Newsgroups: php.internals
Subject: RE: [PHP-DEV] PHP Philosophy (was RE: [PHP-DEV] Scalar type hinting)
From: John Crenshaw <johncrenshaw@priacta.com>
To: Richard Lynch, internals@lists.php.net
Date: Thu, 1 Mar 2012 19:18:00 -0500

From: Richard Lynch [mailto:ceo@l-i-e.com]
> On Thu, March 1, 2012 2:38 am, John Crenshaw wrote:
> >> You might consider those scripts poor programming practice. We all do.
> >> But PHP is the language of the unwashed masses, and that was, and is,
> >> part of why it is hugely popular. Somebody who barely understands
> >> programming can pound away at the keyboard and write a bloody useful
> >> web application, breaking 10,000 Computer Science rules along the way.
> >
> > And in 20 minutes I can hack into that application 20 different ways.
> > This isn't really PHP's fault...or is it? By deliberately catering to
> > the lowest possible denominator is it possible that PHP itself
> > contributes to the proliferation of wildly insecure web sites? I do
> > understand the "unwashed masses" argument, and yet, the security geek
> > in me sometimes questions how "good" this is.
> >
> > (Before someone flames me, I'm not really saying that we should scrap
> > any foundational principles or tell basic users to go hang themselves.
> > This is mostly philosophical musing.)
>
> We make concerted efforts to educate scripters, by posting the same thing in all our blogs.
>
> Even if all they understand is "Don't do this!" it's good enough for most of them.
>
> Other times the decision was made to just deprecate a "feature" and provide a migration path, if suitable, but spread out over major releases:
> PHP x.0: Feature is bad, but there
> PHP x+1.0: Feature is E_DEPRECATED (or documented as such before E_DEP) [This is the bit where a LOT of scripted edumacation has to happen.]
> PHP x+2.0: Feature is just gone.
>
> People who completely ignore docs or don't upgrade remain vulnerable, but there's not much you can do without making life miserable for a bazillion developers.

No, you've misunderstood. The average new not-really-a-developer has no concept of security. Every SQL query they write is vulnerable to injection. Every echo exposes their site to XSS vulnerabilities. Every form is vulnerable to CSRF. If they did anything with files in their script I may be able to read arbitrary files from their server and/or upload and execute arbitrary scripts. If they used eval() or system() I can probably execute arbitrary shell code and take control of the entire site. If their server is badly configured I could capture the entire machine.

This isn't a question of keeping software updated and not using deprecated functions; this is a question of discipline that is completely missing among the "unwashed masses" as you call them. The intuitive way to handle many of the most common PHP tasks is also the completely insecure way. Philosophically, I wonder if we do a great disservice by encouraging these people to tinker with code at all. We do so knowing (or at least we should know) that anything they create will inevitably be hacked. We fuel the widespread security problems that currently plague the web.

John Crenshaw
Priacta, Inc.
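An added PHP illustration of the "intuitive way is the insecure way" point above (not code from the thread or from any list member): the naive form handler, kept in comments, beside a disciplined one for the three issues the message names. It assumes a `users` table with `id` and `name` columns, the PDO/MySQL credentials shown, and PHP 7 or later for random_bytes().

```php
<?php
// Added illustration, not from the thread. Assumed: a `users` table (id, name),
// the PDO/MySQL credentials below, and PHP 7+ for random_bytes().
// --- The intuitive version: each line is one flaw the message names ----------
// $db  = mysqli_connect('localhost', 'app', 'secret', 'app');
// $id  = $_GET['id'];
// $row = mysqli_fetch_assoc(mysqli_query($db, "SELECT name FROM users WHERE id = $id")); // SQL injection
// echo "<h1>Hello " . $row['name'] . "</h1>";                                           // XSS
// if ($_POST['action'] == 'delete') mysqli_query($db, "DELETE FROM users WHERE id = $id"); // CSRF
// --- The disciplined version --------------------------------------------------
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);
// Validate the type before the value goes anywhere near a query.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('bad id');
}
// XSS: encode on output, with the HTML context and charset stated explicitly.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
// CSRF: a per-session random token that every state-changing POST must present.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!hash_equals($_SESSION['csrf'], (string) ($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    if (($_POST['action'] ?? '') === 'delete') {
        // SQL injection: bound parameter, never string interpolation.
        $pdo->prepare('DELETE FROM users WHERE id = :id')->execute([':id' => $id]);
    }
}
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$stmt->execute([':id' => $id]);
$name = $stmt->fetchColumn();   // false when no such row
echo '<h1>Hello ' . e($name === false ? 'stranger' : $name) . '</h1>';
echo '<form method="post"><input type="hidden" name="csrf" value="' . e($_SESSION['csrf']) . '">'
   . '<button name="action" value="delete">Delete</button></form>';
```

The file-handling, eval() and system() cases the message also lists are not shown; the same pattern applies, validate and constrain the input first, then use an API that does not reinterpret it.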