undefined | Better HN

0 pointssteakejjs11y ago0 comments

What? I don't understand what you mean. PHP is not any more insecure than other languages. Some extremely secure sites run PHP....so security augmentations would not be obscurity.

An example would be built in CSRF protections through something like a form builder

0 comments

meowface11y ago

>PHP is not any more insecure than other languages.

This is debatable. It's not if you know to avoid many awful components of the language that are pushed in tutorials (like extract, or mysql_query, or register_globals, or loose comparisons).

jtreminio11y ago

register_globals was removed several years ago;

mysql_* functions all have a big red warning at the top of the docs pages warning users not to use it;

extract has a big red warning about using it on untrusted data.

PHP shouldn't hold developer's hands, but it does enough to warn them away from the Here There Be Dragons.

meowface11y ago

You're right about register_globals.

However, the others require users to actually read the documentation, which unfortunately many do not. A new user of PHP reading a tutorial does not necessarily know these functions are unsafe. They type the functions into their program and they still work, even on the latest versions of PHP. They don't see a visible deprecation warning on the page.

j / k navigate · click thread line to collapse

0 pointssteakejjs11y ago0 comments

What? I don't understand what you mean. PHP is not any more insecure than other languages. Some extremely secure sites run PHP....so security augmentations would not be obscurity.

An example would be built in CSRF protections through something like a form builder

0 comments

meowface11y ago

>PHP is not any more insecure than other languages.

This is debatable. It's not if you know to avoid many awful components of the language that are pushed in tutorials (like extract, or mysql_query, or register_globals, or loose comparisons).

jtreminio11y ago

register_globals was removed several years ago;

mysql_* functions all have a big red warning at the top of the docs pages warning users not to use it;

extract has a big red warning about using it on untrusted data.

PHP shouldn't hold developer's hands, but it does enough to warn them away from the Here There Be Dragons.

meowface11y ago

You're right about register_globals.

j / k navigate · click thread line to collapse