[Info-vax] OS implementation languages
Arne Vajhøj
arne at vajhoej.dk
Mon Sep 11 19:03:22 EDT 2023
On 9/11/2023 8:35 AM, Simon Clubley wrote:
> On 2023-09-09, Arne Vajhøj <arne at vajhoej.dk> wrote:
>> PHP does not have many of the common general flaws like
>> buffer overflow and memory leak.
>>
>> PHP got all the features needed for secure web applications.
>>
>> Some old features that were questionable from a security
>> perspective have been removed. Classic example is register_globals
>> that has been off by default since version 4.2 (21 years ago) and
>> was finally removed in version 5.4 (8 years ago).
>>
>
> What about loose equality or continuing execution after something
> that should be an error ?

That may be a reliability problem but is rarely a security problem.

>> The most widely used frameworks have added features to make it
>> easy to avoid common web security problems. Example: Laravel
>> always checks for a token to prevent CSRF.
>
> There is nothing about that which is PHP specific.

It is not PHP specific per se.

But languages with multiple widely used frameworks with such features
are a pretty exclusive club.

PHP, C#/VB.NET, Java, Scala, Groovy, Python, JS/TS are the languages
I can think of.

Fortran, Cobol, C, C++, Pascal, Ada, Rust etc. are too insecure
for usage.

>> There is every reason to believe that a PHP web application
>> created by the average Ada/C++/Scala programmer would be very
>> secure.
>>
>> A PHP application created by the average PHP programmer
>> is likely to have big security problems though.
>>
>
> And you don't see this as a problem with the language ? Because I do.

No.

Being so easy to learn that the unskilled can use it is not
a problem IMHO.

>> PHP has a big problem. It is an easy language to learn and
>> it is quite easy to get some PHP code working. Any idiot can
>> write PHP code that works - works in the good case that is.
>> So a lot of the idiots do write PHP code.
>>
>> And we see one disaster after the other.
>>
>> But that is not really PHP's problem. Unless we consider a
>> language being too easy to use as a flaw.
>
> When you are writing critical code, there should be a minimum knowledge
> and capability/mindset barrier to entry.

Write a language where the compiler starts compilation by asking
some programming and/or math questions and aborts if wrong answers.

:-)

Arne