
The present and near future in web development Or: What's hot in PHP?

#16 User is offline Rolken 

Posted 09 April 2012 - 11:31 AM

  • Posts: 296
  • Joined: 29-July 06
  • Gender:Male
  • Location:San Francisco, CA
  • Wiki edits:1

Meat Miracle, on 06 April 2012 - 09:32 PM, said:

Eh, so just because people write idiot guides, the language is suddenly crap? I don't see the problem with the guide you linked to - it only covers forms, not security. It's basic information to get started with, but not something meant to be the backbone of your site. Yes, someone using just that guide would end up creating a honeypot without knowing, but if you blame people for being stupid and ignorant - and others for taking advantage of this - then you might as well blame the entire human race, not PHP.


I will freely admit that I am not entirely persuaded by your alternative suggestion of blaming the entire human race for being stupid and ignorant. I think I'll just keep focusing on using the best tools available to build the greatest systems I can with the most driven colleagues I can find. Call me crazy.
This post has been edited by Rolken: 09 April 2012 - 12:05 PM

#17 User is offline Sik 

Posted 10 April 2012 - 04:19 AM

  • Sik is pronounced as "seek", not as "sick".
  • Posts: 6719
  • Joined: 17-March 06
  • Gender:Male
  • Project:being an asshole =P
  • Wiki edits:11

Meat Miracle, on 04 April 2012 - 08:58 PM, said:

Because the things you mentioned, SQL injections through forms - either GET or POST - are so basic that I'm honestly surprised that they still work on some sites.

The problem is that SQL requests are essentially passing a small piece of code to an interpreter, and as you can imagine things like strings and such need to be properly escaped to not mess with the language syntax... and most lazy programmers will completely forget to escape the user input.

#18 User is offline Rolken 

Posted 10 April 2012 - 03:58 PM

  • Posts: 296
  • Joined: 29-July 06
  • Gender:Male
  • Location:San Francisco, CA
  • Wiki edits:1
Well, in a random bit of timeliness, Eevee has put way waaaaaaaaaay more effort into detailing PHP's issues than I ever would. Yikes. If you prefer 100 paragraphs to 100 words, he's got you covered.

#19 User is offline Metal Man88 

Posted 10 April 2012 - 07:31 PM

  • Time Traveller
  • Posts: 2015
  • Joined: 06-March 06
  • Gender:Male
  • Wiki edits:46
All of that said, use Built queries and mysqli to dodge the stupid SQL injection. Then avoid using as much of the "broken" stuff. Then you're fine. People who use other languages HATE PHP, but that doesn't mean you can't use it.

Peer pressure should not be a factor here.
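
An added example, not part of the thread and not any poster's code: the point made in posts #17 and #19, with a concatenated query beside a prepared one. It assumes a constructed `users` table and uses PDO with in-memory SQLite so it runs without a database server; with mysqli the same pattern is `prepare()`, `bind_param()`, `execute()`.

```php
<?php
// Constructed table and inputs, for illustration only.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)");
$db->exec("INSERT INTO users (name, secret) VALUES ('alice', 'a-secret'), ('bob', 'b-secret')");

// Vulnerable: the form value is spliced into the SQL text, so the interpreter
// parses any quotes and operators it contains as part of the statement.
function findUserConcat(PDO $db, string $name): array {
    $sql = "SELECT name, secret FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the statement is parsed with a placeholder first; the value is
// bound afterwards and is only ever compared as data.
// mysqli form: $stmt = $mysqli->prepare(...); $stmt->bind_param('s', $name); $stmt->execute();
function findUserPrepared(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT name, secret FROM users WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A normal name, a legitimate name containing a quote, and a value that
// changes the WHERE clause when concatenated.
$inputs = ["alice", "O'Brien", "x' OR '1'='1"];
foreach ($inputs as $input) {
    try {
        $concat = count(findUserConcat($db, $input)) . " row(s)";
    } catch (PDOException $e) {
        $concat = "SQL error";   // the stray quote broke the statement syntax
    }
    $prepared = count(findUserPrepared($db, $input)) . " row(s)";
    printf("%-16s concat: %-10s prepared: %s\n", $input, $concat, $prepared);
}
```

The concatenated version fails on an ordinary apostrophe and returns every row for the third input, while the prepared version treats all three values as plain names.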

#20 User is offline Overlord 

Posted 11 April 2012 - 03:30 PM

  • "I am Death, not Taxes. I turn up only once."
  • Posts: 12409
  • Joined: 12-January 03
  • Gender:Male
  • Location:Berkshire, England
  • Project:VGDB
  • Wiki edits:3,204
Let's also not forget that Ruby on Rails is also far from flawless: http://erratasec.blo...translated.html

#21 User is offline Sik 

Posted 11 April 2012 - 03:43 PM

  • Sik is pronounced as "seek", not as "sick".
  • Posts: 6719
  • Joined: 17-March 06
  • Gender:Male
  • Project:being an asshole =P
  • Wiki edits:11
Isn't that the very feature that eventually got removed from PHP for being too dangerous?

#22 User is offline ICEknight 

Posted 11 April 2012 - 04:41 PM

  • Posts: 8148
  • Joined: 11-January 03
  • Gender:Male
  • Location:Spain
  • Wiki edits:18
...Wait a second, so Ruby on Rails is less secure than PHP? I remember reading that some PHP-based frameworks such as CodeIgniter even added some extra security regarding code injecting through SQL.


If PHP is safer and its biggest problem is that it encourages to make subpar code, it sounds like it might actually be the best option right now...
This post has been edited by ICEknight: 11 April 2012 - 04:49 PM

#23 User is offline Sik 

Posted 11 April 2012 - 07:53 PM

  • Sik is pronounced as "seek", not as "sick".
  • Posts: 6719
  • Joined: 17-March 06
  • Gender:Male
  • Project:being an asshole =P
  • Wiki edits:11

ICEknight, on 11 April 2012 - 04:41 PM, said:

I remember reading that some PHP-based frameworks such as CodeIgniter even added some extra security regarding code injecting through SQL.

As I said, the real issue is programmers not escaping the data they pass to SQL. The real issue there is SQL, not PHP.

#24 User is offline Meat Miracle 

Posted 11 April 2012 - 08:05 PM

  • Posts: 1216
  • Joined: 11-January 03
  • Gender:Male
  • Wiki edits:2

Rolken, on 10 April 2012 - 03:58 PM, said:

Well, in a random bit of timeliness, Eevee has put way waaaaaaaaaay more effort into detailing PHP's issues than I ever would. Yikes. If you prefer 100 paragraphs to 100 words, he's got you covered.

Honestly, I've seen a ton of those "why php sucks" articles and all seem to be splitting hairs to me. Some articles even mention PHP flaws as strengths and vice versa (ex. declaring globals in a function). The one issue I see logic in is the association direction for the ternary operator, but I just spell those out with switch/case. It's just easier to follow that way.

I'm not saying that the problems are not true though. I'm not a super expert coder. To me it seems that the biggest source of complaints is that PHP grew so much that it became very inconsistent - with itself and with other languages. But that's expectable from anything that grows over so many years in my opinion...

ICEknight, on 11 April 2012 - 04:41 PM, said:

...Wait a second, so Ruby on Rails is less secure than PHP? I remember reading that some PHP-based frameworks such as CodeIgniter even added some extra security regarding code injecting through SQL.


If PHP is safer and its biggest problem is that it encourages to make subpar code, it sounds like it might actually be the best option right now...

No programming language is safer than the other if you write bad code.
Likewise no browser or OS is safe either, if you just click "ok" without ever reading any dialogs.

#25 User is offline Rolken 

Posted 12 April 2012 - 11:03 AM

  • Posts: 296
  • Joined: 29-July 06
  • Gender:Male
  • Location:San Francisco, CA
  • Wiki edits:1
Hey, whatever. I'm not here to "peer pressure" anyone into using particular technologies; I don't give a shit what you use. I was simply offering advice and context, as was requested. (And I guess nobody noticed that I pointed out the mass assignment issue on the first page.)

PHP is simply not the language actual experts and professionals choose for new projects in 2012. If that doesn't bother you, great. PHP might not flex your expertise but it won't kill you. Knock yourself out, have fun. If it does bother you, maybe you should ask yourself why it bothers you and figure out what you want out of programming. I personally love exploring new technologies built on fresh ideas, and getting paid handsomely for it is the icing on the cake.

Either way, arguing about it is pretty goofy.

#26 User is offline Metal Man88 

Posted 15 April 2012 - 02:03 AM

  • Time Traveller
  • Posts: 2015
  • Joined: 06-March 06
  • Gender:Male
  • Wiki edits:46

Sik, on 11 April 2012 - 03:43 PM, said:

Isn't that the very feature that eventually got removed from PHP for being too dangerous?


Yes, that's register globals.

Ultimately there is employment for almost all languages that are used enough. It comes down to what you like the best, for personal stuff.
