Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:124642
Precedence: bulk
MIME-Version: 1.0
References: <USzt7tZZlO1DmAbSTLhD-bqa23FqZn0zk2aah8Ndxgk9c7RY5PefQ8MjbYPUYAzr2_m4Cf-5AI4PuNBTS84rim_FNS6RaT-cWSv714HEvvU=@gpb.moe>
 <1a88918e-e808-d778-45e1-53797660e093@php.net> <CAPrKfG5Cw_nU7g7FR+t4C1-YZ8CDsDO_-sRs=yEsHO5kCTZL+A@mail.gmail.com>
 <95147d9d-d6e8-4396-bf0b-409c33679f90@bastelstu.be> <CAPrKfG4TijmZ_N9512_Fk9MBUNg=E6PjNTy-bCbV8CAj9_wX8A@mail.gmail.com>
 <6c0baa01-68e5-4d74-bc4e-d6830ab5076d@bastelstu.be>
In-Reply-To: <6c0baa01-68e5-4d74-bc4e-d6830ab5076d@bastelstu.be>
Date: Sat, 27 Jul 2024 02:54:12 -0700
Message-ID: <CAPrKfG64q5rxZDsKOdNLgT9kc2Ur_xuF2QLtzqe+SBANY51m1A@mail.gmail.com>
Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecations for PHP 8.4
To: =?UTF-8?Q?Tim_D=C3=BCsterhus?= <tim@bastelstu.be>
Cc: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="000000000000477684061e379e5c"
From: sarkedev@gmail.com (Peter Stalman)

--000000000000477684061e379e5c
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Fri, Jul 26, 2024, 04:58 Tim D=C3=BCsterhus <tim@bastelstu.be> wrote:

>
> I just Googled "PHP tutorial" and found https://www.phptutorial.net/ as
> the second search result, which considers itself to be "the modern PHP
> tutorial".
>
> I've clicked at the CSRF section
> (https://www.phptutorial.net/php-tutorial/php-csrf/) and what do I find:
>
>  > $_SESSION['token'] =3D md5(uniqid(mt_rand(), true));
>
> *Exactly* the md5-uniqid construction that is called out as unsafe in
> the RFC and used in a security context.
>
> Further down on the first page I find
> https://www.tutorialspoint.com/php/php_mysql_login.htm, which does not
> even hash the passwords that are stored within the database. At least
> it's using `mysqli_real_escape_string()`.
>
> Then I have the German php-einfach.de, which on
> https://www.php-einfach.de/php-tutorial/die-wichtigsten-php-funktionen/
> ("the most important PHP functions") lists md5() and sha1() as an
> important function, but does not mention hash() at all.
>
> I'm sure I would find quite a few more, but I believe those already
> support the point I was trying to make.
>

I don't think the examples you provided support the argument for
deprecating these functions. If anything, they highlight the real problem:
outdated tutorials being prominently featured in search results.  As you
mentioned, the MySQL login one doesn't even use a hashing function, so
deprecating md5 and sha1 functions would do nothing to fix that!

And how are these the top results? Are you telling me that the PHP
community can't create better websites and SEO than these ancient tutorials=
?

If someone encounters a problem because they can't use the md5() function,
they're likely to Google it and find a simple workaround like "just paste
this code and it'll work again." mentioned above. That would be just like
this deprecation proposal: identifying the wrong solution to the actual
problem.

The real question is, why aren't there better, more up-to-date resources
easily available for someone wanting to learn PHP in 2024? We're the PHP
community, we should be leading the web and SEO. Yet most people looking to
get into webdev today aren't reaching for PHP. I've seen recent videos
where developers are positively surprised by PHP's modern features.  But
can we blame them for being surprised if these are the top tutorials out
there?

Deprecating these functions isn't addressing the core issue. The focus
should be on making it easy for new learners to access up-to-date tutorials=
.

