyers steve at
Fri Feb 28 16:13:41 MST 2014

There's some serious misinformation going on here.

On 2/24/14 11:02 AM, Eric Wald wrote:
> In PHP, the easy, obvious way to construct a webpage is to intermingle
> hard-coded bits with unsanitized user input.

I won't argue with that; PHP was originally intended as a web templating 
language.  It's certainly not the common use of PHP these days, though.

> In PHP, the easy, obvious way to interact with a database is to stuff
> user input straight into a string and use that as your query.

Most people using PHP these days use libraries that support prepared 
statements, so I think this outlook may be a bit outdated.

> In PHP, the easy, obvious way to build a website is to make each page
> its own script, including a global configuration file if necessary.

It may be the "easy, obvious way", but it's not the way most sites are 

> Some configurations of PHP and/or Apache make it possible to view the
> source of a PHP file from over the web, including the aforementioned
> global configuration file.

You'd have to seriously screw up your Apache configuration to do that. 
Is it possible? Yes. Is it common? Not even remotely.

> In PHP, passing an array to a function makes a copy by default, making
> it easy to run out of memory, simplifying denial-of-service attacks.

This is false, and has been for well over a decade (since PHP 4.0 was 
released in 2000).  PHP uses copy-on-write if you don't pass by reference.

More information about the PLUG mailing list