I mean, who uses mysql_real_escape_string when you have PDO and bindings ?
PHP isn’t perfect. As OP said, no language is, and any competent software engineer uses the parts of the language that work well for them, and just ignores the things that don’t work for them. I don’t believe for a second that the abuse the language has suffered over the years has anything to do with mysql_real_escape_string, it’s more to do with crappy code. You can write crappy code in any language, and it’s more a reflection of the programmer than the programming language IMHO.
Part of PHP’s problem is that it’s so easy to use. Any C programmer can pick up the basics pretty easily, hack together something that scratches an itch, and move on. Later someone will criticize the quick hack and say “you didn’t use mysql_real_escape_string so that code has a SQL vulnerability. Don’t use PHP”. In reality, there are mechanisms for preventing SQL injection and they just weren’t used. Is that a failing of the language ? Partly, perhaps, for providing the unsafe way of doing things, but a lot of blame also lies with the coder.
I’ll admit to a soft spot for PHP - I was putting database-driven websites on the web when that wasn’t much of a thing (back in 1981, if foggy memory recalls true). I wrote the asset management system that was used by Lucasfilm on Star Wars, by Manix on the Matrix, by various post-production houses in Soho, etc. etc. - all in PHP. We had video-streaming from remote locations before RealNetworks were mainstream. All because of PHP.
I also used PHP to write a content management system for the RiskWaters Group - around 100 magazines in the CMS, with forums, mailmerge, access-rights per page or per view-count or per time-period, with back-end admin pages, with macros the editors could use, etc. etc.
Used properly and judiciously, PHP is a powerful tool. It comes with a few areas that ought to be marked ‘here be dragons’, but frankly so do most languages.
These days, I mostly use PHP for shell-scripting (it comes installed as standard on my Mac), nothing so grandiose as the halcyon days of yore, but I still have PHP to thank for getting the job I’ve had for the last 15 years, in R&D at Apple (“these are the guys that Lucas was talking about”, said the VP who bought my small company).
I’ll finish with a line from a song “Baby, life’s what you make it, celebrate it”. That applies to PHP as well.
You're using the two super-fallacious arguments I refer to in my original reply:
1. You can write bad code in any language.
2. All languages have warts.
My response to #1: Here is a rock. Please use it, with some nails, to hang a bunch of pictures on your walls. Don't complain about your tool because it's entirely possible to use it successfully at this task. Or, less sarcastically, why use a tool that encourages bad results when you can use a tool that nudges you toward better results?
My response to #2: Would you rather have one wart, or 100 warts?
As I thought I'd alluded to in the above, when I was using PHP "in anger" as it were, there were 3 options for dynamic content:
1) Write a C program, and use the GCI-BIN interface. In developmental terms, this sucked dead bunnies through thin straws
2) Use some god-awful server-side script thing, updating static files with externally-invoked changes. Yes, people resorted to this.
3) Use PHP/FI. Life is now harmonious and (relatively) pain-free.
There was Cold Fusion, but it was Windows-only. The sane world, at the time, wouldn't serve websites on windows software unless there was a dedicated uptime team involved.
One of these was clearly the better solution. For things it didn't do, it was easy to extend (I wrote the PHP database support for Illustra, a now-defunct object-orientated database that we used)
These days I use it for shell-scripts, and I can bash out something that I need/want in much shorter time (basically because of the enormous standard library) than using any of the other options. My criterion here is "a text editor and 10 minutes"... There are some, very modern, languages that it takes 10 minutes to spin up the IDE and set up the damn project...
You're moving the goalposts. PHP was a great option in 1995. It is not today (except as a basic scripting language, where you and I agree completely. I would use PHP as soon as my bash script gets to about 100 lines).
Your post here is arguing about 1995 or whatever. The post I replied to was full of present-tense about "just use the good parts" and "all languages have issues", etc.
It was an accessible and good enough option, for multiple reasons.
