On Wed, May 28, 2014 at 9:28 AM, Steve Meyers <[email protected]> wrote:
> On 05/28/2014 08:06 AM, Stuart Jansen wrote:
>>
>> That's not entirely true. The risk is much higher when you're using an
>> API created by people who think functions like addslashes() are a good
>> idea.
<snip>
> However, the original intent was to basically provide wrappers for C
> functions. The real problem was that it was so easy to use, that people who
> weren't trained C programmers were using it, and they didn't have the
> knowledge or experience to use it correctly. I don't think that necessarily
> makes them idiots for including addslashes(), just stubborn.
>
> If you're going to bash a decision regarding slashes in PHP, it's much
> easier to bash magic quotes. I think that was an attempt to maintain the
> simple C-wrapper style of PHP, while protecting the idiots who were using
> it, but it just made things worse.
I'm not seeing anything here that fundamentally disagrees with your
quote of Stuart. PHP started out extremely brain-damaged and reached
the height of its popularity in that state. A whole lot of really bad
code was written and a whole lot of people learned it as their first
exposure to programming. It remains backward-compatible with all
that, and a lot of people who had no idea what they were doing but
managed to slap some pages together and get paid for it are happy to
share how they did it. There are sensible alternatives available now
in PHP to people who know how to recognize them, but it's not an
environment I'd recommend a novice wade into unprepared, especially
since there are very nice ways to build web services in other
languages without all the baggage.
--Levi
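The thread contrasts addslashes()-style escaping with the "sensible alternatives" PHP now offers. The following script is an added example, not code from the thread or from any of its participants; it puts the two styles side by side on an in-memory SQLite database through PDO (it assumes the pdo_sqlite extension is available, and the table, rows and input values are constructed sample data). The point it makes is the one behind Stuart's remark: addslashes() is a generic backslash-adder that knows nothing about the SQL dialect or connection charset, whereas a prepared statement keeps the value out of the SQL text entirely.

```php
<?php
// Added example (not from the thread): addslashes() escaping versus a
// prepared statement, run against an in-memory SQLite database so it
// works offline. Table contents and inputs are constructed sample data.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
// SQLite escapes a quote inside a literal by doubling it, not with a backslash.
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// Values as a user might type them (constructed).
$inputs = ['alice', "O'Brien"];

// Style 1: the PHP 3/4-era approach. addslashes() only prefixes ' " \ and
// NUL with a backslash; it is not aware of which database it is feeding or
// what charset the connection uses. Because SQLite treats the backslash as
// an ordinary character, the second lookup below is a syntax error, and on
// other engines the result depends on server settings the caller cannot see.
function lookupWithAddslashes(PDO $db, string $name): string
{
    $sql = "SELECT id FROM users WHERE name = '" . addslashes($name) . "'";
    try {
        $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
        return $row ? "found id {$row['id']}" : 'no row';
    } catch (PDOException $e) {
        return 'query failed: ' . $e->getMessage();
    }
}

// Style 2: the sensible alternative. The value never becomes part of the
// SQL text; it travels as a bound parameter, so quoting rules and charset
// handling belong to the driver, not to the application code.
function lookupWithPreparedStatement(PDO $db, string $name): string
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? "found id {$row['id']}" : 'no row';
}

foreach ($inputs as $name) {
    printf("%-8s addslashes: %s\n", $name, lookupWithAddslashes($db, $name));
    printf("%-8s prepared:   %s\n", $name, lookupWithPreparedStatement($db, $name));
}
```

Run it with `php` from the command line. The first input behaves the same under both styles; for the second, the addslashes() version reports a failed query while the prepared statement finds the row, which is the practical difference between bolting escaping onto a string and letting the driver carry the value separately.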
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/