If there ever was a reason not to use PHP, it's Bugtraq reports like this one. Woo hoo! Any file-upload script can be told to act on any file on the system, because they confuse user-form variables with system control variables. Woo hoo. Another place where oversimplification leads to security holes.

-- Randal L. Schwartz, Perl hacker

Re (tilly) 1: Why should I use PHP after this?
by tilly (Archbishop) on Sep 04, 2000 at 18:33 UTC
    As opposed to Perl's suidperl mistake not long ago that created a nice portable local root exploit?

    Security mistakes are made by everyone. Unless (like wu-ftpd) they become a habit I like to give the benefit of the doubt.

    The non-existence of strict and the inability of PHP libraries to run cleanly under the highest level of warnings (which does not catch as much as Perl's) are rather better reasons to avoid PHP IMO. Plus the fact that the language won't grow with you...

      Plus the fact that the language won't grow with you...

      Not sure what you mean by this ... if you're talking about the extensibility of PHP vs. Perl via modules, PHP has made major strides along this road lately. Check out the articles about PEAR (roughly, CPAN for PHP, complete with javadoc-like functionality).

      "He's got about as much personality as a loaf of bread" -- Wally Pleasant, She's in love with a Geek

        I mean that PHP cannot fit as comfortably into as many roles and as many programming styles as Perl. It may be improving, but Perl is today where PHP wants to be and isn't.

        BTW for my stating it that way you can blame merlyn and his, Training wheels without the bike comment. :-)

Re: Why should I use PHP after this?
by t0mas (Priest) on Sep 04, 2000 at 18:39 UTC
    Maybe if you want to publish your /etc/passwd file on the web, then all the code is already written for you. :-}

    /brother t0mas
Re: Why should I use PHP after this?
by Anonymous Monk on Sep 04, 2000 at 19:40 UTC
    Ehm Randal, what about something like co-existence?? or even better co-operation?? between perl and php?? Perl might be even more dangerous if used by novices :-) But why not allow somebody to use PHP if it's more suitable to him?? By the way, do you have an idea for me how to give an object (or a reference to it) from a perl-script to a php-script? (I'm thinking about using PHP for the frontend but would prefer to let DBI do the good work in the background) (ok, there would be something like xml possible, but that's "around three corners") Have a nice day! Ralf Buescher (not a monk yet, but still learning, and forced by the employer to use PHP )
RE: Why should I use PHP after this?
by Ozymandias (Hermit) on Sep 04, 2000 at 23:47 UTC
    Complication leads to many more security holes than simplification. The more complex a system is, the more likely it is to contain a security problem. In fact, it probably has more holes and problems than are ever discovered.

    Any system, no matter how simple, CAN have security holes. It's the nature of the beast; when you have a system that anyone can use, there is the risk that one of those people will find a way to use it in unintended ways.

    In this case, an attempt at simplification appears to have led to a security problem. I say appears not because I doubt there's a problem but because I don't pretend to know exactly what mistake was made here. I still much prefer simplification to complication.

      Actually most security holes, counting by number reported, are buffer overflows and the like. Most of which are caused by people reinventing invented wheels. But that is neither here nor there.

      Here is the actual problem. PHP by default willfully violates the good programming practice of not using symbolic references. Perl not only does not violate it by default, it allows you to stop accidental use of it with strict.

      In fact with PHP in the default configuration, anyone who wants can, by sending you a form with specifically named variables, set global variables in your program. In this case any PHP script that allows someone to upload a file can be tricked into using a local file like your password file. If it displays that, emails that, or whatever, you have handed out critical information.

      This is a serious security hole, and I am sure that a careful analysis of standard PHP programs will show other global variables that can be tweaked with "interesting" results. If you want you can go looking yourself. You just need to find scripts that think specific globals have been set in some sort of preprocessing and dream up a form that sets those variables to whatever you want.

      Now is this hole simplification? Yes, and no. The good kind of simplification is to divide a problem up into simple pieces and solve each one cleanly. This is not an example of that. The bad kind of simplification is to do whatever you can to make it simple to do things, with no thought of the potential consequences. This is an example of the latter. Most of the API that Microsoft provides in Office could serve as additional examples, and the periodic Melissa-class viruses are a consequence. (I am still waiting for the email virus that can hit people who read it, even if they have ActiveX turned off, through the Access mistake. That is kiddie scriptable. The neat buffer overflow in Outlook upon trying to parse the date is fortunately well out of your average kiddie's reach.)
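      As an added illustration (not code from the thread), the pattern tilly describes, side by side with the fix PHP later shipped for it: an upload handler that trusts a form-named global as a filesystem path, next to one that takes the path only from the request's own upload array and confirms it with is_uploaded_file(). The field name "userfile" and the destination directory are assumed.

```php
<?php
// Added illustration, not from the thread. Two handlers for a form field
// named "userfile"; the directory and names are assumed.

// VULNERABLE (register_globals era): PHP creates $userfile from whichever
// source supplied it, so an ordinary form field can set it to any local
// path the web server can read, and this copies that file, not an upload.
function handle_upload_trusting_globals()
{
    global $userfile, $userfile_name;
    $dest = '/var/www/uploads/' . $userfile_name;
    copy($userfile, $dest);          // copies whatever $userfile points at
    return $dest;
}

// HARDENED: read the temp path only from $_FILES and require PHP itself
// to vouch, via is_uploaded_file(), that it received this file in this
// request. move_uploaded_file() performs the same check before moving.
function handle_upload_safely(array $files)
{
    if (!isset($files['userfile']) || $files['userfile']['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = $files['userfile']['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        return null;                 // a path that is not a real upload
    }
    // Never reuse the client-supplied filename as a path component.
    $name = bin2hex(random_bytes(16));
    $dest = '/var/www/uploads/' . $name;
    if (!move_uploaded_file($tmp, $dest)) {
        return null;
    }
    return $dest;
}

// Usage: $saved = handle_upload_safely($_FILES);
```

      The same class of bug is why register_globals was later turned off by default and eventually removed from PHP; the is_uploaded_file() check is the per-script defence that does not depend on that setting.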

RE: Why should I use PHP after this?
by Malach (Scribe) on Sep 13, 2000 at 04:25 UTC

    You shouldn't.

    You should make an informed decision about what you prefer to use.

    You should make your reasons for this choice available.

    What, in my opinion, you should not do, is adopt a schoolyard "nyah nyah, mine is better than yours!" attitude, simply because someone screwed up, and a security hole resulted.

    I think perl can easily stand on its own many merits, without having one of its leading proponents kicking the opposition when it's down.

RE: Why should I use PHP after this?
by wardk (Deacon) on Sep 07, 2000 at 00:36 UTC

    I think PHP is kinda cool, but it is real close to ASP or IBM's older/wiser Net.Data.

    Personally I really like having a program generate output, rather than mixing html and code together. I've seen some ASP code laced with html, vbscript and javascript, with some vbscript that generates more javascript.

    Not sure why there seems to be a PHP/Perl war brewing, hopefully it's just some good humored sniping...."your code smells of elderberries...."

    One thing is for sure, there aren't any ASP or PHP sites that I could locate that touch Perlmonks for obtaining real answers to real questions without scrounging through massive disorganization, and 'for sale' code.

    but if there's going to be sniping...make it entertaining! :-)

    post-submit edit: uh-oh, seem to have referenced python, no intention of bringing it into the fray!

      HTML::Mason || Emb::Perl
RE: Why should I use PHP after this?
by BigJoe (Curate) on Sep 05, 2000 at 05:05 UTC
    I say use what you want to use, be it Perl or PHP, but if you are having troubles with PHP or any other, don't come crying to the Monastery for guidance. PHP is like ASP: it has a very small usage area. But these are my personal thoughts.


    Learn patience, you must.
    Young PerlMonk, craves Not these things.
    Use the source Luke.
      just b.t.w. ASP is nothing like a programming language, but more an interface to enable you to hand the execution of embedded scripts to a parser you want, let it be perl or PHP or Java or even Basic :-))
      Thus the usage area for ASP is only delimited by your imagination.
      All decision is left to your taste.
RE: Why should I use PHP after this?
by Anonymous Monk on Sep 07, 2000 at 20:01 UTC
    because there's more than one way to do it? Gloating is so unseemly.