On 28 September 2013 11:27, Madara Uchiha <mad...@tchizik.com> wrote:
> You guys are missing the point. This isn't a language level issue. I
> can imagine some sort of package or a library being made, some sort of
> wrapper around the current session commands, perhaps integrated into
> some sort of extension.
>
> But it is NOT a language level issue. This isn't a problem the
> language needs to solve, ESPECIALLY since userland implementation is
> so trivial.
>

I would disagree. PHP has very low security levels by default and some WTF security issues because of default settings. It should be the other way round: high security by default that you need to actively change if you want it lowered.

The problem is that the majority of PHP developers for better or worse think they can copypaste solutions to problems and forget about things after that as long as the output on their screens looks ok. For many developers, security is an afterthought if even that. And you are, quite simply, NOT GOING TO CHANGE THAT IN THE FORESEEABLE FUTURE. It's not a question of whether you're right or wrong in principle - it's a simple question of statistics. You will have close to zero impact on the PHP developers, no matter how many blog articles you write. It is too large and too diverse a group.

So you're stuck with two choices: accept that PHP security is lax and that as a result a lot of code will have many attack vectors, or try to change the language itself for the better. The third option of "educate" is a mirage.

Note: I'm not saying this feature would be an overall benefit for the security of PHP, but the reasoning behind it is right.

Regards
Peter

--
<hype>
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
</hype>