[PLUG] Preventing Probes Like This
Ron Chmara
ronabop at gmail.com
Mon Aug 25 21:59:26 UTC 2008
Tim wrote:
>> I suppose one can blame the tool *itself* for being used wrong, but it
>> seems to me like that might be placing the blame poorly.
>>
>> Of course, there are coding tools available which have lots of safety
>> checks built in [...]
>>
>
> I agree with your general premise that nerfing a tool to keep the kids
> from hurting themselves also hinders the adults from getting things
> done. However, I'm not talking about using nerfed tools....
> ...mandating prepared statements to send SQL
> queries keeps users from *typically* shooting themselves in the foot...
>
One person's "mandat[ed] prepared statement" is another person's
nerfing.... same thing goes for "nerfing" a language in such a way that
it requires casting to specific data types (or requires variables to be
initialized at all), or defaulting to a chroot (or similar) kind of
jail, or enforces any kind of separation between display and logic (etc.
etc.).
There are perfectly sane, and reasonable, arguments for doing such
things, but philosophically, PHP went more in the direction of "making
web programming easier for C developers", rather than "making dynamic
web page content easier for HTML developers". Put another way, PHP
generally *expected* a certain level of expertise, experience, and
diligence on the part of software authors.
As an argument/example of the philosophical question, and approach the
language took: "Should a server scripting language be able to simply
read local files, or include files remotely from another server, without
having to jump through a lot of hoops"? The default for PHP for a long
time was to make such things easy for a programmer.
Of course, the counter argument to making this easy is noted in this
very thread, as PHP was allowed to easily read /etc/passwd (it's a file
on the hard disk, why shouldn't PHP be able to read it?...), and yet,
there was an implied expectation that PHP "shouldn't be able to do
that". Therin lies the rub, whether or not a feature like that is a
desirable default behavior. ;)
-Bop
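The PHP defaults Ron describes (easy local file reads, remote includes) and the settings a deployment uses to opt back out of them, as an added example that is not part of the thread; the `open_basedir` paths and the page allowlist are assumptions.

```php
<?php
// Added example (not from the thread). Paths and page names are assumed.

// php.ini settings (both are PHP_INI_SYSTEM, so they cannot be changed at
// runtime with ini_set; they belong in php.ini or the SAPI config):
//   allow_url_include = Off   ; include/require refuse http:// and ftp:// targets
//   allow_url_fopen   = Off   ; fopen/file_get_contents refuse remote URLs
//
// open_basedir confines file access to the listed directories. With it set,
// file_get_contents('/etc/passwd') emits an "open_basedir restriction in
// effect" warning and returns false instead of the file contents.
ini_set('open_basedir', '/var/www/app:/tmp');  // assumed deployment paths

// The pattern the thread alludes to: the include target comes straight from
// the request, so whatever the process can read (or, with allow_url_include
// On, a remote URL) gets pulled in.
//   include $_GET['page'] . '.php';

// Hardened form: map the request onto a fixed allowlist and never let a
// user-supplied path reach the filesystem.
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];  // assumed

function resolve_page(string $requested): ?string
{
    // Only exact allowlist keys are accepted, so traversal sequences,
    // absolute paths and URLs are rejected before any file is touched.
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . PAGES[$requested];
}

$page = resolve_page($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

Note that `open_basedir` can only be tightened at runtime, not relaxed, so the `ini_set` above narrows whatever php.ini already allows.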