Newsgroups: php.internals
Subject: Re: [PHP-DEV] PHP Philosophy (was RE: [PHP-DEV] Scalar type hinting)
From: kris.craig@gmail.com (Kris Craig)
To: John Crenshaw
Cc: Richard Lynch, "internals@lists.php.net"
Date: Thu, 1 Mar 2012 17:22:25 -0800

I agree with what John said. Limiting the scope to scalars, while having some advantages, probably wouldn't pass the "usefulness" test for most people.

--Kris

On Thu, Mar 1, 2012 at 4:18 PM, John Crenshaw wrote:

> From: Richard Lynch [mailto:ceo@l-i-e.com]
> > On Thu, March 1, 2012 2:38 am, John Crenshaw wrote:
> > >> You might consider those scripts poor programming practice. We all do.
> > >> But PHP is the language of the unwashed masses, and that was, and is, part of why it is hugely popular. Somebody who barely understands programming can pound away at the keyboard and write a bloody useful web application, breaking 10,000 Computer Science rules along the way.
> > >
> > > And in 20 minutes I can hack into that application 20 different ways. This isn't really PHP's fault...or is it? By deliberately catering to the lowest possible denominator is it possible that PHP itself contributes to the proliferation of wildly insecure web sites? I do understand the "unwashed masses" argument, and yet, the security geek in me sometimes questions how "good" this is.
> > >
> > > (Before someone flames me, I'm not really saying that we should scrap any foundational principles or tell basic users to go hang themselves. This is mostly philosophical musing.)
> >
> > We make concerted efforts to educate scripters, by posting the same thing in all our blogs.
> >
> > Even if all they understand is "Don't do this!" it's good enough for most of them.
> >
> > Other times the decision was made to just deprecate a "feature" and provide a migration path, if suitable, but spread out over major releases:
> >
> > PHP x.0: Feature is bad, but there
> > PHP x+1.0: Feature is E_DEPRECATED (or documented as such before E_DEP) [This is the bit where a LOT of scripted edumacation has to happen.]
> > PHP x+2.0: Feature is just gone.
> >
> > People who completely ignore docs or don't upgrade remain vulnerable, but there's not much you can do without making life miserable for a bazillion developers.
>
> No, you've misunderstood. The average new not-really-a-developer has no concept of security. Every SQL query they write is vulnerable to injection. Every echo exposes their site to XSS vulnerabilities. Every form is vulnerable to CSRF. If they did anything with files in their script I may be able to read arbitrary files to their server and/or upload and execute arbitrary scripts. If they used eval() or system() I can probably execute arbitrary shell code and take control of the entire site. If their server is badly configured I could capture the entire machine.
>
> This isn't a question of keeping software updated and not using deprecated functions, this is a question of discipline that is completely missing among the "unwashed masses" as you call them. The intuitive way to handle many of the most common PHP tasks is also the completely insecure way. Philosophically, I wonder if we do a great disservice by encouraging these people to tinker with code at all. We do so knowing (or at least we should know) that anything they create will inevitably be hacked. We fuel the widespread security problems that currently plague the web.
>
> John Crenshaw
> Priacta, Inc.
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
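The message above claims that the "intuitive" way to do the common PHP tasks (database queries, echoing values, forms, file access, running commands) is also the insecure way. As an added illustration that is not part of the thread or of any PHP project code, the snippet below pairs each intuitive idiom with the disciplined form a security reviewer would expect. It assumes a `mysqli` connection `$db`, a started session, and made-up table, column and directory names (`users`, `name`, `/var/app/downloads`); none of these come from the thread.

```php
<?php
// Added example, not from the mailing-list thread. Each section shows the
// naive idiom John Crenshaw describes next to a safer replacement.
// Assumptions: $db is a live mysqli connection, session_start() has run,
// and the table/column/directory names are placeholders.

declare(strict_types=1);

// --- 1. SQL injection: string-built query vs. prepared statement ----------

// Insecure: untrusted input is spliced into the SQL text and parsed as SQL.
function findUserInsecure(mysqli $db, string $name): ?array
{
    $result = $db->query("SELECT id, name FROM users WHERE name = '$name'");
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Safe: the value travels as a bound parameter and can never alter the query.
function findUserSafe(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// --- 2. XSS: raw echo vs. escaping on output ------------------------------

// Safe: escape for an HTML body or attribute context at the point of output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
// echo "Hello, $name";        // insecure: $name may carry markup or script
// echo 'Hello, ' . h($name);  // safe

// --- 3. CSRF: unprotected form vs. per-session token ----------------------

function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrfCheck(string $submitted): bool
{
    // hash_equals() is a constant-time comparison; a missing token never matches.
    return isset($_SESSION['csrf']) && hash_equals($_SESSION['csrf'], $submitted);
}
// In the form:    <input type="hidden" name="csrf" value="<?= h(csrfToken()) ?>">
// In the handler: if (!csrfCheck($_POST['csrf'] ?? '')) { http_response_code(403); exit; }

// --- 4. File access: user-controlled path vs. contained file name ---------

const DOWNLOAD_DIR = '/var/app/downloads';  // placeholder directory

// Insecure: readfile(DOWNLOAD_DIR . '/' . $_GET['file']);  "../" walks out.

// Safe: accept only a plain file name, then confirm the resolved path still
// lies inside the intended directory (realpath() collapses any "..").
function resolveDownload(string $requested): ?string
{
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $requested)) {
        return null;
    }
    $base = realpath(DOWNLOAD_DIR);
    $real = realpath(DOWNLOAD_DIR . '/' . $requested);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;  // missing file, "." or ".." resolving outside/onto base
    }
    return $real;
}

// --- 5. Command execution: system() on raw input vs. validated, escaped arg

// Insecure: system('ping ' . $_GET['host']);  the shell interprets the input.

// Safe: reject anything that is not a host name, then escape the single
// argument so the shell sees it as one literal word.
function pingOutput(string $host): ?string
{
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        return null;
    }
    return shell_exec('ping -c 1 ' . escapeshellarg($host));
}
```

The common thread is the one the message names as "discipline": data from the request is treated as data at every boundary (bound to the query, escaped for the output context, checked against a session token, confined to a directory, escaped as a single shell argument) rather than spliced into code, markup, paths or commands.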