Thanks,
Peter

--000000000000477684061e379e5c
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"auto"><div><div class=3D"gmail_quote"><div dir=
=3D"ltr" class=3D"gmail_attr">On Fri, Jul 26, 2024, 04:58 Tim D=C3=BCsterhu=
s &lt;<a href=3D"mailto:tim@bastelstu.be" rel=3D"noreferrer" target=3D"_bla=
nk">tim@bastelstu.be</a>&gt; wrote:</div><blockquote class=3D"gmail_quote" =
style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
I just Googled &quot;PHP tutorial&quot; and found <a href=3D"https://www.ph=
ptutorial.net/" rel=3D"noreferrer noreferrer noreferrer" target=3D"_blank">=
https://www.phptutorial.net/</a> as <br>
the second search result, which considers itself to be &quot;the modern PHP=
 <br>
tutorial&quot;.<br>
<br>
I&#39;ve clicked at the CSRF section <br>
(<a href=3D"https://www.phptutorial.net/php-tutorial/php-csrf/" rel=3D"nore=
ferrer noreferrer noreferrer" target=3D"_blank">https://www.phptutorial.net=
/php-tutorial/php-csrf/</a>) and what do I find:<br>
<br>
=C2=A0&gt; $_SESSION[&#39;token&#39;] =3D md5(uniqid(mt_rand(), true));<br>
<br>
*Exactly* the md5-uniqid construction that is called out as unsafe in <br>
the RFC and used in a security context.<br>
<br>
Further down on the first page I find <br>
<a href=3D"https://www.tutorialspoint.com/php/php_mysql_login.htm" rel=3D"n=
oreferrer noreferrer noreferrer" target=3D"_blank">https://www.tutorialspoi=
nt.com/php/php_mysql_login.htm</a>, which does not <br>
even hash the passwords that are stored within the database. At least <br>
it&#39;s using `mysqli_real_escape_string()`.<br>
<br>
Then I have the German <a href=3D"http://php-einfach.de" rel=3D"noreferrer =
noreferrer noreferrer" target=3D"_blank">php-einfach.de</a>, which on <br>
<a href=3D"https://www.php-einfach.de/php-tutorial/die-wichtigsten-php-funk=
tionen/" rel=3D"noreferrer noreferrer noreferrer" target=3D"_blank">https:/=
/www.php-einfach.de/php-tutorial/die-wichtigsten-php-funktionen/</a> <br>
(&quot;the most important PHP functions&quot;) lists md5() and sha1() as an=
 <br>
important function, but does not mention hash() at all.<br>
<br>
I&#39;m sure I would find quite a few more, but I believe those already <br=
>
support the point I was trying to make.<br></blockquote></div></div><div di=
r=3D"auto"><br></div><div dir=3D"auto">I don&#39;t think the examples you p=
rovided support the argument for deprecating these functions. If anything, =
they highlight the real problem: outdated tutorials being prominently featu=
red in search results.=C2=A0 As you mentioned, the MySQL login one doesn=
9;t even use a hashing function, so deprecating md5 and sha1 functions woul=
d do nothing to fix that!<br><br>And how are these the top results? Are you=
 telling me that the PHP community can&#39;t create better websites and SEO=
 than these ancient tutorials?<br><br>If someone encounters a problem becau=
se they can&#39;t use the md5() function, they&#39;re likely to Google it a=
nd find a simple workaround like &quot;just paste this code and it&#39;ll w=
ork again.&quot; mentioned above. That would be just like this deprecation =
proposal: identifying the wrong solution to the actual problem.<br><br>The =
real question is, why aren&#39;t there better, more up-to-date resources ea=
sily available for someone wanting to learn PHP in 2024? We&#39;re the PHP =
community, we should be leading the web and SEO. Yet most people looking to=
 get into webdev today aren&#39;t reaching for PHP. I&#39;ve seen recent vi=
deos where developers are positively surprised by PHP&#39;s modern features=
.=C2=A0 But can we blame them for being surprised if these are the top tuto=
rials out there?<br><br>Deprecating these functions isn&#39;t addressing th=
e core issue.=C2=A0The focus should be on making it easy for new learners t=
o access up-to-date tutorials.<br></div><div dir=3D"auto"><br></div><div di=
r=3D"auto">Thanks,</div><div dir=3D"auto">Peter</div><div dir=3D"auto"><br>=
</div><div dir=3D"auto"><br></div><div dir=3D"auto"><br></div><div dir=3D"a=
uto"><div class=3D"gmail_quote"><blockquote class=3D"gmail_quote" style=3D"=
margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
</blockquote></div></div></div>
</div>

--000000000000477684061e379e5c--