The primary of which was the fact that it was built up for the web and was extremely cheap to host.
Not just moving the goalposts, but actually programming PHP 14 years before it first appeared in 1995, and putting database-driven websites on the web 8 years before it was invented in 1989.
His post here is arguing about 1981, actually.
>I’ll admit to a soft spot for PHP - I was putting database-driven websites on the web when that wasn’t much of a thing (back in 1981, if foggy memory recalls true). I wrote the asset management system that was used by Lucasfilm on Star Wars, by Manix on the Matrix, by various post-production houses in Soho, etc. etc. - all in PHP. We had video-streaming from remote locations before RealNetworks were mainstream. All because of PHP.
For what it's worth, I started using PHP at Oyster Partners (then Oyster Systems). We did the London Metal Exchange, Swiss Bank, Euromoney and all it's sister magazines. When I joined Oyster, it was 3 people and it ran off a dual-link ISDN line... These days the company has been subsumed into a much larger business worth several million, but Luke still runs that business.
I left Oyster after a couple of years (then 50-strong) to set up my own business in 1998 with an angel investor - the business that Apple eventually bought, and the wayback machine puts us on the web in 2001, which makes sense - we spent a couple of years writing the app before it went public.
> I mean, who uses mysql_real_escape_string when you have PDO and bindings ?
You've made my point. A person with tribal knowledge probably would NOT. Any new user coming from reading an older blog post or perhaps a PHP book would have no idea that that "older approach" is out of date.
Furthermore, the more precise point I was trying to make there was as a language designer, how on earth would you be okay implementing something like that? (Remove my example of `mysql_read_escape_string()` and insert any of the more WTF features of PHP.
Lastly, see my comment about being able to build meaningful, fast, cool things with PHP. I never want to tear down anyone's hard work. (Rasmus/Zeev/etc included).
Many of the PHP extensions are direct exposure to underlying libraries. MySQL introduced a 'real escape string' in their client library, PHP exposed that directly. Had they ignored it, or renamed it, or changed param order, people would have complained about that too, no?
> Any new user coming from reading an older blog post or perhaps a PHP book would have no idea that that "older approach" is out of date
You could mostly get that from going to the PHP doc site itself, which would indicate things that are deprecated. Or your IDE might tell you.
Or, for things that are really out of date, like mysql_real_escape_string, they simply ... aren't in the language any more, having been removed completely from PHP7 several years ago. If someone is starting brand new today using a blog post walking them through setting up PHP5... they'll have much bigger problems.
There's a shitload of 'tribal knowledge' around stuff in many languages - you find out a lot of that stuff via searching. If I read an 'older blog post' on Go from 2015, and complained that my Go didn't work very well (or was insecure, or whatever), how much blame should the language itself take?
> Many of the PHP extensions are direct exposure to underlying libraries. MySQL introduced a 'real escape string' in their client library, PHP exposed that directly. Had they ignored it, or renamed it, or changed param order, people would have complained about that too, no?
Don't most ecosystems use some type of namespace for that instead of exposing everything as global functions? Those practices were quite late to the PHP community.
Um, I'd criticize a C++ programmer who didn't know anything about the STL as well. Sure, you don't need to know the STL to write C++, but it's an odd decision. If you're going to use a tool, you have to learn it if you want the job done properly.
PHP is old and carries some cruft along with it for compatibility reasons (I suppose). When mysql_* was implemented, the world was a gentler place, and SQL injection wasn't really a thing (or at least, known to be a thing). What you're really complaining about there is "they didn't throw away the stuff that doesn't work well today". That's a decision I can see going either way.
[aside]
Having said that, the number of interviews I do where the candidate, poorly, attempts to write me code that implements what could have been done with std::vector is crushingly disappointing.
[/aside]
I agree that the population of programmers who knew about SQL injection was much smaller, but it was certainly widely understood by people who cared.
