[Info-vax] OS implementation languages
bill
bill.gunshannon at gmail.com
Sat Sep 9 12:53:03 EDT 2023
On 9/9/2023 12:14 PM, Arne Vajhøj wrote:
> On 9/9/2023 11:45 AM, bill wrote:
>> On 9/9/2023 11:19 AM, Arne Vajhøj wrote:
>>> On 9/8/2023 6:59 PM, bill wrote:
>>>> On 9/8/2023 2:05 PM, Simon Clubley wrote:
>>>>> Unfortunately, I _do_ have to use PHP sometimes.
>>>>>
>>>>> It didn't take me long to establish some solid rules, such as strict
>>>>> comparisons at _all_ times, and to use a monitor library I wrote that
>>>>> has the allowed error level turned all the way down so that things
>>>>> which PHP normally allows through generate an error instead.
>>>>
>>>> I had to support it at the University because we had a professor
>>>> who insisted on teaching it, using it and making his students use
>>>> it. No matter how many times I showed him the security holes he
>>>> just insisted I was wrong and that it be available and wide open.
>>>
>>> Maybe he had this crazy idea that programming code
>>> reads input, does some processing and writes output and that
>>> the main responsibility for correctness, security, performance
>>> and whatever belongs with the person writing the code.
>>>
>>> :-)
>>
>> Nice thought, but the particular problem I was fighting was
>> inherent to PHP and the programmer can only stop it by using
>> a better tool.
>
> You are aware that PHP is Turing complete?
>
Which means what in the concept of security? It has nothing
to do with the syntax or even the function of the programs
written with it. The problem resides in the PHP interpreter
and the programmer has no control over it. If certain features
are turned on, PHP can be coerced to execute arbitrary commands
on the machine running the web server that is supporting PHP.
Unless someone actually fixed this. I have been out of that game
for almost 10 years now. But I would still never trust PHP.
bill
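Two of the practices mentioned in this thread, strict comparisons at all times and a monitor that turns every PHP diagnostic into a hard error, can be shown concretely. The block below is an added example, not code from the original post or from any of the posters. The digest values are constructed so that both match the numeric-string pattern PHP's `==` juggles to 0.0, and the function names (`looseTokenCheck`, `strictTokenCheck`, `riskyIniSettings`) are illustrative. The post does not say which interpreter features "can be coerced to execute arbitrary commands"; the php.ini settings audited in the last part are my assumption of the well-known candidates, not a claim about what bill had in mind.

```php
<?php
declare(strict_types=1);

// Added example (not from the original mailing-list post).
// 1. A minimal "monitor": make every notice/warning fatal.
// 2. Why == is dangerous on digests and lookups; what to use instead.
// 3. An audit of interpreter settings the script itself cannot fix
//    (assumed candidates for the post's "certain features").

// --- 1. Turn every PHP diagnostic into an exception --------------------
// PHP's default is to log or print notices and keep going. A handler that
// throws makes an undefined index, a bad conversion or a bad argument stop
// the request instead of being silently tolerated.
error_reporting(E_ALL);
ini_set('display_errors', '0');
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

// --- 2. Loose vs. strict comparison ------------------------------------
// With ==, two strings that both look like numbers are compared as numbers.
// Hex digests that happen to match /^0e[0-9]+$/ are therefore "equal" to
// each other (both become the float 0.0): the classic "magic hash" bypass.
function looseTokenCheck(string $expectedDigest, string $suppliedDigest): bool {
    return $expectedDigest == $suppliedDigest;      // weak: type juggling
}

function strictTokenCheck(string $expectedDigest, string $suppliedDigest): bool {
    // hash_equals compares string to string, byte for byte, in constant time.
    return hash_equals($expectedDigest, $suppliedDigest);
}

// Constructed digests: different values, same "0e<digits>" shape.
$stored   = '0e462097431906509019562988736854';
$supplied = '0e830400451993494058024219903391';

var_dump(looseTokenCheck($stored, $supplied));   // bool(true)  -- bypass
var_dump(strictTokenCheck($stored, $supplied));  // bool(false) -- correct

// in_array() and switch are loose by default as well; pass the strict flag.
$allowedRoles = ['admin', 'editor'];
var_dump(in_array(0, $allowedRoles));        // PHP 7.x: true (0 == "admin"); PHP 8: false
var_dump(in_array(0, $allowedRoles, true));  // false on every version

// --- 3. Audit interpreter settings the program cannot control ----------
// Assumption: these are the php.ini knobs most often cited as turning a
// scripting bug into file inclusion or command execution on the host.
function riskyIniSettings(): array {
    $findings = [];
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'allow_url_include=On: include()/require() accept remote URLs';
    }
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'allow_url_fopen=On: file functions accept remote URLs';
    }
    // register_globals was removed in PHP 5.4; ini_get() returns false when
    // the directive does not exist, so only flag it on old interpreters.
    $rg = ini_get('register_globals');
    if ($rg !== false && filter_var($rg, FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'register_globals=On: request parameters become PHP variables';
    }
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (['exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen'] as $fn) {
        if (function_exists($fn) && !in_array($fn, $disabled, true)) {
            $findings[] = "$fn() is callable: consider adding it to disable_functions";
        }
    }
    return $findings;
}

foreach (riskyIniSettings() as $finding) {
    echo $finding, PHP_EOL;
}
```

Run it with `php example.php` under any PHP 7 or 8 interpreter. The first pair of `var_dump` lines is the point of the "strict comparisons at all times" rule: the same two digests pass with `==` and fail with `hash_equals()`. The audit at the end reports only on the interpreter it runs under, so it belongs in a deployment check rather than in application code.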