by imanaccount247 4194 days ago
PHP is full of problems that lead directly to security vulnerabilities if you aren't constantly aware of them and very careful when writing your code. So when someone who doesn't know those problems (most people) "hacks together" something that "just works", it is almost always providing a backdoor into that server. Once you do learn a little, you find that every scripting language is just as easy to work with as PHP (if not easier) and much safer. So why use PHP over perl or python or ruby or even javascript? They just aren't compiling into apache for no reason.

Does Perl, Python or Ruby have built-in automatic escaping and sanitization? I would not call PHP less safe than any of these languages.

On top of that all three of those languages require additional setup. (Especially Ruby with RoR shudder)

Generally speaking, tutorials in those languages recommend using the parameterized versions of the queries rather than string concatenation and manual escaping. The official docs from these more well-designed languages would have copious warnings against attempting to escape user input yourself, rather than having numerous functions baked into the language to help you do just that (e.g. `mysql_escape_string`, `mysql_real_escape_string`).
The official docs will tell you how to properly handle queries, including prepares: http://php.net/manual/en/pdo.prepared-statements.php

Additionally, the mysql_ extension is deprecated since PHP 5.5: http://php.net/manual/en/migration55.deprecated.php

The official docs on the old mysql_ extension have large warnings advising people not to use it: http://php.net/manual/en/function.mysql-connect.php

Reading a 10 year old tutorial on W3schools isn't the best place to learn current PHP, and it's not the fault of the language. PHP has moved on, if only the haters would too.
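The two patterns this comment contrasts, as an added example that is not part of the thread: the string-concatenation style the old tutorials taught beside the PDO prepared statement the linked php.net page recommends. It uses an in-memory SQLite database (assumed available via PDO) so it runs without a MySQL server; the table and the `O'Brien` row are constructed sample data.

```php
<?php
// Added example, not from the thread. Legacy pattern: the value is spliced
// into the SQL text, so correctness depends on the programmer remembering to
// escape it for this driver and charset every single time.
function legacyQuery(string $username): string {
    return "SELECT id FROM users WHERE name = '" . $username . "'";
}

// Recommended pattern: SQL and data travel separately. The driver never
// parses $username as SQL, so quoting is not the application's problem.
function findUserId(PDO $db, string $username): ?int {
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->execute([':name' => $username]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$ins->execute([':name' => "O'Brien"]); // constructed sample row

// A perfectly legitimate name containing an apostrophe is enough to show the
// difference: the concatenated statement is no longer valid SQL, while the
// bound parameter is handled by the driver.
$input = "O'Brien";

try {
    $db->query(legacyQuery($input));
    echo "concatenated query ran\n";
} catch (PDOException $e) {
    echo "concatenated query failed: the apostrophe broke the statement\n";
}

var_dump(findUserId($db, $input));
```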

So your argument is that the dangerous extension is deprecated as of a year and a half ago? Given that PHP has been around for nearly 20 years, it seems like your evidence supports my argument more than yours.

> PHP has moved on, if only the haters would too.

Unfortunately it's not that easy. A lot of those tutorials are still being read by newcomers, and a lot of the web is filled with vulnerabilities as a direct result of official documentation recommending insecure ways of interacting with the database.

PHP may be "in recovery," but that doesn't necessarily mean the bad taste will magically leave everyone's collective mouths. The damage has been done.

The mysql extension is not dangerous in any way, don't spread FUD. The reason for not deprecating it sooner is that very large projects depend on it. These projects may have been ten years in the making and aren't in any way unsafe because of the mysql extension. Software like WordPress and Drupal still use and support the mysql adapter and run on a huge percentage of the web today.

I agree a lot of people read insecure tutorials, but it allows even beginners to write fairly advanced web sites. If the choice is between easy and available and difficult and hard to use, I'd rather have the first option available. On the web, ideas, timing and execution are important, not how amazing your code looks on the backend. A lot of great software may not have been created had it not been for how easy PHP is to get started with. As a community we are trying to educate people to code properly. It's an ongoing process.

"People will forget what you said, people will forget what you did, but people will never forget how you made them feel."

-- Maya Angelou

If PHP had moved on, it wouldn't want to be PHP anymore. Those haters have moved on: they did so when they decided to not program in PHP anymore.

Actually yes - perl has a tainted mode (#!/usr/bin/perl -t) that forces you to sanitize every input from the outside world. It does not do the work for you because it is agnostic to semantics (escaping for shell is different than escaping for SQL for example) but at least makes you think about the problem.

So what you are saying is that it's not actually widely used, or even useful in the scope of a web site? In that case, I don't see how it changes my original point.

It is widely used, especially in the context of web site backends.
> Does Perl, Python or Ruby have built-in automatic escaping and sanitization?

No, of course not. That's very much the point. PHP's broken attempt at that created security holes.

> On top of that all three of those languages require additional setup

No they don't. It is just that someone else has already done the setup for you with PHP at most cheapo hosting companies. Installing python is no harder than installing PHP.

> (Especially Ruby with RoR shudder)

You are comparing a framework to a language. Rails is no harder to set up than any of the PHP frameworks like zend or symfony.

Providing sanitization functions 10 years ago is broken to you? If you check my earlier post you'll see that prepared statements are widely used nowadays. Escaping functions like htmlentities() are also still effective.

You are right, there are a bunch of hosting companies providing 0-config PHP, but setting it up in any distro is also never more than one command away, unlike the other languages mentioned.

Regarding Ruby and RoR, I can't even find a tutorial on how to run Ruby under FastCGI, and RoR appears to be the de facto way to run Ruby websites, so if having a framework is required to run any non-trivial Ruby website, then it has to go into the "hard to configure" part of the argument regardless of semantics.

> but setting it up in any distro is also never more than one command away, unlike the other languages mentioned.

No, exactly like the other languages mentioned. If you are seriously going to try to pretend installing python or ruby or perl is harder than installing PHP then you can't expect anyone to react as if you are being serious and genuine.

> I can't even find a tutorial on how to run Ruby under FastCGI

That sounds like a serious problem. I would suggest looking for a local "introduction to computers" type class. They tend to teach basic usage of windows and the web, including how to use google to search for things. I think it would help you a lot.

> and RoR appears to be the de facto way to run Ruby websites

While I'm sure the rails guys must be flattered, I don't know how you got that appearance. There's a whole bunch of frameworks, just like with PHP. And you don't need to use any of them, just like with PHP. But of course, you know all this and are just trolling.

Since you are resorting to ad hominem attacks without tackling the actual points, I am not going to dignify your post with an answer.