[ale] PHP Security (wuz: OT: Why Big Sites Run Drupal)

mike at trausch.us mike at trausch.us
Sun May 6 20:46:08 EDT 2012


On 05/06/2012 10:23 AM, Leam Hall wrote:
> That would be said of operating systems and other languages as well, so 
> pointing out that PHP is like everything else leaves me confused.
> 
> There is a separation between the tool and the usages of the tool. PHP 
> has been plagued with a long list of malformed usages. Is it worse that 
> any other web tool? Doubtful, as there are few if any real contenders 
> for the web space. Java is one, and if you support Java servers you're 
> updating 4-6 times a year. None of the other major scripting languages 
> are without flaws either so it seems to be a matter of "pick your poison".
> 
> The main issue is maintaining that separation between tool and uses of 
> the tool. Then you will likely find that PHP is not really any worse, or 
> better, than the other tools.

When you compare its track history to that of, say, Python or C# (both
with their own standard libraries, though C#'s "standard library" is the
.NET BCL), the difference is stark.

I'm certainly not saying that I carry knowledge of any bug-free or
vulnerability-free software.  But when you have choices that perform
better in a given (and very important) metric such as security, I am
certainly (currently) disinclined to even consider PHP.

Taking another look it seems that PHP's vulnerability report counts are
lower, which tends to mean that it is starting to get better.  But then
you have the angle of application security as it goes with the design
(and accessibility) of the language, which is perhaps the language's
greatest and least fixable vulnerability.

I like the design where each script can ignore other scripts in terms of
application context, because the execution lifecycle is at the HTTP
request level.  But many people (esp. "nonprogrammers") tend to really
seriously abuse the "type slutiness" of the language.  The last time I
worked on a PHP application (which has over the years moved from PHP 4.2
to PHP 5.3), I fixed several such (in this case, minor) bugs.

However, I hate the design decision that permitted complete
intermingling of PHP code with output text.  I have yet to see it
seriously improve the design of applications, though I often see it
operate to the detriment of application design and maintainability.  It
is possible to create some seriously awful things in PHP that would be
almost impossible to create in any other language.

I perhaps shouldn't complain.  I have made a decent amount of money over
the years supporting and incrementally improving some seriously horrible
applications which are written in PHP.  (Most of them by different
people who will readily admit that they are _not_ programmers.)  The
largest of them still has a long way to go.

These days, I prefer using a GP language for Web development.  Call me
nuts, I guess, but I much prefer writing and working on applications in
Python, Go and even C.  Though I haven't really had the chance to use Go
for anything serious or major at this point, and it isn't something I am
familiar enough with to trust.  Yet.  :-)

	--- Mike

-- 
A man who reasons deliberately, manages it better after studying Logic
than he could before, if he is sincere about it and has common sense.
                                   --- Carveth Read, “Logic”
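The two PHP pitfalls Mike mentions, loose typing and code intermingled with output, are worth seeing side by side with their hardened forms. The following is an added example written for this archive page; it is not code from the original post or from any of the applications Mike describes. Function names, the hash-shaped strings and the sample input are constructed for illustration.

```php
<?php
// Added example, not from the original post. Demonstrates two PHP
// security pitfalls and their fixes. All names and values are constructed.

declare(strict_types=1);

// --- 1. Loose comparison ("type juggling") -------------------------------
// PHP's == converts operands before comparing. Two different strings of the
// form "0e<digits>" are both numeric strings with value zero, so == treats
// them as equal. A password check written with == can therefore accept a
// wrong hash whose only property is that it also starts with "0e".
function verifyHashLoose(string $storedHash, string $suppliedHash): bool
{
    return $storedHash == $suppliedHash;          // vulnerable: loose compare
}

// === compares type and value with no conversion. hash_equals() goes one
// step further and compares in constant time, which is what you want for
// any secret-bearing string.
function verifyHashStrict(string $storedHash, string $suppliedHash): bool
{
    return hash_equals($storedHash, $suppliedHash); // strict and constant-time
}

// The same conversion trap applies to in_array() and switch, which use ==
// by default. Pass true as the third argument to make in_array() strict.
function isAllowedRole(string $role, array $allowedRoles): bool
{
    return in_array($role, $allowedRoles, true);   // strict membership test
}

// --- 2. Code intermingled with output ------------------------------------
// Dropping a variable straight into an HTML template is the classic PHP
// cross-site scripting bug: whatever the user sent is rendered as markup.
function renderGreetingUnsafe(string $name): string
{
    return "<p>Hello, $name</p>";                 // vulnerable: no escaping
}

// Escape on output, for the context you are writing into (here: HTML text
// and attribute content), and declare the charset so multibyte tricks fail.
function renderGreetingSafe(string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Hello, ' . $escaped . '</p>';
}

// --- Demonstration with constructed inputs --------------------------------
// Constructed: both strings look like hex digests and both begin with "0e".
$stored   = '0e462097431906509019562988736854';
$supplied = '0e830400451993494058024219903391';

echo 'loose verify accepts wrong hash: ';
var_dump(verifyHashLoose($stored, $supplied));    // true, despite differing
echo 'strict verify accepts wrong hash: ';
var_dump(verifyHashStrict($stored, $supplied));   // false

echo 'strict in_array with "0" against [0]: ';
var_dump(isAllowedRole('0', [0]));                // false: string !== int

// Constructed attacker-controlled input.
$name = '<script>alert(document.cookie)</script>';
echo renderGreetingUnsafe($name), PHP_EOL;        // script tag reaches the browser
echo renderGreetingSafe($name), PHP_EOL;          // rendered as inert text
```

Run it with the PHP CLI (`php example.php`). The loose-versus-strict hash check is the part most often missed in hand-written login code: a stored MD5 or SHA1 hex digest that happens to begin with `0e` followed only by digits will compare equal, under `==`, to any other such string, so the check must use `===` or, better, `hash_equals()`. The output-escaping half is the fix for the "PHP mixed with output text" design Mike complains about: the language lets you inline variables into markup, so every inlined value needs an explicit escape for its context.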
