Newsgroups: php.internals
Subject: Re: [PHP-DEV] PHP Philosophy (was RE: [PHP-DEV] Scalar type hinting)
From: ronabop@gmail.com (Ronald Chmara)
To: John Crenshaw
Cc: Richard Lynch, "internals@lists.php.net"
Date: Fri, 2 Mar 2012 03:13:41 -0800
References: <693e15008681dfe7372eaea66214f8a8.squirrel@www.l-i-e.com> <4F4D5D44.5090307@developersdesk.com>

On Thu, Mar 1, 2012 at 4:18 PM, John Crenshaw wrote:
> No, you've misunderstood. The average new not-really-a-developer has no concept of security. Every SQL query they write is vulnerable to injection. Every echo exposes their site to XSS vulnerabilities. Every form is vulnerable to CSRF. If they did anything with files in their script I may be able to read arbitrary files to their server and/or upload and execute arbitrary scripts. If they used eval() or system() I can probably execute arbitrary shell code and take control of the entire site. If their server is badly configured I could capture the entire machine.
>
> PHP is as vulnerable as you make it,
>
> This isn't a question of keeping software updated and not using deprecated functions, this is a question of discipline that is completely missing among the "unwashed masses" as you call them. The intuitive way to handle many of the most common PHP tasks is also the completely insecure way. Philosophically, I wonder if we do a great disservice by encouraging these people to tinker with code at all. We do so knowing (or at least we should know) that anything they create will inevitably be hacked. We fuel the widespread security problems that currently plague the web.
>
> John Crenshaw
> Priacta, Inc.
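The claim in the quoted message that "the intuitive way to handle many of the most common PHP tasks is also the completely insecure way" can be made concrete. The following is an added example, not code from the thread or from any of its participants: for three of the tasks John Crenshaw names (a SQL lookup, echoing a value into HTML, and a state-changing form), it places the obvious first-attempt version next to the version that closes the hole. The `$pdo` handle, the `users` table and the form field names are assumptions chosen for illustration; the SQLite in-memory database exists only so the block runs offline. PHP 8 is assumed for the union return types.

```php
<?php
// Added example (not from the php.internals thread). The $pdo handle, the
// "users" table and the form field names are assumptions for illustration.
declare(strict_types=1);

// --- 1. Database lookup ----------------------------------------------------

// Intuitive: concatenation places the request value inside the SQL text, so
// the database parses the value as SQL. This is the injection sink.
function findUserInsecure(PDO $pdo, string $name): array|false
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement ships the SQL and the value separately; the
// value is bound as data and is never re-parsed as SQL.
function findUserSecure(PDO $pdo, string $name): array|false
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// --- 2. Echoing a value into HTML -------------------------------------------

// Intuitive: whatever the user supplied becomes markup in the response (XSS).
function greetInsecure(string $name): string
{
    return '<p>Hello, ' . $name . '</p>';
}

// Hardened: encode for the HTML text context at the point of output.
function greetSecure(string $name): string
{
    return '<p>Hello, '
        . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

// --- 3. A state-changing form ----------------------------------------------

// Intuitive: any POST carrying the right field name is honoured, so a page on
// another origin can submit it with the victim's session cookie (CSRF).
function handleDeleteInsecure(array $post): bool
{
    return isset($post['delete_id']);
}

// Hardened: tie the form to the session with a random token, compare it in
// constant time, and refuse the request when the token is missing or wrong.
function issueCsrfToken(array &$session): string
{
    $session['csrf'] = bin2hex(random_bytes(32));
    return $session['csrf'];
}

function handleDeleteSecure(array $post, array $session): bool
{
    if (!isset($post['csrf'], $session['csrf'], $post['delete_id'])) {
        return false;
    }
    return hash_equals($session['csrf'], (string) $post['csrf']);
}

// --- Demonstration on constructed input --------------------------------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// An ordinary surname with an apostrophe is enough to break the concatenated
// query: the input changed the SQL, which is exactly the property an attacker
// relies on. The prepared statement simply finds no such user.
$input = "o'brien";
try {
    var_dump(findUserInsecure($pdo, $input));
} catch (Throwable $e) {
    echo 'insecure query failed: ', get_class($e), "\n";
}
var_dump(findUserSecure($pdo, $input));   // bool(false): no row, no error

echo greetInsecure('<b>name</b>'), "\n";  // tag reaches the browser as markup
echo greetSecure('<b>name</b>'), "\n";    // &lt;b&gt;name&lt;/b&gt;

$session = [];
$token = issueCsrfToken($session);
var_dump(handleDeleteInsecure(['delete_id' => 7]));                            // bool(true)
var_dump(handleDeleteSecure(['delete_id' => 7], $session));                    // bool(false)
var_dump(handleDeleteSecure(['delete_id' => 7, 'csrf' => $token], $session));  // bool(true)
```

The point of the pairing is that the secure variant is barely longer than the intuitive one in each case; the difference is knowing that the boundary exists (SQL text versus bound value, HTML markup versus text, any POST versus a POST the application itself issued), which is the discipline the quoted message says is missing.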