On Thu, March 1, 2012 2:38 am, John Crenshaw wrote: >> You might consider those scripts poor programming practice. We all >> do. >> But PHP is the language of the unwashed masses, and that was, and >> is, >> part of why it is hugely popular. Somebody who barely understands >> programming can pound away at the keyboard and write a bloody useful >> web application, breaking 10,000 Computer Science rules along the >> way. > > And in 20 minutes I can hack into that application 20 different ways. > This isn't really PHP's fault...or is it? By deliberately catering to > the lowest possible denominator is it possible that PHP itself > contributes to the proliferation of wildly insecure web sites? I do > understand the "unwashed masses" argument, and yet, the security geek > in me sometimes questions how "good" this is. > > (Before someone flames me, I'm not really saying that we should scrap > any foundational principles or tell basic users to go hang themselves. > This is mostly philosophical musing.)
We make concerted efforts to educate scripters, by posting the same thing in all our blogs. Even if all they understand is "Don't do this!" it's good enough for most of them. Other times the decision was made to just deprecate a "feature" and provide a migration path, if suitable, but spread out over major releases: PHP x.0: Feature is bad, but there PHP x+1.0 Feature is E_DEPRECATED (or documented as such before E_DEP) [This is the bit where a LOT of scripted edumacation has to happen.) PHP x+2.0 Feature is just gone. People who completely ignore docs or don't upgrade remain vulnerable, but there's not much you can do without making life miserable for a bazillion developers. -- brain cancer update: http://richardlynch.blogspot.com/search/label/brain%20tumor Donate: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FS9NLTNEEKWBE -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
