Hacker News new | ask | show | jobs
by sarciszewski 4226 days ago
> Writing your code in PHP, no matter how good of a programmer you are, makes it more likely that your natural level of mistakes will insert security issues into the code

While I'm inclined to agree, this is a self-defeating premise. If you're "so good" of a programmer that you do not make security affecting mistakes (i.e. one of only a handful of PHP programmers I've met), then the probability of inserting "security issues" into your code is still zero, regardless of language.

> I'm not saying this as some idiot who thinks PHP is bullshit and for noobs, I've worked on pretty large sites using PHP and I have a pretty deep understanding of it.

Good. :)
1 comments
wdewind 4226 days ago
I don't understand your reply. No one is good enough to write code without bugs.
link
sarciszewski 4226 days ago
> No one is good enough to write code without bugs.

This is congruent to saying, "Whitelists don't exist. Everyone implements poorly scoped black-lists."

link
wdewind 4226 days ago
I literally have no idea what you mean by this. Are you trying to imply there are people who write bug free code? If so please point me in their direction.

People make mistakes. Systems should be designed for this expectation. If mistakes are extremely costly it implies you should use certain tools and development methodologies, if not you can use others.

link
sarciszewski 4226 days ago
Code that is bug-free and code that is free of security-affecting bugs are not the same thing.

For an example of an application that is currently free of application-layer security bugs, see my blog. It's not a CMS, I wrote it myself. Go ahead and try to hack it. :P

link
wdewind 4226 days ago
I feel like you're arguing against a strawman that I don't think secure applications can be written in PHP. I don't think that.

Edit: put another way: if you are starting from scratch and your main focus is security, why would you use PHP?

link
sarciszewski 4225 days ago
Familiarity. I know its quirks inside out and therefore know which mistakes not to do. If you point me to Python and say "build a secure web app," I'm going to need to spend a lot of time researching.
link