Martin Bähr wrote:

> On Sun, May 15, 2005 at 05:36:12PM +1200, Steve Holdoway wrote:
>
> > Now that doesn't include those brought on by poor scripting, of which there are plenty ( like phpBB only a couple of months ago ). But pointing the finger at the programming language in these cases is rather unfair.
>
> there is the rub.
> because php is so easy to insert into html,
> people use it without learning to properly code first.
> they just copy pieces of code that they do not understand themselves and
> make them work. php thus encourages bad coding (register_globals?)
> and there is so much bad code out there that it is hard to find the few
> good pieces of which yours might be one.


by default, register_globals = off. Then you've got safe_mode = on to further reduce the information and access available on the server. Personally, I write my own code, so that of other people rarely impinges on me. Coding standards *should* address the rest. I think you should point the finger more at the analysis phase of a project, which a generation brought up with M$ tools seem to skip completely.

> as a service provider where you need to allow users to run their own php
> code, you can not point to a particular piece as being insecure, because
> you don't know what the users are running. hence you end up lumping them
> all together into "php is a security nightmare"

As an isp, you'll be running your web servers jailed anyway?

Anyway, that last sentence is like my own personal sentiment that 'KDE is crap', which was true when I first tried to use it. What relevance it has to the current version of KDE is irrelevant, because the damage has been done to my thinking. However, personal opinions should be of less importance when running an isp.

> i don't deny that there surely is good php code out there, and there is certainly also bad code in other languages. but the signal/noise ratio
> for php is just worse than other languages so i tend to stay away from
> it.

Is, or was?

> the track record of php apps makes code reuse very hard and creates
> extra work for me. perl has its own problems. both were not designed to
> create large applications. leaves python and pike of which i prefer pike
> for the reason i gave among others (even though i very much like the
> syntax of python as it encourages writing good code)
>
> greetings, martin.

As an ISP, I think you're failing to re-evaluate the tools out there on a regular basis. Yes, php did have the odd security hole, but, *none* have been found for over 3 years. I'd look more at using release candidate webserver software ( Caudium/1.4.4 RC1 ) or old versions ( Apache/1.3.26 ) as a far greater potential for damage than whether or not to support php.

For large applications you should be looking at compiled languages - C, C++, Pascal,... all of which are far more mature than python, pike and the like. Anyway, the choice of language is far less important than a proper design framework, and things like portability, maintainability, and just about every other kind of -ability should be considered in your choice, not just personal preference.

Steve.
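The register_globals point raised in this exchange (Martin's "encourages bad coding (register_globals?)" and Steve's "by default, register_globals = off"), shown as an added example that is not code from either poster: the classic uninitialised-flag pattern beside a hardened version, plus a start-up check for the directive. check_password() is a hypothetical stand-in and the request array is constructed; extract() is used only to reproduce what register_globals did implicitly.

```php
<?php
// Added example: the register_globals pitfall and its fix.
// check_password() is hypothetical; in a real app it would consult a user store.
function check_password($user, $pass) {
    return $user === 'alice' && $pass === 'correct horse';
}

// The classic pattern: $authorized is assigned only on success and never
// initialised. With register_globals = on (the default before PHP 4.2), every
// request parameter became a variable before the script ran; extract() here
// reproduces that effect for demonstration, so ?authorized=1 pre-sets the flag.
function vulnerable_is_authorized(array $request) {
    extract($request);                       // what register_globals did implicitly
    if (check_password(isset($user) ? $user : '', isset($pass) ? $pass : '')) {
        $authorized = true;
    }
    return isset($authorized) && $authorized; // a request-supplied $authorized survives
}

// Hardened: take input only from an explicit request array (e.g. $_POST),
// initialise every decision variable, and never let request data name locals.
function hardened_is_authorized(array $request) {
    $authorized = false;                     // explicit default
    $user = isset($request['user']) ? (string) $request['user'] : '';
    $pass = isset($request['pass']) ? (string) $request['pass'] : '';
    if (check_password($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Defence-in-depth check for a deployment or bootstrap script: ini_get()
// returns "" or "0" when the directive is off, and false on PHP >= 5.4 where
// register_globals no longer exists at all. Anything else means it is on.
function register_globals_is_off() {
    $value = ini_get('register_globals');
    return $value === false || $value === '' || $value === '0'
        || strtolower((string) $value) === 'off';
}

// Constructed request: no credentials, only the "magic" parameter.
// The vulnerable check grants access, the hardened one refuses it.
$forged = array('authorized' => '1');
var_dump(vulnerable_is_authorized($forged));
var_dump(hardened_is_authorized($forged));
var_dump(register_globals_is_off());
```

Run it from the command line with `php example.php` (name assumed); the same hardening applies to any flag that is set on one branch and read unconditionally later.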