[nycphp-talk] PHP-related book comments
Mitch Pirtle
mitchy at spacemonkeylabs.com
Tue Jul 13 15:21:30 EDT 2004
John Lacey wrote:
> First, the authors apparently don't know anything about PHP 4.2.0
> which, I believe, was released over 2 years ago. Ironically, their
> next paragraph begins with "In the interest of convenience
> (laziness?), some programmers..."
> Seems the authors were too lazy to check their facts. It makes me
> wonder if they've even bothered to research their subject to find a
> file called php.ini-recommended.
They seem to be aware that the problem is not inherent to the language,
but with lazy programmers. How unfortunate that they then single out
PHP as an insecure language, without looking at recent efforts to
provide better security.
> Further down the page is this paragraph:
> "PHP is a study in bad security." I believe that if the authors had
> said something like "phpBB is a study in bad security" they might
> have stated the problem correctly.
That is hitting the proverbial nail right on the head. There are a slew
of PHP applications out there that commit grievous crimes regarding
security. Unfortunately, the PHP language is being singled out by
non-PHP programmers that don't take the time to learn the language.
They see the letters 'php' on Bugtraq and immediately reach for
pitchforks without attempting to get an understanding of what is really
going on.
> So, before I send an email to these guys, is there anything else I
> should point out?
I don't know a more secure scripting language than Python - but other
than that I can write shoddy code in just about any language you want.
It is not only a disservice to the people that put so much effort into
creating a language and give it away for free, but to anyone who is
considering using that language in the future. This sadly sounds like a
Perl/C programmer's typical and monotonous language-specific troll.
-- Mitch, feeling rather rambunctious