
imanaccount247 | 11 years ago

PHP is full of problems that lead directly to security vulnerabilities if you aren't constantly aware of them and very careful when writing your code. So when someone who doesn't know those problems (most people) "hacks together" something that "just works", it is almost always providing a backdoor into that server. Once you do learn a little, you find that every scripting language is just as easy to work with as PHP (if not easier) and much safer. So why use PHP over perl or python or ruby or even javascript? They just aren't compiling into apache for no reason.

zapt02 | 11 years ago

Does Perl, Python or Ruby have built-in automatic escaping and sanitization? I would not call PHP less safe than any of these languages.

On top of that all three of those languages require additional setup. (Especially Ruby with RoR shudder)

d23 | 11 years ago

Generally speaking, tutorials in those languages recommend using the parameterized versions of the queries rather than string concatenation and manual escaping. The official docs from these more well-designed languages would have copious warnings against attempting to escape user input yourself, rather than having numerous functions baked into the language to help you do just that (e.g. `mysql_escape_string`, `mysql_real_escape_string`).
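The contrast d23 draws, escaping plus concatenation versus parameterized queries, as an added example that is not part of this thread. It uses Python's standard-library sqlite3 with a constructed in-memory table; `naive_escape` is a hypothetical stand-in for a quote-doubling escape function, not any real library call.

```python
import sqlite3


def build_db():
    """Constructed sample data: two users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user")],
    )
    return conn


def naive_escape(value):
    """Hypothetical manual escape: doubles single quotes, nothing more."""
    return value.replace("'", "''")


def lookup_by_name_concat(conn, name):
    """Escaping works here only because the author remembered the quotes."""
    sql = "SELECT name FROM users WHERE name = '" + naive_escape(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_concat(conn, user_id):
    """Same escape function, numeric context: no quotes, so the escape is
    irrelevant and any text the caller supplies becomes part of the SQL."""
    sql = "SELECT name FROM users WHERE id = " + naive_escape(user_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_param(conn, user_id):
    """Parameterized form: the driver binds the value as data, never as SQL,
    so the context (quoted or numeric) no longer matters."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE id = ?", (user_id,))]


if __name__ == "__main__":
    db = build_db()
    print(lookup_by_name_concat(db, "alice"))        # ['alice']
    print(lookup_by_id_concat(db, "1 OR 1=1"))       # ['alice', 'bob']  (escape did nothing)
    print(lookup_by_id_param(db, "1 OR 1=1"))        # []  (treated as a literal value)
    print(lookup_by_id_param(db, "2"))               # ['bob']
```

The same input that slips through the concatenated numeric query is inert once bound as a parameter, which is why the tutorials d23 mentions steer people away from hand escaping.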

karavelov | 11 years ago

Actually yes - perl has a tainted mode (#!/usr/bin/perl -t) that forces you to sanitize every input from the outside world. It does not do the work for you because it is agnostic to semantics (escaping for shell is different than escaping for SQL, for example) but at least it makes you think about the problem.

imanaccount247 | 11 years ago

>Does Perl, Python or Ruby have built-in automatic escaping and sanitization?

No, of course not. That's very much the point. PHP's broken attempt at that created security holes.

>On top of that all three of those languages require additional setup

No they don't. It is just that someone else has already done the setup for you with PHP at most cheapo hosting companies. Installing python is no harder than installing PHP.

>(Especially Ruby with RoR shudder)

You are comparing a framework to a language. Rails is no harder to set up than any of the PHP frameworks like zend or symfony.