I believe that msql_* were implemented in PHP 3.0, in 1998. By comparison Perl's DBI was first released in 1994, with placeholders and an explanation of why they were important. Of course the idea wasn't original to DBI, the feature was based on an existing Oracle feature known as bind variables that I know was available and recommended with Oracle 7 in 1992. (I don't know if it was there before. It might have been.)
So there was certainly no attempt to figure out best practices on the part of PHP. And compared to the other injection attacks that proliferated in PHP in this time frame, the mysql functions were practically sane.
>but it was certainly widely understood by people who cared.
Rasmus Lerdorf and the early-to-mid PHP community simply didn't care. As you can see by the quotes I posted in another comment, Rasmus Lerdorf actually brags about how much he doesn't care. It's a textbook example of anti-intellectualism.
What the early-to-mid PHP community cared about, and was extremely successful at, was evangelism, and recruiting as many new inexperienced developers as possible.
That didn't mix well with all the foot-guns and design flaws they carelessly built into the language, and left in for far too many long years.
Along the axis of care, PHP is the opposite of Java. Compare PHP's complete lack of design with how carefully and conscientiously Java was designed (I may not agree with all of Java's design decisions, but at least they're all carefully researched, thought out, and debated to death first):
>"In the Java universe, pretty much everybody is really disciplined. It's kind of like mountain climbing. You don't dare get sloppy with your gear when you're mountain climbing, because it has a clear price." -James Gosling
1981? The title of the article is "25 Years of PHP", which checks out because PHP appeared in 1995, and this is 2020, and 2020-1995=25, but 1981 was 39 years ago. The ARPANET was using NCP with 8 bit host IDs in 1981, and nobody was listening for the HTTP protocol on port 80 back then, and homosocketuality was still prohibited.
>The act of trying to connect an even socket to another even socket, or an odd socket to another odd socket, was considered a "peculiar error" called "homosocketuality", which was strictly forbidden by internet protocols, and mandatory "heterosocketuality" was called the "Anita Bryant feature" [2].
I started trying to figure out when it was by when I was at college, how long I did the PhD for, how long I was in the first job, how long into the second job I started using it and I screwed up the maths along the way. It was in 1996, not 1981... No excuses, that's just bad.
You also said you wrote the asset management system that was used by Lucasfilm on Star Wars, which was released in 1977. Are you sure you don't mean one of the later J. J. Abrams films, and not the film whose title was actually "Star Wars"?
Mistakes about dates and context aside, I still can't believe you're actually trying to make excuses for mysql_real_escape_string. It has the word "real" in it. I mean, come on, who would ever name a function "real", and why?
That implies the existance of a not-so-real mysql escape string function. Why didn't they simply FIX the gaping security hole in the not-so-real mysql escape string function, instead of maintaining one that was real that you should use, and one that was not so real that you should definitely not use, in the name of backwards compatibility?
Or were there actually people out there using the non-real mysql escape string function, and they didn't want to ruffle their feathers by forcing those people with code that had a security hole so big you could fly a space shuttle through to fix their gaping security holes?
The name of the function "mysql_real_escape_string" says all you need to know about the culture and carelessness and lack of security consciousness of the not-so-recent PHP community.
And you shouldn't be making excuses for it, or blaming it on the wrong people for using it, instead of the right people for creating it then evangelizing it then not fixing it. It was a TERRIBLE mistake.
The crappy code was PHP itself, and the code was crappy because the culture was crappy. I'm not going to start linking to all the anti-intellectual Rasmus quotes, or to the bug report about the time he checked in huge security regression to the crypto code that would have been caught by the tests, and then CUT A RELEASE, but didn't bother running the tests first because they produced so many errors. But you can google that debacle yourself.
PHP has its issues (boy howdy), but sometimes those issues are being propagated from other places.
