NYCPHP Meetup

NYPHP.org

[nycphp-talk] "The Web is broken and it's all your fault."

Rick Olson rolson at aeso.org
Fri Sep 15 22:41:42 EDT 2006 

Jon Baer wrote:
> I partly blame the language ... I know of alot of people who complain  
> about Java's strict typing/sandboxing + find it cumbersome and have  
> to explain its there for a good reason.
>
> First, get rid of this stuff ... $_GET['badstuff'] and all incoming  
> defined variables period.  As long as it exists in the language  
> people will complain about security ... Im suprised there is no fork  
> of PHP to form a SecurePHP variant that takes this out or has strong  
> wrappers for it (see 3).
>   

huh?  Are you suggesting we remove user input from the language?

> Second, there needs to be a way to keep your shared libs and  
> extensions up to date programatically w/ some type of scanner or  
> method.  PHP is way too flexible and dependent on the system it sits  
> on ... first you have PEAR libs, PECL C libs, --and-whatever-else-you- 
> compiled-in.
>   
If you're referring to PHP internals:
There are package managers that can do this to some extent, but the only 
ones I'm familiar with were developed by people that don't understand 
module API changes, different host platforms, etc.. (What I'm saying is 
they don't actually work, they just surprise you with a broken system 
one morning).  Actually now that I read your comment again, what are you 
suggesting?  Removing PEAR, PECL, and extensions in general?

> Third, all the current PHP books (ok a few exceptions) on the shelf  
> should be tossed out or redone, sanitize() methods should be *built*  
> in to PHP (or $_SANITIZE['badstuff'])... ala http://www.owasp.org/ 
> index.php/OWASP_PHP_Filters, then republish all the books.
>   
In the event that you weren't suggesting the removal of PECL extensions 
earlier... http://pecl.php.net/package/filter
That will eventually become a part of the base system I imagine, once 
it's stable.  They were threatening to change the function names though 
a couple of days ago, but I don't think that'll happen before the 5.2 
release.

> After you build/compile/install PHP or as soon as you create a .php  
> file on your PC/Mac, a window with this URL pops up ... http:// 
> www.owasp.org/index.php/PHP_Top_5 ... in Ajax Web 2.0 style of course.
>   
That's going to suck for those poor souls developing in vim through a 
console to a remote machine...
> - Jon
>
>   
>> Number 2 is the real issue in my opinion.  The biggest problem is  
>> the low
>> adoption barriers.  When I've seen PHP code from developers that know
>> another language, it's generally good - just like code in any other  
>> language
>> from a good developer - it's good.
>>
>>     
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>
>
>

More information about the talk mailing list