[nycphp-talk] "The Web is broken and it's all your fault."

David Krings ramons at
Fri Sep 15 12:04:01 EDT 2006

At 09:40 AM 9/15/2006, you wrote:

>First, get rid of this stuff ... $_GET['badstuff'] and all incoming
>defined variables period.  As long as it exists in the language
>people will complain about security ... Im suprised there is no fork
>of PHP to form a SecurePHP variant that takes this out or has strong
>wrappers for it (see 3).
>- Jon

I am not entirely clear what you criticise. Is it the GET or that fact that 
subitted values from an HTML form get piped into an array that carries 
always the same name ($_GET or $_POST) or the fact that it gets stuffed 
into an array altogether?

I think one can create code to secure PHP scripts, so it is not that it is 
impossible (maybe it is), it is just that it is hard work and doesn't show 
anything pretty in the browser window.


More information about the talk mailing list