Re: [hackers-il] Presentation about LAMP (= Linux, Apache, MySQL and Perl/PHP/Python)

  • Shlomi Fish
    Message 1 of 11 , Mar 26, 2005
      On Saturday 19 February 2005 04:44, Shlomi Loubaton wrote:
      > On Fri, 18 Feb 2005 22:12:15 +0200, Shlomi Fish <shlomif@...> wrote:
      > > > PHP DOES have references, RTFM!
      > >
      > > Possibly. I was told about the & operator (IIRC). In any case, if you
      > > have a nested data structure, and you reference a sub-node and modify it,
      > > will the original data structure be modified as well?
      >
      > Yes.
      >
      > php -r '$a["x"]["y"]["z"]=10; $b=&$a["x"]["y"]; $b["z"]=5; echo $a["x"]["y"]["z"];'
      > The output of this line is '5'.
      > (using PHP4)
      >

      Corrected.

      > > I don't understand the sentence's context especially considering the fact
      > > it has "only".
      >
      > There are some improvements regarding references in PHP5 but
      > references are available in PHP4 as well.

      I see.

      >
      > > > PHP's code is very READABLE.
      > >
      > > Possibly. I did not say it isn't.
      >
      > I find PHP code is much more readable than Perl code.
      > Maybe you can add that to your presentation.
      >

      PHP code may be more readable than Perl, but also tends to be more wordy and
      less succinct.

      > > > "PHP, as a language, has several potential security issues, which
      > > > causes sloppy code to become vulnerable more easily.
      > > > "
      > > > all these issues were fixed and dealt with. even in latest version 4.x
      > > > releases.
      > > > Post information is no longer "injected" by default. you simply use
      > > > $_POST , $_GET or $_REQUEST.
      > >
      > > PHP can still be configured to allow sloppy code to be written easily,
      > > and often you need to configure it this way to run third-party modules.
      > > For example, fopen() can be used to both read files on the file-system
      > > and fetch URLs. Someone once gave me the following code for a proxy:
      > >
      > > <<<
      > > $file = fopen($_GET["myurl"], "r");
      > > $contents = stream_get_contents($file);
      > > print $contents;
      > >
      > >
      > > Now if you pass /etc/passwd as the myurl get parameter, you get it echoed
      > > to the screen.
      >
      > If the programmer is stupid enough he'll always find creative ways to
      > write bad code (Do you want me to show you bad Perl code?). I usually
      > use fopen only with local files, but if I wanted to fix your code, i
      > could easily do this:
      > if(file_exists($_GET["myurl"])) die('<h1>:P</h1>');
      >
      > I don't think you can say that the language made you write this bad code...
      >

      But the ambivalence of the fopen function gives way to such misbehaviour. And
      someone gave me the code I showed here. Such things make secure programming
      in PHP more difficult.

      > > > "PHP has many configuration options, which affect its run-time
      > > > behaviour. "
      > > > and it's still faster than Perl for web.
      > >
      > > I did not mean that they affect its run-time _performance_, I meant that
      > > it affect its run-time _behaviour_. I.e: the scripts run differently with
      > > different configuration options. For example, you can put CGI parameters
      > > inside variables with their names or not. You can SQL-escape the CGI
      > > parameters or not, etc. This makes writing scripts that are portable across all
      > > configurations very hard.
      > >
      > > As for speed - Yahoo benchmarked mod_php and mod_perl when they evaluated
      > > a conversion to PHP, and they found out that mod_perl was faster than
      > > mod_php. It's possible that they did not use a bytecode-caching
      > > mechanism, but I can't tell.
      >
      > Do you have some links to the benchmark results?
      >

      http://public.yahoo.com/~radwin/talks/yahoo-phpcon2002.htm

      > > > why all that FUD about PHP?
      > > > try to "get the facts"(tm).
      > >
      > > And you please try to write with the first letters of the sentence
      > > capitalized.
      >
      > sure, sorry ;)
      >
      >
      > Shlomif, if you don't have a clue about PHP then don't try to write about
      > it. If you want, I can write a few words about it for your presentation.

      First of all, please don't address me as "Shlomif, ". "Shlomi," is much
      better. ("Shlomif" is reserved for third person). You can write something
      about it and send me what you wrote and I'll see what parts of it I would
      integrate into my presentation.

      Other than that, next time you can try speaking while sounding less hot-headed
      and more rational.

      Regards,

      Shlomi Fish

      ---------------------------------------------------------------------
      Shlomi Fish shlomif@...
      Homepage: http://www.shlomifish.org/

      Hacker sees bug. Hacker fixes bug.
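The proxy snippet argued over above, as an added example that is not part of the thread and not code by either poster: the vulnerable version as posted, beside a hardened one that checks the URL before any I/O (scheme restricted to http/https, host restricted to an assumed allow-list, no credentials in the URL, redirects disabled, response size capped). It also shows the configuration-dependence point from the same message: whether fopen() will fetch a URL at all depends on the allow_url_fopen ini setting, so the hardened function checks it explicitly. The host names in ALLOWED_HOSTS are placeholders.

```php
<?php
// Added example, not from the original thread. Demonstrates why an fopen()
// that accepts both local paths and URLs turns a sloppy proxy into a file
// disclosure, and one way to harden it. ALLOWED_HOSTS is an assumption.
declare(strict_types=1);

// Vulnerable: same call shape as the posted snippet. ?myurl=/etc/passwd,
// file:///etc/passwd or php://filter/... are all accepted by fopen().
function proxy_unsafe(string $url): string
{
    $fh = fopen($url, 'r');
    if ($fh === false) {
        return '';
    }
    $body = stream_get_contents($fh);
    fclose($fh);
    return $body === false ? '' : $body;
}

// Assumed allow-list of upstream hosts the proxy may fetch from.
const ALLOWED_HOSTS = ['www.example.org', 'example.org'];

// Validate before touching the filesystem or the network. parse_url()
// returns no scheme/host for a bare path, so /etc/passwd is rejected here.
function is_allowed_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // relative or absolute local path, or file:///... (no host)
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false; // blocks php://, data://, ftp://, glob:// and friends
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return false; // blocks SSRF to 127.0.0.1, metadata services, intranet
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false; // "http://www.example.org@evil.test/" style confusion
    }
    return true;
}

// Hardened proxy: validated URL, explicit dependency on allow_url_fopen,
// no redirect following (a 302 could point back at an internal host), timeout,
// and a cap on how much is read.
function proxy_safe(string $url, int $maxBytes = 1 << 20): ?string
{
    if (!is_allowed_url($url)) {
        return null;
    }
    // Behaviour depends on php.ini: with allow_url_fopen=Off this fopen() fails.
    if (!filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        return null;
    }
    $ctx = stream_context_create(['http' => [
        'method'          => 'GET',
        'follow_location' => 0,
        'timeout'         => 5,
    ]]);
    $fh = fopen($url, 'r', false, $ctx);
    if ($fh === false) {
        return null;
    }
    $body = stream_get_contents($fh, $maxBytes);
    fclose($fh);
    return $body === false ? null : $body;
}

// Constructed inputs exercising the validator only, so this runs offline.
$cases = [
    '/etc/passwd'                      => false,
    'file:///etc/passwd'               => false,
    'php://filter/resource=index.php'  => false,
    'http://127.0.0.1:8080/admin'      => false,
    'http://www.example.org@evil.test/' => false,
    'http://www.example.org/'          => true,
];
foreach ($cases as $input => $expected) {
    $got = is_allowed_url($input);
    printf("%-36s %s\n", $input, $got === $expected ? 'ok' : 'MISMATCH');
}
```

Run it with `php proxy.php`; every line should print `ok`. The design choice worth noting is that the check is an allow-list on the parsed URL rather than a test of whether the argument names an existing local file: a blocklist on the path still lets through the wrapper schemes and any URL that reaches an internal service, which is the real reason a URL-capable fopen() needs a stricter contract than a file-only one.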