[LINK] The Ethics (!) of Dodgy Web Designers

Craig Sanders cas at taz.net.au
Tue Apr 17 18:46:56 AEST 2007


On Tue, Apr 17, 2007 at 01:08:33PM +0800, Adrian Chadd wrote:
> I've found myself giving a few talks here and there on basic website
> software security. It's all aimed at PHP and it's all the basic
> stuff (include exploits, SQL injection exploits, global variable
> substitution exploits, etc.)  Almost all of the people that have
> attended my little sessions were pretty shocked - they didn't realise
> these things could be a problem.

that last sentence is precisely why i don't, generally, like PHP-based
apps.

not because there's anything wrong with the language, but because it's
promoted as "easy" programming for non-programmers. so, of course, you
get lots of non-programmers writing stuff in it and they don't have the
knowledge or experience or just plain suspicion and paranoia required to
develop robust applications for a hostile environment like the web.

Cold Fusion has the same problem, only more so because it's favoured
by windows-using non-programmers, so they miss out on even the basic
knowledge that unix users pick up just by using unix.

ditto for other so-called "easy" programming languages. almost any
programming language is easy to learn - but that doesn't eliminate the
need for understanding the problem domain (e.g. to write a general
ledger program you actually need a reasonable understanding of
accounting, or at least access to someone who does) or understanding of
basic programming principles (variables, data structures, control loops,
etc etc etc), and an understanding of the environment in which your app
is going to be deployed (stand-alone app, web app, or whatever).

on top of all that, you also need to know the history and tips and
tricks and traps of all the above so that you don't make the basic
mistakes that were solved years or decades before.

in other words, claims about easy programming for non-programmers
are actually a lie. learning the syntax of a language is trivial and
insignificant compared to all the rest of it.


it's not impossible to write a decent, secure app in PHP. it's just
uncommon to find one for download.




craig

ps: i tend to avoid mysql-based stuff too, for the same reason. it's
often chosen by non-programmers for the same reason they chose php or
CF or whatever - bogus claims of "easiness". anyone who understands
databases well enough is likely to choose a better db engine like
postgres or oracle. recent improvements to mysql make it emulate a real
database server better than before, but IMO you're still better off
using a real db in the first place. mysql is no longer just a glorified
filesystem with an sql interface, but it's not yet a real database
server either.


-- 
craig sanders <cas at taz.net.au>

"Men rarely (if ever) manage to dream up a god superior to themselves.
 Most gods have the manners and morals of a spoiled child."
       [Robert Heinlein, "Notebooks of Lazarus Long", quoted in
        Peter McWilliams, Ain't Nobody's Business If You Do, p. 375]
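
As an added illustration (not part of Craig's or Adrian's message), here are the three PHP bug classes Adrian lists in his talks, each shown as the naive snippet beside a hardened version. This is example code written for this page, not anything the original authors posted: the users table, the page map, the injection payload and the request arrays are all constructed, and it assumes PHP 7.1 or later with the pdo_sqlite extension so the SQL part can run against an in-memory database.

```php
<?php
// Added example: SQL injection, include exploits and global variable
// substitution in PHP, vulnerable form beside hardened form.
// Requires the pdo_sqlite extension (assumption). Run: php example.php
declare(strict_types=1);

// --- 1. SQL injection: string-built query vs. prepared statement ---------
function lookupUserUnsafe(PDO $db, string $name): array {
    // VULNERABLE: user input is spliced into the SQL text.
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function lookupUserSafe(PDO $db, string $name): array {
    // Hardened: the value is bound as a parameter and never parsed as SQL.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- 2. Include exploit: include($_GET['page']) vs. an allow-list --------
// Constructed map of page names to files (the files themselves are assumed).
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];

function resolvePageUnsafe(string $page): string {
    // VULNERABLE: the attacker chooses the path handed to include()
    // (../../etc/passwd, php://input, or a remote URL if allow_url_include is on).
    return $page . '.php';
}

function resolvePageSafe(string $page): ?string {
    // Hardened: only values from a fixed map ever reach include().
    return PAGES[$page] ?? null;
}

// --- 3. Global variable substitution (register_globals) -------------------
function isAdminUnsafe(array $request, bool $passwordOk): bool {
    // extract() simulates register_globals: ?authorized=1 in the request
    // creates $authorized before the code below ever assigns it.
    extract($request);                         // VULNERABLE
    if ($passwordOk) {
        $authorized = true;
    }
    return isset($authorized) && $authorized;  // true for ?authorized=1, wrong password
}

function isAdminSafe(array $request, bool $passwordOk): bool {
    // Hardened: always initialise, and never let request data name variables.
    $authorized = false;
    if ($passwordOk) {
        $authorized = true;
    }
    return $authorized;
}

// --- Demonstration with constructed data ----------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

$payload = "' OR '1'='1";   // constructed injection string
printf("unsafe lookup rows: %d\n", count(lookupUserUnsafe($db, $payload))); // every user
printf("safe lookup rows:   %d\n", count(lookupUserSafe($db, $payload)));   // none

var_dump(resolvePageUnsafe('../../etc/passwd'));  // attacker-controlled path
var_dump(resolvePageSafe('../../etc/passwd'));    // NULL
var_dump(resolvePageSafe('about'));               // "about.php"

$evil = ['authorized' => '1'];   // constructed request, no valid password
var_dump(isAdminUnsafe($evil, false));   // bool(true): bypass
var_dump(isAdminSafe($evil, false));     // bool(false)
```

The common thread is the one Craig's message turns on: none of the fixes is clever, they are just the habit of treating every request value as hostile, which is exactly the "suspicion and paranoia" a first-time PHP author has not yet acquired.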
