The Artima Developer Community
Python Buzz Forum
The PHP Ghetto

Ian Bicking

Posts: 900
Nickname: ianb
Registered: Apr, 2003

Ian Bicking is a freelance programmer
The PHP Ghetto Posted: Jul 19, 2005 12:40 AM

This post originated from an RSS feed registered with Python Buzz by Ian Bicking.
Original Post: The PHP Ghetto
Feed Title: Ian Bicking
Feed URL: http://www.ianbicking.org/feeds/atom.xml
Feed Description: Thoughts on Python and Programming.

Stephen Thorn posted a note about a PHPXMLRPC exploit. Whenever I see such things, I try to figure out what implementation would cause that. At first I was baffled, but then I realized that the XMLRPC parser created an array of arguments, then created the text of the function call somehow like "$method_name($param1, $param2, ...)" and used eval on it (instead of call_user_func_array). This is partially the fault of PHP, as the eval page doesn't give any warning about how dangerous the function is. It's the fault of the person who wrote PHPXMLRPC for being really dumb -- the code isn't just insecure, it's really buggy too. It's the fault of anyone who used the library for paying no attention to the code (or apparently ever testing the code with even slightly creative input).

Actually more info here -- the code in question seems confusing and indirect enough that I don't understand exactly why it does what it does, or how it would be fixed.

Someone could have written the exact same code in Python. Python has the same functions. And yet I almost never come upon code like this in Python. If anyone posted code like this in Python, someone would immediately bonk them on the head for their stupidity. Even if they wrote confusing code like in this case, people would know enough to see eval() and get a hunch something was wrong.

I think the Broken Windows theory applies here. PHP is such a load of crap, right down to the standard library, that it creates a culture where it's acceptable to write horrible code. The bugs and security holes are so common, it doesn't seem so important to keep everything in order and audited. Fixes get applied wholesale, with monstrosities like magic quotes. It's like a shoot-first-ask-questions-later policing policy -- sure some apps get messed up, but maybe you catch a few attacks in the process. It's what happened when the language designers gave up. Maybe with PHP 5 they are trying to clean up the neighborhood, but that doesn't change the fact that when you program in PHP you are programming in a dump.

Read: The PHP Ghetto
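The dispatch pattern the post describes, rebuilt in Python as an added example (not code from the post or from PHPXMLRPC): the eval-on-pasted-text form beside the direct-call form that call_user_func_array would give you. The handler table and the sample requests are constructed for illustration.

```python
"""Added example: eval-based XML-RPC dispatch next to direct dispatch.
Handlers (echo, add) and the sample parameters are constructed."""

# Constructed handlers standing in for the XML-RPC server's method table.
def echo(*args):
    return list(args)

def add(a, b):
    return a + b

METHODS = {"echo": echo, "add": add}

def build_call_text(method_name, params):
    """Paste the decoded method name and parameters into source text the way
    the post describes, wrapping strings in quotes but never escaping them
    (mirroring naive string concatenation in the PHP code)."""
    pieces = ['"' + p + '"' if isinstance(p, str) else str(p) for p in params]
    return f"{method_name}({', '.join(pieces)})"

def dispatch_eval(method_name, params):
    """The pattern the post criticises: every parameter is re-parsed as code,
    so a quote inside a string either breaks the call or changes its shape."""
    return eval(build_call_text(method_name, params), {"__builtins__": {}}, METHODS)

def dispatch_direct(method_name, params):
    """The hardened form: look the name up in an explicit table and pass the
    decoded values straight through as arguments.  Parameter contents are
    never parsed, so they can only ever be data."""
    handler = METHODS.get(method_name)
    if handler is None:
        raise ValueError(f"unknown method: {method_name!r}")
    return handler(*params)

if __name__ == "__main__":
    # Same three requests through both dispatchers: a plain string, a string
    # that breaks the pasted source, and one whose quotes split it into two
    # arguments under eval but stays one argument under direct dispatch.
    for params in (["plain"], ['say "hi"'], ['a", "b']):
        for label, dispatch in (("eval", dispatch_eval), ("direct", dispatch_direct)):
            try:
                print(f"{label:6} echo{params!r} -> {dispatch('echo', params)!r}")
            except SyntaxError as exc:
                print(f"{label:6} echo{params!r} -> SyntaxError: {exc.msg}")
```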
