Nathan's Lucubrations

Fri, 28 Aug 2015

PHP: Still a Fractal of Bad Design

Many moons ago, I remember reading a very insightful screed against a language that should have been put to pasture long ago: PHP. I guffawed, shook my head and smiled smugly that at least I wasn't using PHP.

Until my webmail (written in PHP) got hacked into. PHP would be a nightmare we could all wake up from, if there weren't so much software written in it.

And then today, I get an email, announcing that yet again, they've found more security holes in PHP. Not just one hole, but many; here's the list:

Welcome to PHP, where NUL terminating your strings will allow an attacker to overwrite files on your server, and attackers have no end of options for arbitrarily executing code!

It's like sendmail and bind - they've had their use, seen their heyday, but anyone with a lick of sense and competence in the field knows that they're so full of holes you don't use them without a team of at least 10 admins. Meanwhile, qmail and djbdns work just fine for multiple domains being run by one guy on absolutely minimal time (something like 1/8 of a full-time job).

Seriously, though, this is a call to arms, a call to war even: a war on PHP. Developers, stop writing PHP. Admins, remove PHP from your systems, dev seats and servers included. Hosting providers, stop supporting PHP and set up something better like Python or Perl instead. The line must be drawn here, no further. This has to end now. For the good of all humanity, please make it stop!

posted at: 00:03