On 28 September 2013 12:25, Leigh <lei...@gmail.com> wrote:

>
> On Sep 28, 2013 10:39 AM, "Peter Lind" <peter.e.l...@gmail.com> wrote:
> >
> > So you're stuck with two choices: accept that PHP security is lax and
> that as a result a lot of code will have many attack vectors, or try to
> change the language itself for the better. The third option of "educate" is
> a mirage.
> >
>
> PHP provides you with all the tools you need to write secure apps. I could
> go around writing mysql_query($_REQUEST["blah"]) but I don't. Why? Because
> I have been educated. We don't have restrictions in the core that prevent
> me from doing it, and we don't need them either.
>
Care to back that up with an argument?


> I agree with you, being secure by default is a worthy objective, but the
> proposal here shouldn't even be on by default. (remember not everyone is
> able to control their ini settings and whatnot)
>
Worthy objective? You just stated your opinion that you don't want default
protection in the core language. Which is it?


> Education is not a mirage. People picked up their insecure coding habits
> from somewhere, and if it's from laziness then I don't think they really
> deserve protecting. If it was from a terrible blog article promoting
> insecure practices then we need better articles. There's not much we can do
> to remove the content that's already out there, but there's a lot we can do
> with providing new, up to date and accurate content.
>

How many years has PHP been around? For how long have we been trying to
educate people to avoid mysql_* functions? Has it worked? No. You can
educate a fair number of people, but when you have the user base of PHP it's
downright stupid to think you'll get the majority on board.

Also, saying that people deserve what they get because they're not educated
developers is being arrogant.


-- 
<hype>
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
</hype>
