Newsgroups: php.internals
Xref: news.php.net php.internals:58426
References: <693e15008681dfe7372eaea66214f8a8.squirrel@www.l-i-e.com> <4F4D5D44.5090307@developersdesk.com>
Date: Thu, 1 Mar 2012 15:44:07 -0600
To: "internals@lists.php.net"
Subject: RE: [PHP-DEV] PHP Philosophy (was RE: [PHP-DEV] Scalar type hinting)
From: ceo@l-i-e.com ("Richard Lynch")

On Thu, March 1, 2012 2:38 am, John Crenshaw wrote:
>> You might consider those scripts poor programming practice. We all do.
>> But PHP is the language of the unwashed masses, and that was, and is,
>> part of why it is hugely popular. Somebody who barely understands
>> programming can pound away at the keyboard and write a bloody useful
>> web application, breaking 10,000 Computer Science rules along the way.
>
> And in 20 minutes I can hack into that application 20 different ways.
> This isn't really PHP's fault...or is it? By deliberately catering to
> the lowest possible denominator is it possible that PHP itself
> contributes to the proliferation of wildly insecure web sites? I do
> understand the "unwashed masses" argument, and yet, the security geek
> in me sometimes questions how "good" this is.
>
> (Before someone flames me, I'm not really saying that we should scrap
> any foundational principles or tell basic users to go hang themselves.
> This is mostly philosophical musing.)

We make concerted efforts to educate scripters, by posting the same thing
in all our blogs. Even if all they understand is "Don't do this!" it's
good enough for most of them.

Other times the decision was made to just deprecate a "feature" and
provide a migration path, if suitable, but spread out over major releases:

PHP x.0:   Feature is bad, but there
PHP x+1.0: Feature is E_DEPRECATED (or documented as such before E_DEP)
           [This is the bit where a LOT of scripted edumacation has to happen.]
PHP x+2.0: Feature is just gone.

People who completely ignore docs or don't upgrade remain vulnerable, but
there's not much you can do without making life miserable for a bazillion
developers.

--
brain cancer update: http://richardlynch.blogspot.com/search/label/brain%20tumor
Donate: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FS9NLTNEEKWBE
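An added example, not from this thread and not PHP's own source, showing the userland form of the staged migration path described in the message: at stage x+1.0 a library keeps the old entry point working but flags every call with E_USER_DEPRECATED, and the application installs an error handler that collects E_DEPRECATED / E_USER_DEPRECATED notices during its test run so they are acted on before the x+2.0 removal. The class and method names (LegacyCrypto, hashPasswordLegacy, hashPassword) are hypothetical.

```php
<?php
// Added example (not from the mailing-list thread): the x+1.0 stage of a
// deprecate-then-remove migration, implemented in userland.
// LegacyCrypto, hashPasswordLegacy() and hashPassword() are hypothetical names.

declare(strict_types=1);

error_reporting(E_ALL); // deprecations must not be filtered out in test/CI runs

// Library side, stage x+1.0: the old API still works, but every call is flagged
// with a notice that tells the caller what to migrate to.
final class LegacyCrypto
{
    /** @deprecated use hashPassword(), which relies on password_hash() */
    public static function hashPasswordLegacy(string $password): string
    {
        trigger_error(
            'LegacyCrypto::hashPasswordLegacy() is deprecated; use LegacyCrypto::hashPassword().',
            E_USER_DEPRECATED
        );
        // Unsalted md5 is the "feature is bad, but there" behaviour being phased out.
        // It is kept callable only so existing callers do not break before x+2.0.
        return md5($password);
    }

    public static function hashPassword(string $password): string
    {
        return password_hash($password, PASSWORD_DEFAULT);
    }
}

// Application side: gather deprecation notices instead of letting them scroll
// past in a log nobody reads. A test suite would fail the build when
// $deprecations is non-empty, which is the "scripted edumacation" step.
$deprecations = [];
set_error_handler(
    function (int $errno, string $errstr, string $errfile, int $errline) use (&$deprecations): bool {
        $deprecations[] = sprintf('%s:%d %s', basename($errfile), $errline, $errstr);
        return true; // handled here; suppress the default output
    },
    E_DEPRECATED | E_USER_DEPRECATED
);

$legacy = LegacyCrypto::hashPasswordLegacy('correct horse'); // constructed sample input
$modern = LegacyCrypto::hashPassword('correct horse');

restore_error_handler();

printf("legacy hash: %s\n", $legacy);
printf("modern hash verifies: %s\n", password_verify('correct horse', $modern) ? 'yes' : 'no');
printf("deprecations recorded: %d\n", count($deprecations));
foreach ($deprecations as $d) {
    echo "  $d\n";
}
```

The handler mask limits collection to deprecation levels, so warnings and notices from other code keep their normal behaviour. Reading the collected list at the end of a CI run, rather than at runtime in production, is what makes the x+1.0 stage useful: callers find out about the pending removal while there is still a release cycle left to migrate.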