Kenneth Gonsalves wrote:
On 03-Mar-07, at 4:20 PM, quasi wrote:
People come here expecting some "learned" advice, not empty rhetoric. So in case you do have a point/opinion, putting some explanation around such statements to clarify the context might just help.
ok - here we go, learned advice: the vast majority of php users are non-programmers who come to the language from the direction of html. Since they are non-programmers, they have never formally learnt to program. They treat php as glorified html. Questions of good practices, security etc. are not entered into. Result is crappy code. If you can call it code. The good thing about php, and what it is intended to do, is to encourage non-programmers to get things done. To this end, in so far as it brings people into the foss world and gives them a taste of doing things themselves, php is an excellent tool. But not for learning a language or learning programming or learning best practices.
Lots of assumptions here. What you touched on here is hardly anything about php but more about the quality of programmers you have interaction with. You cannot blame a tool if you cannot handle it or use it for the purpose it was designed for.
I have been taught, in programming web applications:
- separate code from data
- separate code from presentation
in short: three layers:
- database
- business logic
- presentation
the database must distrust the business logic and the presentation layer. The business logic layer must distrust the presentation layer. Or to put it crudely, don't put html in your code, don't put code in your html, don't put sql in your html etc. etc. etc. If you use python or perl with a proper templating language, you can't do these things. So 90% of your security problems are solved. In php you can do this. You can embed sql queries in your html pages and do all sorts of things - so how can you learn good practices? I try to train the programmers I get - and the ones who come from a php background drive me crazy.
dig this. I can do inaccurate pointer manipulation in C. I can exceed array boundaries in C. So C sux, right, by your logic? It is funny how "safe" stuff and crappy programmers somehow end up together. And don't talk about perl etc. - you can do astounding and horrible things in perl (in different ways than you have elaborated above) depending on who is doing it.
More than it is difficult to do stuff right, it is damn easy to do stuff wrong.
And I am no great hacker, just a part-time end user.
wow.
quasi
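The three layers and the "distrust" rule the thread argues about, written in PHP itself as an added example that is not part of the original thread: SQL lives only in the data function and takes its input as a bound parameter, the view never sees a database handle and escapes everything it prints. It assumes PHP with the pdo_sqlite extension; the table and rows are constructed sample data.

```php
<?php
// Added example (not from the thread): the three layers in PHP.
// Requires the pdo_sqlite extension (assumption); schema and rows are constructed.

// --- Data layer: the only place SQL lives. It distrusts its caller: the
// search term is bound as a parameter, never concatenated into the query.
function findUsers(PDO $db, string $term): array {
    $stmt = $db->prepare('SELECT name, email FROM users WHERE name LIKE :term');
    $stmt->execute([':term' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Business logic: validates and shapes input before it reaches the data layer.
function searchUsers(PDO $db, string $rawTerm): array {
    $term = trim($rawTerm);
    if ($term === '' || strlen($term) > 64) {
        return [];                        // reject junk instead of passing it on
    }
    return findUsers($db, $term);
}

// --- Presentation: no SQL, no database handle. It distrusts the data it is
// given and escapes every value before it becomes HTML.
function renderUserList(array $users): string {
    $html = "<ul>\n";
    foreach ($users as $u) {
        $html .= '  <li>' . htmlspecialchars($u['name'], ENT_QUOTES, 'UTF-8')
               . ' &lt;' . htmlspecialchars($u['email'], ENT_QUOTES, 'UTF-8') . "&gt;</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed in-memory database standing in for a real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, email TEXT)');
$db->exec("INSERT INTO users VALUES ('Alice', 'alice@example.com'),
           ('D''Arcy <b>bold</b>', 'darcy@example.com')");

// The "glorified html" page the thread complains about would write the query
// inline in the template, e.g. ... WHERE name LIKE '%$_GET[q]%' ..., so the
// apostrophe and the tag in the data below would be interpreted, not displayed.
// With the layers separated, both travel through as inert data.
echo renderUserList(searchUsers($db, "D'Ar"));
```

The page prints one list item, with the apostrophe and the `<b>` tag shown literally rather than breaking the query or the markup.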