Re: [hackers-il] Presentation about LAMP (= Linux, Apache, MySQL and Perl/PHP/Python)
On Saturday 19 February 2005 04:44, Shlomi Loubaton wrote:
> On Fri, 18 Feb 2005 22:12:15 +0200, Shlomi Fish <shlomif@...> wrote:
> > > PHP DOES have references, RTFM!
> > Possibly. I was told about the & operator (IIRC). In any case, if you
> > have a nested data structure, and you reference a sub-node and modify it,
> > will the original data structure be modified as well?
> php -r '$a[x][y][z]=10; $b=&$a[x][y]; $b[z]=5 ; echo $a[x][y][z];'
> The output of this line is '5'.
> (using PHP4)

Corrected.

> > I don't understand the sentence's context especially considering the fact
> > it has "only".
> There are some improvements regarding references in PHP5 but
> references are available in PHP4 as well.

I see.
> > > PHP's code is very READABLE.
> > Possibly. I did not say it isn't.
> I find PHP code is much more readable than Perl code.
> Maybe you can add that to your presentation.

PHP code may be more readable than Perl, but also tends to be more wordy and
> > > "PHP, as a language, has several potential security issues, which
> > > causes sloppy code to become vulnerable more easily.
> > > "
> > > all these issues were fixed and dealt with. even in latest version 4.x
> > > releases.
> > > Post information is no longer "injected" by default. you simply use
> > > $_POST , $_GET or $_REQUEST.
> > PHP can still be configured to allow sloppy code to be written easily,
> > and often you need to configure it this way to run third-party modules.
> > For example, fopen() can be used to both read files on the file-system
> > and fetch URLs. Someone once gave me the following code for a proxy:
> > <<<
> > $file = fopen($_GET["myurl"], "r");   // fopen() takes a local path or a URL
> > $contents = "";
> > while (!feof($file)) $contents .= fread($file, 8192);
> > print $contents;
> > >>>
> > Now if you pass /etc/passwd as the myurl get parameter, you get it echoed
> > to the screen.
> If the programmer is stupid enough he'll always find creative ways to
> write bad code (Do you want me to show you bad Perl code?). I usually
> use fopen only with local files, but if I wanted to fix your code, I
> could easily do this:
> if(file_exists($_GET["myurl"])) die('<h1>:P</h1>');
> I don't think you can say that the language made you write this bad code...

But the ambivalence of the fopen function gives way to such misbehaviour. And
someone gave me the code I showed here. Such things make secure programming
in PHP more difficult.
> > > "PHP has many configuration options, which affect its run-time
> > > behaviour. "
> > > and it's still faster than Perl for web.
> > I did not mean that they affect its run-time _performance_, I meant that
> > they affect its run-time _behaviour_. I.e: the scripts run differently with
> > different configuration options. For example, you can put CGI parameters
> > inside variables with their names or not. You can SQL-escape the CGI
> > parameters or not, etc. This makes writing scripts that are portable across
> > all configurations very hard.
> > As for speed - Yahoo benchmarked mod_php and mod_perl when they evaluated
> > a conversion to PHP, and they found out that mod_perl was faster than
> > mod_php. It's possible that they did not use a bytecode-caching
> > mechanism, but I can't tell.
> Do you have some links to the benchmark results?

http://public.yahoo.com/~radwin/talks/yahoo-phpcon2002.htm
> > > why all that FUD about PHP?
> > > try to "get the facts"(tm).
> > And you please try to write with the first letters of the sentence
> > capitalized.
> sure, sorry ;)
> Shlomif, if you don't have a clue about PHP then don't try to write about
> it. If you want, I can write a few words about it for your presentation.

First of all, please don't address me as "Shlomif, ". "Shlomi," is much
better. ("Shlomif" is reserved for third person). You can write something
about it and send me what you wrote and I'll see what parts of it I would
integrate into my presentation.
Other than that, next time you can try speaking while sounding less hot-headed
and more rational.
Shlomi Fish shlomif@...
Hacker sees bug. Hacker fixes bug.
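As an added example that is not part of the thread above, here is the proxy snippet the mail quotes placed beside a version that removes the fopen() ambiguity the reply complains about: instead of rejecting paths that happen to exist (the file_exists() fix proposed in the thread), it decides up front which kinds of input are acceptable and only passes http:// and https:// URLs on to fopen(). The function names, the scheme allow-list and the sample inputs are my own assumptions.

```php
<?php
// Added example, not code from the original thread. Assumed names:
// fetch_unchecked(), safe_proxy_target(), fetch_checked().

// The shape of the snippet quoted in the thread: fopen() accepts a local
// path as readily as a URL (URL support depends on the allow_url_fopen
// ini setting), so a path given as the "myurl" parameter is read back.
function fetch_unchecked($target)
{
    $fh = fopen($target, 'r');
    if ($fh === false) {
        return false;
    }
    $contents = '';
    while (!feof($fh)) {
        $contents .= fread($fh, 8192);
    }
    fclose($fh);
    return $contents;
}

// Hardened: classify the parameter before fopen() ever sees it.
// Returns the URL if it is an absolute http/https URL, otherwise null.
// A relative or absolute path has no scheme and no host, so it is
// rejected here rather than relying on whether it exists on disk.
function safe_proxy_target($target)
{
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme']) || !isset($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;   // any other stream wrapper is refused by the allow-list
    }
    return $target;
}

function fetch_checked($target)
{
    $url = safe_proxy_target($target);
    if ($url === null) {
        return false;  // caller should answer with an error, not the content
    }
    return fetch_unchecked($url);
}

// Constructed inputs (assumed, not from the thread) showing the verdicts.
$samples = array(
    'http://example.com/page.html',
    'https://example.com/',
    '/etc/passwd',          // the case raised in the thread
    'example.com/page.html' // no scheme: treated as a path, rejected
);
foreach ($samples as $s) {
    $verdict = (safe_proxy_target($s) === null) ? 'rejected' : 'allowed';
    printf("%-32s %s\n", $s, $verdict);
}
```

The point of the allow-list is that it does not depend on run-time configuration or on what the filesystem contains: the file_exists() check from the thread only blocks targets that exist as local files, whereas safe_proxy_target() refuses everything that is not an absolute web URL. It addresses only the local-file concern the thread raises; an open proxy that fetches arbitrary hosts has other problems, and a host allow-list would be the next step.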