PHP.net Compromised
An anonymous reader writes "The open source PHP project site was compromised earlier today. The site appears to have been compromised and had some of its Javascript altered to exploit vulnerable systems visiting the website. Google's stop-badware system caught this as well and flagged php.net as distributing malware, warning users whose browsers support it not to visit the site. The comment by a Google employee over at the hacker news thread (official Google webmaster forum thread) seems to suggest that php.net wasn't incorrectly flagged."
Oh the irony (Score:5, Funny)
You Sound Like One Of Those (Score:1, Funny)
You sound like one of those Java fundies. [dilbert.com]
STFU, Doucharonimous.
Re:You Sound Like One Of Those (Score:5, Funny)
Here's a better URL [dilbert.com] without all the superfluous Web 2.0 crap around it.
Re: (Score:2)
Re: (Score:3)
I didn't even realize that they were still using GIF instead of PNG. This proves Dilbert.com is run by a PHB.
Optimized GIF: 29019 bytes.
Optimized PNG: 24356 bytes.
Re:You Sound Like One Of Those (Score:5, Insightful)
Well, the strip is from 1995. Did you expect them to convert the whole archive to PNG just to make a few nerds feel better?
Re: (Score:2)
How about saving bandwidth? Even the latest ones are still in GIF. You may think 4-5KB isn't much, but how many people read Dilbert every day?
Re: (Score:2)
Lots of people. How many of those read 18 year-old Dilbert cartoons every day?
Judging from their site, they're not worried about 5k here and there. They could trim significantly more than that off fairly easily.
Re: (Score:2)
Re: (Score:2)
Why not?
It's supported everywhere as there are countless old gifs still in use. There also appears to have been a fairly recent resurgence in animated gifs (PBS) [youtube.com]. You see them all the time these days being used as an alternative to short movie clips. To my knowledge, there is no viable replacement for those yet. Attempts like apng and mng never got off the ground.
There isn't even any ideological reason to call for the elimination of the format. Even the burnallgifs website has moved on.
In short: The form
Re: (Score:2)
Yes to stay updated with the technology. :P
Re:Oh the irony (Score:5, Funny)
It's Microsoft's fault. The URL for PHP is php.net, which means it's .NET and hence the reason for being compromised.
The malware was distributed via Javascript, which has Java in its name, which means it's also Oracle's fault.
Re: (Score:2)
Re: (Score:2)
Either that, or missing mysql_escape_string.
Re: (Score:2)
It was already a dangerous site to visit ... (Score:5, Funny)
... it introduced visitors to PHP.
Re: (Score:2)
Battle Scars (Score:2)
Almost every language in common use has some stupid ideas in it that make one want to slap the makers. (Although maybe Php deserves 2 slaps.) A lot of it is stretch marks from growth. Any successful language (usage-wise) that's been around a while will probably have battle scars. New languages don't have enough features, and mature languages have convoluted features due to growth and the maturing process.
Re: (Score:2)
yeah, but this is PHP - a fractal of bad design [veekun.com].
Re: (Score:3)
Know what's sad? You don't know how awful that page really is. You actually think it contains something of value.
Here's a fun exercise. From that pile of garbage, make a list of points of fact, eliminating any point that is opinion.
Now that you've reduced the content of that page significantly, eliminate any point that's flat-out wrong. Now eliminate any point that also applies to other popular languages.
Still think PHP is a "fractal of bad design"?
It looks like he got rid of the NaN != NaN nonsense poi
Re: (Score:2)
I'd rather bash people with no sense of humour who feed trolls.
It's even easier than bashing PHP.
Re: (Score:2)
Hi, girlintraining.
I'm no troll. I was there (on the internet, not physically present) when Tim Berners-Lee announced the World Wide Web and I happened to notice while using Gopher. I downloaded and installed the first web browser and went to http://info.cern.ch/hypertext [info.cern.ch] to see what was up with this new thing. I advocated and used PHP when the acronym stood for Personal Home Page. Back when everyone was banging out custom CGI scripts in Perl, it looked pretty cool. And for a while it was. I rolled ou
Re:It was already a dangerous site to visit ... (Score:4, Interesting)
I was on the internet, er, before it was the internet. -_- That doesn't mean anything as far as statements made about today.
Agreed. But you came screaming out of the gates with a hard core ad-hominem attack (Troll!) in response to what amounts to little more than a joke. Touchy much?
That said, I was on the internet-before-it-was-the-internet back in 1980. Just out of curiosity, what's your magic date?
I've spent considerable time since regretting my early advocacy and plenty of time fixing PHP driven sites or migrating away from PHP to better platforms. Plenty of other people over the years have explained why PHP is a 'fractal of bad design', so I won't make that attempt here. I agree with them.
I calmly stand by my snark, perched atop the mountain of experience.
And I stand by my statements, that PHP would be one of my top picks for back-end design and dynamic pages. It is easy to read, has reasonably good performance, and reasonable security. But no language can stop people from shooting their own foot off if they're so determined, and your grevance seems to be not with the language itself, but with the fact that so many people shoot their own foot off while using it. The only problem I have with PHP is that the designers seem utterly incapable of understanding OOP concepts and the result is half-baked objects. But then, I say the same thing about Java.
You're reading a lot into my jokey original one-sentence post. Grievance (grevance)? I've used PHP. Found it wanting. Moved on. End of story. What's driving your zealous PHP advocacy?
Re: (Score:2)
What's driving your zealous PHP advocacy?
Ask a stupid question, get a stupid answer. [xkcd.com]
Note that you're being perceived as wrong, not that you actually are. I certainly don't have the experience to say which of you is right (or more right, as the case may be)
Re: (Score:2)
What's driving your zealous PHP advocacy?
PHP has lots of add-ons that make it very powerful like: PHPExcel for churning out a spreadsheet, TCPDF for creating a PDF, PHPMailer for sending an email, etc. I don't know if other languages have these but they are simple to use in PHP.
It is true you can write a crappy application with security holes like swiss cheese in PHP. But you can do that in any language. If you're going to write 'good' programs there are quite a few web principles like sanitizing input that you MUST learn.
On the other hand, I t
Re: (Score:2)
. A better approach, I feel, is to turn PHP on in the first line and don't turn it off until the last line. If you want to send some HTML, use an echo statement.
I feel like someone made Poe's law into a truck, and hit me with it.
Re: (Score:2)
I feel like someone made Poe's law into a truck, and hit me with it.
Best post of the thread. A tip of the hat to you.
Moderators, mod parent up, please.
Re: (Score:2)
I've used PHP. Found it wanting. Moved on.
Why did you find it inadequate? With what did you replace it?
Re: (Score:2)
Wow, so basically all you know is PHP and thus think it is the bees knees.
No point in showing you the error of your ways because you won't understand the differences.
Here is a short list (in no particular order) of better languages for web:
Java ...
C#
F#
Python
Ruby
Perl
Ocaml
nodeJS
Lisp
C
C++
Smalltalk
Haskell
Scala
Clojure
Re: (Score:2)
utterly incapable of understanding OOP concepts
Funny thing is, I've been OO programming for fifteen years now, and splitting up requirements into sane objects is hard. When I do get it right, I spent abnormal amounts of time thinking about them. It's rare to see well-thought out design.
Re: (Score:2)
The only problem I have with PHP is that the designers ...
Your problem lies in your belief that PHP is the result of actual design and forethought.
Re: (Score:2)
It is easy to read, has reasonably good performance, and reasonable security.
You can not be serious.
Re: (Score:2)
Re:It was already a dangerous site to visit ... (Score:4, Insightful)
As a mild Java fanboy, I feel compelled to mention that real Java isn't really locked in to a single vendor, as the reference implementation (OpenJDK) is open-source. However, the reference implementation lacks a lot of the features that aren't real Java, that Sun and Oracle have so kindly implemented in their own versions. A careful Java developer isn't locked in, but a careless one easily can be.
Re:It was already a dangerous site to visit ... (Score:5, Interesting)
It's not that hard to be careful - just avoid the com.sun.* and sun.* namespaces. Eclipse even filters those out (of autocomplete and Organize Imports) in the default configuration.
Re:It was already a dangerous site to visit ... (Score:4, Insightful)
Silverlight and .Net are the same. Silverlight is simply a subset of .Net that runs in a browser plugin environment. Flash runs like that more commonly than not. Java came with a browser plugin from day 1. Silverlight was simply a catch-up attempt by Microsoft, back before HTML5 made those plugins irrelevant. Throw it in the too-little-too-late bag, but don't confuse it with a real framework.
Also, you're wildly misinformed about the extent of lock-in. Flash is single-vendor, but there are several knock-offs that claim at least partial compatibility. The rest of your examples aren't even close to locked-in. .Net is multi-vendor, as there are several non-Microsoft versions of it (Mono isn't the only one). Java has even more vendors, providing various JVMs and front-end languages that will compile to bytecode. Heck, one of the most widely used Java app servers is Tomcat, and that's made by Apache. It can be paired with any of the compliant JVMs with relative ease.
Meanwhile, the GP is getting all angry about someone insulting their language of choice. Lighten up. Nobody is going to take away your precious PHP. Hell, my career got its start as a "professional PHP developer". Even at the time, it was something I joked about, and this was a decade ago.
The fact is, PHP is ridiculously easy to use, even for a newbie developer. And because of that, there are a lot of newbies using PHP, making the mistakes that newbies inevitably make. This would be OK if they were still in school or developing a Personal HomePage (thanks, retconning!), but when they make this crap in the workforce, it crystallizes into production code and then we (all of us) have to maintain their steaming pile of newbieness forever. Mostly, I blame management for allowing this to happen. But it's much easier to fight off newbies and their PHP by requiring more newbie-proof development technologies in the workplace.
I'm a programmer that does web, web service, desktop, command line, and mobile development for large scale data management and real-time reporting. I no longer use PHP because it is incapable of doing what the software I write does. It's simply the wrong tool for the job, including the web portions. If you want to introduce yourself to web programming, by all means, use PHP. And once you've learned it, know HTTP inside and out, know request/response interplay like the back of your hand, and can set headers, dynamically generate formatted and unformatted data, and in general, use the response body as your bitch, then you don't need PHP anymore and can (and should) move up to something more scalable.
And before you say "PHP is scalable because Facebook uses it", keep in mind what the parent post already noted (emphasis mine):
Facebook's version is scalable and has good performance. Stock PHP is mediocre. And you can't afford Facebook's clustering and load-balancing setup.
Re: (Score:3)
I appreciate your input. Still, no one has come up with what the next step after PHP is. Ruby? Perl? Python? It's not like there's someone out there going "ooh, good job on that PHP website and the work you're doing looks like you understand what you need. Now that you know that, you should start using JQuery to replace the hacked up Javascript and Forth to build websites. Here are a couple of good websites to get you transitioned from PHP to Forth."
It's cool and all to denigrate the folks who are trying bu
Re: (Score:2)
Hmm, my experience with Basic (ibm basica and gwbasic with some quickbasic and other flavors) and C (Turbo and Microsoft mostly), my experience with RDBMs (dbase III+ and Paradox), my experience creating websites using vi. Add in my experience as a sysadmin using edlin, qedit, and vi plus experience with awk, sed, sh, ksh, bash, plus perl scripting. Then my searching around 6 or 7 years ago brings me to all the discussion over the years about LAMP; Linux, Apache, MySQL, PHP (although now it includes Perl an
Re: (Score:2)
Clueless sysadmins (and programmers) do indeed bring a bad rep to PHP but correctly implemented and managed, it can be a great asset. What alternative do you suggest? Node.js? Who runs that and .NET? Really?
Re: (Score:3)
I'm pretty sure it's PHP that gives PHP a bad rep.
Re: (Score:2)
"Who runs that and .NET? Really?"
I'm intrigued to know your justification for disparaging .NET over PHP. Care to elaborate and expand upon that?
Apart from its lack of cross-platform support it's much better. It performs better, it has better tools, a much better framework, the language is much better thought out and has far less issues, allows for much faster development on all but the most trivial of projects, has a much healthier feature set (i.e. proper threading support) and it's got a far better track
Re: (Score:2)
Yes, its lack of cross-platform support is pretty much the biggest issue here. You require thousands of dollars in Windows licenses to run a single .NET site. The tools are proprietary and costly and having used Visual Studio, I think Eclipse and even Xcode still beat the pants off of it as far as usability goes. .NET is also (or at least should be) a compiled language very similar to Java and it has the same downfalls as Java (if you've ever supported anything-Beans or Tomcat, you know what I'm talking ab
Re: (Score:2)
"Yes, it's lack of cross-platform support is pretty much the biggest issue here."
But that's not an inherent problem with it, it's a design choice of the technology and it has advantages and disadvantages - whilst you can't easily use it on non-Windows platforms, you do get to do things Java simply can't do easily because Java can't assume what functionality an OS will provide so can only encompass the lowest common denominator as standard whereas .NET can provide access to everything the OS offers.
"You requ
Re: (Score:2)
PHP is on its way out, thank the gods.
It doesn't appear that way. The data suggest the exact opposite.
Why? Probably due to the lack of a viable alternative. Well, that and the fact that PHP isn't the disaster incompetent Slashdot users seem to think it is.
Re: (Score:2)
Even the shift toward JavaScript on both sides is full of epic failure (after all, we're talking about JavaScript here, which is only marginally better than the other client-side messes it replaced).
JS on the server full of failure for many reasons, but the language isn't one of them. It's surprisingly sophisticated. There's a video series on youtube called "Crockford on JavaScript" that you should check out.
The fundamental problem with PHP is that it has roughly 15 years of crufty functions with nonexistent naming conventions and senselessly-random parameter orders
That's pretty much it. Function names and parameter order. It's a shame that it's basically impossible to fix at this point. Then again, they might not want to fix it.
PHP's biggest problem is that it's ridiculously easy to use. I can rant about why that turns insecure developers away from a la
Re: (Score:2, Insightful)
What do I care about a scripting language's performance. The bulk of my work is basically using scripting languages as glue and display functions for RDBMS queries. The amount of cycles the interpreter/JIT/whatever has to consume is dwarfed by the cycles eaten up by the SQL database.
Re: It was already a dangerous site to visit ... (Score:5, Insightful)
Listen, moron. PHP is GARBAGE and anyone who defends it is a clueless fool.
Find me a language without major design flaws, and I'll show a language that hardly anyone actually uses.
Re: (Score:2)
He said WITHOUT major design flaws.
Re: (Score:2)
Ahhaa, Python, yes. The only language I've come across where if someone is using tabs and the other is using spaces (or worse, their editor substitutes spaces for a tab), the code will break.
I happen to like Python, but man that was an easy one to deconstruct.
Re: (Score:2)
I don't think that really qualifies as a major design flaw. For example, we don't use python (rather, perl, ugh) but the requirement is that code follow standard formatting. Which is a certain number of spaces per indent level. No tabs. My point is that this "major design flaw" wouldn't even come up if we switched languages to python. It's already covered by our coding requirements.
Re: (Score:2)
It's a major design flaw. It was made even worse when (allegedly) Guido said that if he were going to do it over again he'd require spaces instead of tabs. Because everyone agrees on how many spaces looks good, right?
And it's fun to count columns to figure out where the "if" block ends, right?
Also, while we're at it, any language with an "unless" statement is deeply flawed.
Re: (Score:2)
now you're betraying your bias. The number of spaces is not a fixed factor in Python so your comment is neither here nor there (though in practice the variation is almost entirely 2, 4 or 8 with most people using four spaces -- and that is irrespective of language, Python doesn't even enter into it). Any language with an unless statement is deeply flawed? Right...
I'd not seen that from Guido, but it makes a lot of sense. What you wrote sounds like: 1) you never wrote any significant amount of python code, 2
Re: (Score:2)
Tabs are simply not a good choice for indentation *regardless* of language because there is no standard for how to use them.
That's a stupid thing to say. Replace "Tabs" with "Spaces" and it's just as true.
If we use tabs, I can make them 1, 2, 4, 8, or 32 wide, whatever I prefer. If we use spaces, I have to agree with and accept whatever the team prefers. Seems pretty simple to me.
If you make a standard for how to use any character or set of characters for indentation, then there's a standard.
Oh, and while you're right, I haven't written much Python, I have written a WHOLE LOT of code in brace languages. I use IDEs that brace-mat
Re: It was already a dangerous site to visit ... (Score:4, Interesting)
It makes sense. The implode function can readily detect the difference between a string and an array through simple type introspection, but the explode function cannot do the same with two strings. Indeed, I would argue that for any function, if the parameters must be of a specific type that can be readily distinguished from the type of other parameters, there's no reason for the parameter order to matter.
Then again, I would argue that the entire notion of programming languages in which the order of arguments is significant is arcane and archaic. IMO, an ideal programming language should require that each parameter be explicitly tagged so that the parameter order never matters, or at a minimum that the order is never implied merely by position. Perl can sort of do this with a hash, Python et al sort of do this with named parameters, etc.
Such a design pattern makes it relatively simple to add additional optional parameters, because the order ceases to matter. It means that you can insert those new parameters in an order that makes logical sense, rather than having to add them at the end of the parameter list with an explicit check to see if the parameter list is empty before shifting off the next item so that you don't break backwards compatibility with existing clients. And so on.
Unfortunately, most programming languages still force you to choose between strict compile-time type checking and mandatory tagging. If you take parameters in a varargs style, you can force mandatory tagging, but you lose any compile-time checks. If you take parameters individually in the function, somebody can still pass parameters positionally, at which point you lose the readability advantages of being able to reorder the parameter names as you add new parameters.
I get the impression that Python 3 allows you to force explicit tagging by adding "*" as the first parameter. It would be great to see similar functionality in all other programming languages; it just makes a lot more sense than trying to extract meaning out of order.
Re: It was already a dangerous site to visit ... (Score:5, Insightful)
That is quite possibly the worst idea I've ever heard. So I either have a hash lookup on each parameter on every function call (which will CRUSH performance in any language), or a very complicated system for the compiler to implement. Then as a user I not only need to remember what the parameters are for every function, but what they were named? Which basically means it would need to be looked up every time, because I am not remembering all that. You're looking at an order of magnitude slowdown in writing code. Just a stupid idea.
Re: (Score:2)
or a very complicated system for the compiler to implement
What's so complicated about doing it at compile time? When a function's called, compare the caller tags to the function definition tags and re-order them to match - no?
Then as a user I not only need to remember what the parameters are for every function, but what they were named?
It doesn't have to replace the current way of doing things. AviSynth [avisynth.nl] allows parameters to be specified either in order or by name.
Re: (Score:2)
Objective C pretty much does this. Functions calls look like:
[myColor changeColorToRed:5.0 green:2.0 blue:6.0];
Now I do appreciate here that the order isn't actually flexible, but I would argue that *is* a bad idea because it makes the code much harder to read. But what you do get is the named parameters part, which in my opinion is the more important part. This makes the code much easier to read.
Re: (Score:2)
Why would you need to remember what the parameters were named, when your code editor of choice will present you with a dropdox box of all the parameters when you type the function name?
Re: (Score:2)
No, dropdox isn't some kind of falling documentation.
I of course meant "dropdown box".
Re: (Score:2)
implode(array('glue' => ',', 'peices' => $stuff));
Eww. Just eww man. So much more typing and room for error for no benefit whatsoever except you can swap the order around.
Re: (Score:2)
It's horrible only because PHP doesn't build such functionality cleanly into the language. The ideal syntax looks more like this:
implode(glue => ",", pieces => $stuff);
Or even this:
implode(glue=",", pieces=$stuff);
And you're very wrong about reordering being the only benefit. Named calling parameters also provide much-needed information about what the parameters actually do when you're looking at the function call itself, without which you must mentally cross-reference the original function d
Re: (Score:2)
Thats nothing
*THAT* is a worm. Insert that into some PHP code and you have a back door.
Sometimes I wonder if the NSA are responsible for PHP.
Re: (Score:2)
Oh yeah, of course it was bound to strip out the nice PHP code. Here's a URL
http://www.madirish.net/454 [madirish.net]
Re: (Score:2)
The disable_functions config option kills that code instantly.
Re: (Score:2)
Re: (Score:2)
Do you understand this little hook of code? It's amazingly easy to hide in amongst other PHP code and can be nicely obfuscated.
PHP is bad for allowing such a hook to be possible.
Re: (Score:2)
It's also easy to spot. As a rule, eval should be a security red flag in pretty much any programming language. The only even semi-valid reason to use it is for certain types of shell scripting, where it can be unavoidable. In fact, it ranks right up there with system() in the red flag handbook.
Re: (Score:2)
Hmm. I recall an analogous bit from the Perl documentation - I don't recall the specifics. And C has lots of WTFs, not least of which is the syntactic mistake of allowing 'if ( a = b )' to be valid, leading to thousands of hours of debugging time when programmers accidentally forget the second ==. We've all done it, many times. I recently found an example that had lain in wait for a couple of years, as that particular piece of code was only rarely executed, and most of the time the fact that 'a' was b
Re: (Score:2)
Not true. Assignment in BASIC is Let (or Set) A = B, whereas comparison is A = B.
I agree that the unfortunate fact, that for most current BASIC dialects the 'Let' is optional, results in the confusion you were referring to. But you can't blame a language for terrible/lazy programmers.
Re: (Score:2)
If you think the difference between imperative programming languages goes much beyond syntactic sugar then I don't think you really understand computer science.
You know a sophomore when they start whining about how childish Visual Basic is. If you can write something well, you can write it well in VB. You might prefer not to, but you should be able to do a fine job of it.
Re: (Score:2)
That's a runtime library issue.
Although maybe your argument is that a language should be judged when accompanied precisely by its standard runtime libraries.
I can predict the future (Score:5, Insightful)
I can predict there will be a lot of posts by developers of other languages laughing at PHP while ignoring their own languages' massive security failures in the often not so distant past. That is okay when for instance Ruby had their massive security hole or Java applets were kicked out of every browser, I giggled like a schoolgirl too.
But it sure was fun today to google some obscure function and be told php.net might harm your computer. Especially when you are having to fight management daily on some silly security measures you insisted on to protect your project that are so inconvenient and unnecessary because the project hasn't been hacked yet... sigh... do I have to point out that maybe it hasn't been broken into yet because I put the security measures in place? Or that it might simply not have been our turn yet? Nah... it must be because I am an idiot who sees script kiddies everywhere.
Security, if you do it right everyone thinks you have wasted your time and when you do it wrong, it is all your fault.
But at least the amazing pay, respect, job security and being the stuff all women dream about makes up for it...
Oh wait.
I can predict the future, I am going to die a bitter and angry nerd.
Re: (Score:3)
Thanks for the new quote.
FTFY: I can predict the future (Score:2)
Re: (Score:2)
At least you will have lots of company in the afterlife.
Re: (Score:2)
Ruby? Don't you mean Rails? That wasn't a problem with the Ruby itself. Just like Wordpress bugs are not PHP bugs. I'm deliberately not including application bugs - the track
Re: (Score:3)
PHP has been objectively worse than practically every other language.
Objectively, you say?
Give it a go. How is it "objectively" worse than other popular languages?
This ought to be hilarious!
Re: (Score:2)
Note the context you neglected was core language design mistakes rather than implementation mistakes. Implementation mistakes while bad can generally be fixed without breaking anything. PHP has had more than its fair share of those too.
Compared with other languages I've used over the last 15yrs, PHP has been the standout one that seems to have to put convenient but insecure by design functionality (eg register_globals, magic_quotes etc) on a long many year cycle of recommending against using it, deprecatin
Re: (Score:2)
So you don't actually have an answer then.
Color me surprised.
"There was this one feature that was a potential security hole that has been disabled by default for more than a decade!" Doesn't exactly make your case!
I'll gladly take back the word "objectively" though if you want to provide examples of other popular languages being just as bad as or worse than PHP in this respect.
Languages with security issues they've been forced to fix? What's the comment size limit again? Do languages with massive security issues "by design" that cannot be fixed without fundamentally changing the language count as well?
Pitiful. If you don't like PHP, fine. All I ask is that you don'
Re: (Score:2)
It seems you are the one without an answer. Where are your examples that show other popular languages to be as bad as PHP has been then?
The view that PHP doesn't have a comparatively shoddy security record is the extraordinary claim here and the one that needs evidence. I could just as well ask that your personal preference doesn't get in the way of you being rational and objective.
As I said, I'll gladly retract my statement - just show me how other popular languages are as bad or worse.
Re: (Score:2)
OK OK you got me... I completely retract my claim 100%. I was just talking "drivel".
Now to show you're not really just a troll and actually are a PHP fanboy*, why don't you tell us why you think PHP is at least as good as other popular languages.
* Having never met one before (even at well attended PHP user group meetings), I didn't realise PHP fanboys even existed.
If you really are a fanboy, what are the good or even great things about PHP? What attracts you to it? Is it the internal consistency? The elegan
Re: (Score:2)
Really? Asking for somebody to demonstrate a wild claim results in your turning it around and demanding proof that it isn't true?
Okay, I'll say that it is objectively true that there is life on Mars.
No, no... I don't have to *defend* that statement. The onus is on *you*, Buckaroo, to demonstrate there *isn't* life on Mars.
Wow, this makes putting out claims much easier. Thank you for your logic, AC.
Re: (Score:2)
It's been shared too much. It's complete and total garbage.
I offered this earlier: From that incompetent screed, make a list of points of fact, eliminating any point that is opinion.
Now that you've reduced the content of that page significantly, eliminate any point that's flat-out wrong. Now eliminate any point that also applies to other popular languages.
To save some time, you could first eliminate anything that exposes the author's distaste or misunderstanding of dynamic typing. That should make the tas
Re:I can predict the future (Score:5, Informative)
I can predict there will be a lot of posts by developers of other languages laughing at PHP while ignoring their own languages massive security failures in the often not so distant past.
You know, I'm going to have to disagree with you on this one.
I'm not saying that other languages are perfect, far from it. But the PHP world, by and large, is inhabited by people who don't really understand security. I've worked in it for a long time, and in every single application and library written in PHP that I encounter, I find results that show signs of knowing of, for instance, the existence of concepts called "SQL injection" and "XSS attack" but no understanding of what those things actually mean beyond taking some boilerplate kinda-solution in most but not all relevant locations.
By contrast, the libraries that Java and Python and Ruby provide, both out of the box and in third-party packages, tend to have been designed to make those kinds of attacks difficult to open yourself up to. The documentation for those packages emphasizes the security risks and concerns, the developer communities do everything they can to reduce those risks, and the result is that there are fewer minefields.
And that is why, in this paper [iseclab.org], a whopping 80% of SQL injection and a disproportionately high number of XSS vulnerabilities are from projects that were written in PHP. It's possible to do the right thing in that language, but the evidence is fairly strong that developers focused primarily on PHP don't.
Re: (Score:3)
If you read the paper, you'll discover that about 50% of the projects examined use PHP, so the 80% number is disproportionately high.
Re: (Score:2)
Actually, it's more that PHP makes it easy to suck at those things. For example, mysql_query(), with no parameterization support, is something that should never have existed, and for a long time was the only way to do mysql queries.
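As an added example (not from the thread or from php.net), the string-building pattern that mysql_query() encouraged beside a parameterized PDO query; the table, rows and input are constructed, and an in-memory SQLite database stands in for MySQL so it runs offline:

```php
<?php
// Added example, not from the original thread. Contrasts the legacy
// string-building pattern that mysql_query() encouraged (ext/mysql took
// only a finished SQL string; the extension was removed in PHP 7.0) with a
// PDO prepared statement. Sample data below is constructed.

// Legacy style: the query text is assembled from user input, which is
// exactly what callers of mysql_query("...") had to do.
function buildLookupUnsafe(string $username): string
{
    return "SELECT id, username FROM users WHERE username = '$username'";
}

// Hardened style: the SQL text is fixed and the value travels separately
// as a bound parameter, so input can never change the statement's shape.
function lookupSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')"); // constructed rows

// Constructed input: the quote closes the literal and the remainder is
// parsed as SQL, so the WHERE clause matches every row.
$input = "nobody' OR '1'='1";

$unsafeRows = $pdo->query(buildLookupUnsafe($input))->fetchAll(PDO::FETCH_ASSOC);
printf("Concatenated query: %d row(s) for a username that does not exist\n",
       count($unsafeRows));

// The prepared statement compares the entire input as one literal username.
$safeRows = lookupSafe($pdo, $input);
printf("Prepared statement: %d row(s)\n", count($safeRows));
```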
Re: (Score:2)
Exactly this. I was astounded when I discovered PHP and the world of vulnerabilities it introduced. Using PHP before 5 is just not a good idea, and that is a very sad statement to make about a *language*. I use PHP at times (it is scary fast to develop in), but in general I prefer other languages.
Re: (Score:2)
Here's what I think: If you know what you're doing, doing things the right way takes no longer than doing things the wrong way when you start.
Example [veekun.com]
So the end result is that it's a lot cheaper to do things the right way, because you start off almost as fast, and end up not having to slow down to deal with the headaches that exist as the thing gets larger.
And if you're one of those types that likes a CMS, try Mezzanine [jupo.org] and tell me if it's still hard to get something other than PHP up and running.
Re: (Score:2)
Re: (Score:2)
I can predict there will be a lot of posts by developers of other languages laughing at PHP while ignoring their own languages' massive security failures in the often not so distant past. That is okay; when, for instance, Ruby had their massive security hole or Java applets were kicked out of every browser, I giggled like a schoolgirl too.
But it sure was fun today to google some obscure function and be told php.net might harm your computer. Especially when you are having to fight management daily on some silly security measures you insisted on to protect your project that are so inconvenient and unnecessary because the project hasn't been hacked yet... sigh... do I have to point out that maybe it hasn't been broken into yet because I put the security measures in place? Or that it might simply not have been our turn yet? Nah... it must be because I am an idiot who sees script kiddies everywhere.
Security, if you do it right everyone thinks you have wasted your time and when you do it wrong, it is all your fault.
But at least the amazing pay, respect, job security and being the stuff all women dream about makes up for it...
Oh wait.
I can predict the future, I am going to die a bitter and angry nerd.
I use Perl.
How do I fit in here?
Re: (Score:2)
Or, we could try to educate people about how ridiculous it is that PHP is the only language to have non-stop vulnerabilities *in the language* and, even worse, all the cool things they are going to install to go with it are riddled with even more vulnerabilities, to the extent that running a site in PHP is the next best thing to just posting site credentials online.
Yes, the reason vulnerabilities are so prevalent in modules is because PHP is freaking scary easy to develop so practically anyone can do so, even (
It's about time (Score:3)
It's nice to finally have some company down here in the basement.
-Java Plugin
Re: (Score:2)
So it wasn't hacked, and Google fucked up... (Score:2)
From php.net:
It turned out that by combing through the access logs for static.php.net it was periodically serving up userprefs.js with the wrong content length and then reverting back to the right size after a few minutes. This is due to an rsync cron job. So the file was being modified locally and reverted. Google's crawler caught one of these small windows where the wrong file was being served, but of course, when we looked at it manually it looked fine. So more confusion.
I'm idly curious if Google even
Re:So it wasn't hacked, and Google fucked up... (Score:4, Informative)
I'm concerned about this initial response. It is definitely wrong, unless they INTENDED to link to malicious code. The article in the header has an actual PCAP of an actual successful infection, including the data from the injected iframe, the malicious SWF files, and the PE payload they fetched. There's no doubt about this. I can confirm the payload is live.
See also: https://news.ycombinator.com/item?id=6604251
I'm more than idly curious if we can reach PHP.net via some other medium than their site which we surmise has been compromised, or if this is some form of coerced or deliberate backdoor.
However, what I think has happened is that this is the product of an Apache module: it's only serving the bad code once to any IP, and the access logs of course won't show it. You cannot trust the logs produced by a potentially-rooted computer.
This appears to be a targeted watering-hole attack. This is certainly not a mere false positive. And there seems to be an awful lot of people trying hard to dismiss it. That said, this payload doesn't quite match any exploit kit I recognise.
And then I think who is high-profile, has a botnet that looks rather like this one, has what you could describe as a PR department, and could coerce PHP or Google into lying... and well, a certain agency comes to mind. Has someone taken Genie over, or is it still under the same C&C? Have they, or it, gone rogue as part of Turbine? Are they actually launching? I don't know, because the C&C just went dead...
Re: (Score:2)
Re: (Score:2)
Why should Google apologize because the php.net maintainers are idiots?
Uh oh... (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
Because when an attack is successful it seems like 9/10 times they exploited a bug or configuration issue via PHP?