Also, I'm gonna (very gently) push back on "evangelizing it then not fixing it," at least with respect to this particular boy howdy issue. PHP may have been late to get on board with bindings and basic DB abstraction, but they've had PDO since 2004. There are a lot of things like this in PHP -- big problems with its original conception/implementation that have been tackled in later iterations of the language, but that people seemingly won't forgive either because they're offended the sins were committed in the first place or because PHP preserves the stupid ways to do things for years and years in the name of backward compatibility.
(I mean, I don't want to overstate anything here. PHP basically started out as a cargo cult version of Perl, and the PHP community collectively decided a few years ago that the proper thing to do to move the language forward was to turn it into a cargo cult version of Java which seems, well, debatable.)
It's not which verion of Star Wars you worked on in what year, it's that you're choosing to defend mysql_real_escape_string, and the culture that produced and maintained and evangelized it.
What you've so brilliantly and unwittingly illustrated here is that PEOPLE MAKE MISTAKES. And that contradicts your argument that attempts to shift the blame for PHP's footguns like mysql_real_escape_string onto "crappy coders" instead of the culture and designers of PHP itself. People love to use that argument the self-aggrandize themselves, claiming they're too smart to make those mistakes, and only crappy inexperienced coders do that, so it's not a problem.
But PHP has always been widely evangelized to inexperienced coders, foot-guns and all.
Yes it DOES make a difference if a language is full of foot-guns, and the culture and developers around it don't give a shit (and don't bother running tests before checking in buggy changes to crypto functions before making a release) because they think they're too hot-shot to aim the foot-guns they designed and loaded at their own feet, then go around evangelizing their language to inexperienced crappy programmers.
dramaticus3 on Aug 22, 2011 | parent | favorite | on: Do not upgrade to PHP 5.3.7 due to a bug in crypt(...
Get ready for some WTF-ery Crypt takes an optional salt. If that value is an MD5 hash it is prefixed with the chars $1$ to tell the underlying crypt(3) function to use Modular Crypt Format[1].
MCF is an ad-hoc cruft because the orginal crypt() is weak.
Anyway guess who did it :
"let's use strlcpy/strlcat instead for these static string copies" - Rasmus I guess that's Lerdorf himself
Whoever it was also didn't check the return values for error. Strlcat returns the length of the new string which might not be the same as strlen(dst) + strlen(src).
"I'm not a real programmer. I throw together things until it works then I move on." - Rasmus Lerdorf
Um, I'm not defending mysql_real_escape_string. I'm not sure how you got that from what I wrote. I was saying use PDO.
Anyway, I don't care enough about what you're going on about to spend the effort arguing with you - it seems like you just want to argue, so how about we say "you win" and move on.
I know you don't care, you've made that very clear. If you cared about truth or accuracy, you wouldn't have made an appeal to your own authority by bragging about impossibly using PHP and making database driven web sites for 39 years, or tried to excuse your moving the goalposts by claiming to "have a bad habit of not clicking on parent to see what the context of a post is".
"I don't care" is Rasmus Lerdorf's attitude about security, software quality, programming, computer science, and unit tests, which is my point. mysql_real_escape_string is just a symptom that you're brushing aside and ignoring of the real problem you're in denial of, but guilty of yourself, which is systemic CARELESSNESS.
"We have things like protected properties. We have abstract methods. We have all this stuff that your computer science teacher told you you should be using. I DON'T CARE about this crap at all." -Rasmus Lerdorf
"I'm not a real programmer. I throw together things until it works then I move on. The real programmers will say Yeah it works but you're leaking memory everywhere. Perhaps we should fix that. I'll just restart Apache every 10 requests." -Rasmus Lerdorf
"PHP is about as exciting as your toothbrush. You use it every day, it does the job, it is a simple tool, so what? Who would want to read about toothbrushes?" -Rasmus Lerdorf
"I actually hate programming, but I love solving problems." -Rasmus Lerdorf
"I don't know how to stop it, there was never any intent to write a programming language [...] I have absolutely no idea how to write a programming language, I just kept adding the next logical step on the way." -Rasmus Lerdorf
"When the world becomes standard, I will start caring about standards." -Rasmus Lerdorf
"I don't like programming. It's tedious." -Rasmus Lerdorf
What are you getting out of this? He worked on php and look how far it came, what have you done?
