[ale] Well, this does nothing for the reputation of Linux

Charles Shapiro hooterpincher at gmail.com
Mon Jul 22 09:12:05 EDT 2013 

My favorite essay on php (
http://me.veekun.com/blog/2012/04/09/php-a-fractal-of-bad-design/ ).  In
fairness, here's a response (
http://forums.devshed.com/php-development-5/php-is-a-fractal-of-bad-design-hardly-929746.html).
 I have worked in PHP, but it is not a language which appears on my
resume.


-- CHS



On Sun, Jul 21, 2013 at 8:53 PM, JD <jdp at algoloma.com> wrote:

> On 07/21/2013 06:03 PM, Alex Carver wrote:
> > On 7/21/2013 14:05, Jim Kinney wrote:
> >> FACEBOOK IS SECURE?!?!?!?! when did that happen?
> >>
> >> PHP, according to many security people far more knowledgeable than me,
> >> continues to suffer from design flaws in the core. Now add in the
> rampant
> >> proliferation of poorly coded add-ons and you get the mess that is PHP.
> It
> >> make Java look good.
> >>
> >
> > I'd actually like to see some site where the security issues of PHP are
> > discussed.  Most of the things I've seen have to do with either old
> versions or
> > various "core" modules that may or may not be used in particular scripts
> but I
> > really do want to know what it is these security people find to be a
> problem
> > (partly so I can verify my own installations and ensure there's no major
> issue).
> >
>
> Software security is hard.  I have doubts that any non-expert can secure
> any
> language enough to put code on the internet.  There are many books,
> tutorials,
> best practices and groups trying to improve the security of software. The
> best
> group trying to create secure websites and web-apps seems to be the OWASP
> groups.
> * https://www.owasp.org/index.php/How_to_write_insecure_code
> * https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
> but there are many others, usually aligned with each language.  I know the
> Perl
> guys take security very seriously and have since the mid-90s, if not the
> beginning.
>
> I know a few professional PHP programmers and believe they are experts in
> the
> language AND in creating secure code as well as possible with the tools
> allowed.
> They've also been blindsided a few times when core libraries had poorly
> thought
> out implementations or buggy code was released. That happens with many
> languages.
>
> From an outsider viewpoint, it seems that php has more of those issues than
> other languages. Perhaps it is just a publicity problem with the language?
>
> Regardless, we all learn to rely on outside expert opinions in areas where
> we
> cannot become an expert.  The security experts to which I listen will not
> put
> php code on the internet and only allow it internally when accessed
> directly
> from the corporate network or over a VPN. While I have a slight interest in
> software security, none of it includes trying to make php programs better.
>  I'd
> prefer to make multithreaded C code safe for direct internet use - it
> would be
> much less painful. ;)
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20130722/a402dccb/attachment.html>

More information about the Ale mailing list