Security Open Source

PHP.net Compromised

An anonymous reader writes "The open source PHP project site was compromised earlier today. The site appears to have been compromised and had some of its JavaScript altered to exploit vulnerable systems visiting the website. Google's stop-badware system caught this as well and flagged php.net as distributing malware, warning users whose browsers support it not to visit the site. The comment by a Google employee over at the Hacker News thread (official Google webmaster forum thread) seems to suggest that php.net wasn't incorrectly flagged."
  • by SmallFurryCreature ( 593017 ) on Thursday October 24, 2013 @03:48PM (#45227709) Journal

    I can predict there will be a lot of posts by developers of other languages laughing at PHP while ignoring their own languages' massive security failures in the often not so distant past. That is okay; when, for instance, Ruby had their massive security hole or Java applets were kicked out of every browser, I giggled like a schoolgirl too.

    But it sure was fun today to google some obscure function and be told php.net might harm your computer. Especially when you are having to fight management daily on some silly security measures you insisted on to protect your project that are so inconvenient and unnecessary because the project hasn't been hacked yet... sigh... do I have to point out that maybe it hasn't been broken into yet because I put the security measures in place? Or that it might simply not have been our turn yet? Nah... it must be because I am an idiot who sees script kiddies everywhere.

    Security, if you do it right everyone thinks you have wasted your time and when you do it wrong, it is all your fault.

    But at least the amazing pay, respect, job security and being the stuff all women dream about makes up for it...

    Oh wait.

    I can predict the future, I am going to die a bitter and angry nerd.

  • by Sarten-X ( 1102295 ) on Thursday October 24, 2013 @03:52PM (#45227775) Homepage

    As a mild Java fanboy, I feel compelled to mention that real Java isn't really locked in to a single vendor, as the reference implementation (OpenJDK) is open-source. However, the reference implementation lacks a lot of the features that aren't real Java, that Sun and Oracle have so kindly implemented in their own versions. A careful Java developer isn't locked in, but a careless one easily can be.

  • by Anonymous Coward on Thursday October 24, 2013 @04:23PM (#45228159)

    Silverlight and .Net are the same. Silverlight is simply a subset of .Net that runs in a browser plugin environment. Flash runs like that more commonly than not. Java came with a browser plugin from day 1. Silverlight was simply a catch-up attempt by Microsoft, back before HTML5 made those plugins irrelevant. Throw it in the too-little-too-late bag, but don't confuse it with a real framework.

    Also, you're wildly misinformed about the extent of lock-in. Flash is single-vendor, but there are several knock-offs that claim at least partial compatibility. The rest of your examples aren't even close to locked-in. .Net is multi-vendor, as there are several non-Microsoft versions of it (Mono isn't the only one). Java has even more vendors, providing various JVMs and front-end languages that will compile to bytecode. Heck, one of the most widely used Java app servers is Tomcat, and that's made by Apache. It can be paired with any of the compliant JVMs with relative ease.

    Meanwhile, the GP is getting all angry about someone insulting their language of choice. Lighten up. Nobody is going to take away your precious PHP. Hell, my career got its start as a "professional PHP developer". Even at the time, it was something I joked about, and this was a decade ago.

    The fact is, PHP is ridiculously easy to use, even for a newbie developer. And because of that, there are a lot of newbies using PHP, making the mistakes that newbies inevitably make. This would be OK if they were still in school or developing a Personal HomePage (thanks, retconning!), but when they make this crap in the workforce, it crystallizes into production code and then we (all of us) have to maintain their steaming pile of newbieness forever. Mostly, I blame management for allowing this to happen. But it's much easier to fight off newbies and their PHP by requiring more newbie-proof development technologies in the workplace.

    I'm a programmer that does web, web service, desktop, command line, and mobile development for large scale data management and real-time reporting. I no longer use PHP because it is incapable of doing what the software I write does. It's simply the wrong tool for the job, including the web portions. If you want to introduce yourself to web programming, by all means, use PHP. And once you've learned it, know HTTP inside and out, know request/response interplay like the back of your hand, and can set headers, dynamically generate formatted and unformatted data, and in general, use the response body as your bitch, then you don't need PHP anymore and can (and should) move up to something more scalable.

    And before you say "PHP is scalable because Facebook uses it", keep in mind what the parent post already noted (emphasis mine):

    Facebook uses a special version of it.

    Facebook's version is scalable and has good performance. Stock PHP is mediocre. And you can't afford Facebook's clustering and load-balancing setup.

  • by MightyMartian ( 840721 ) on Thursday October 24, 2013 @04:29PM (#45228245) Journal

    What do I care about a scripting language's performance? The bulk of my work is basically using scripting languages as glue and display functions for RDBMS queries. The amount of cycles the interpreter/JIT/whatever has to consume is dwarfed by the cycles eaten up by the SQL database.

  • by Spudley ( 171066 ) on Thursday October 24, 2013 @05:04PM (#45228609) Homepage Journal

    Listen, moron. PHP is GARBAGE and anyone who defends it is a clueless fool.

    Find me a language without major design flaws, and I'll show a language that hardly anyone actually uses.

  • by AuMatar ( 183847 ) on Thursday October 24, 2013 @05:29PM (#45228889)

    That is quite possibly the worst idea I've ever heard. So I either have a hash lookup on each parameter on every function call (which will CRUSH performance in any language), or a very complicated system for the compiler to implement. Then as a user I not only need to remember what the parameters are for every function, but what they were named? Which basically means it would need to be looked up every time, because I am not remembering all that. You're looking at an order of magnitude slowdown in writing code. Just a stupid idea.

  • by narcc ( 412956 ) on Thursday October 24, 2013 @05:51PM (#45229151) Journal

    Well, the strip is from 1995. Did you expect them to convert the whole archive to PNG just to make a few nerds feel better?