Your own website was written in php which you took down due to a security vulnerability in a framework... now is it php fault that someone wrote vulnerable code?
"Temporarily offline due to Drupal security vulnerability."
When did I blame php for Drupalgeddon? My web site says "Drupal security vulnerability", not "PHP security vulnerability", so I don't know where you're getting that from.
Back to the point: We're discussing mysql_real_escape_string. What's your excuse for it even existing in the first place, instead of simply fixing the security hole in the original mysql not-so-real escape string function?
Melania Trump's "I REALLY DON'T CARE DO U?" jacket sums up Rasmus Lerdorf's attitude towards security, software quality, programming, stardards, computer science, and unit tests. I just quoted his own words and bug reports that prove that point.
Do you like to leave loaded AK47s strewn around daycare centers, then blame the kids when they shoot each other? Is it ok if after the massacre you realized you made a mistake, and then scatter a few Nerf Guns around so the smart experienced kids who survived will have something safe to play with, but you still leave all the loaded AK47s?
I asked what you did. Then asked if drupals security was phps fault.
Are you seriously this butthurt about a function name, look up where the name came from originally. I also wonder what magical perfect language you use, dont tell me its php...
Not sure where you're going with the rest of this comment so I wont entertain that part. whew...
This is quite the thread and I'm having trouble following it, so maybe there's a reason why you're referencing such an old version, but you know PHP's currently on 7.4 right? Tons of progress over the last few years. If someone picks up a book that's 10 year's old or reads a blog post from 2010 and expects it to be 'current' then they have bigger issues. There are plenty of resources that cover modern PHP.
PHP isn’t perfect. As OP said, no language is, and any competent software engineer uses the parts of the language that work well for them, and just ignores the things that don’t work for them. I don’t believe for a second that the abuse the language has suffered over the years has anything to do with mysql_real_escape_string, it’s more to do with crappy code. You can write crappy code in any language, and it’s more a reflection of the programmer than the programming language IMHO.
Part of PHP’s problem is that it’s so easy to use. Any C programmer can pick up the basics pretty easily, hack together something that scratches an itch, and move on. Later someone will criticize the quick hack and say “you didn’t use mysql_real_escape_string so that code has a SQL vulnerability. Don’t use PHP”. In reality, there are mechanisms for preventing SQL injection and they just weren’t used. Is that a failing of the language ? Partly, perhaps, for providing the unsafe way of doing things, but a lot of blame also lies with the coder.
I’ll admit to a soft spot for PHP - I was putting database-driven websites on the web when that wasn’t much of a thing (back in 1981, if foggy memory recalls true). I wrote the asset management system that was used by Lucasfilm on Star Wars, by Manix on the Matrix, by various post-production houses in Soho, etc. etc. - all in PHP. We had video-streaming from remote locations before RealNetworks were mainstream. All because of PHP.
I also used PHP to write a content management system for the RiskWaters Group - around 100 magazines in the CMS, with forums, mailmerge, access-rights per page or per view-count or per time-period, with back-end admin pages, with macros the editors could use, etc. etc.
Used properly and judiciously, PHP is a powerful tool. It comes with a few areas that ought to be marked ‘here be dragons’, but frankly so do most languages.
These days, I mostly use PHP for shell-scripting (it comes installed as standard on my Mac), nothing so grandiose as the halcyon days of yore, but I still have PHP to thank for getting the job I’ve had for the last 15 years, in R&D at Apple (“these are the guys that Lucas was talking about”, said the VP who bought my small company).
I’ll finish with a line from a song “Baby, life’s what you make it, celebrate it”. That applies to PHP as well.