You also said you wrote the asset management system that was used by Lucasfilm on Star Wars, which was released in 1977. Are you sure you don't mean one of the later J. J. Abrams films, and not the film whose title was actually "Star Wars"?
Mistakes about dates and context aside, I still can't believe you're actually trying to make excuses for mysql_real_escape_string. It has the word "real" in it. I mean, come on, who would ever name a function "real", and why?
That implies the existance of a not-so-real mysql escape string function. Why didn't they simply FIX the gaping security hole in the not-so-real mysql escape string function, instead of maintaining one that was real that you should use, and one that was not so real that you should definitely not use, in the name of backwards compatibility?
Or were there actually people out there using the non-real mysql escape string function, and they didn't want to ruffle their feathers by forcing those people with code that had a security hole so big you could fly a space shuttle through to fix their gaping security holes?
The name of the function "mysql_real_escape_string" says all you need to know about the culture and carelessness and lack of security consciousness of the not-so-recent PHP community.
And you shouldn't be making excuses for it, or blaming it on the wrong people for using it, instead of the right people for creating it then evangelizing it then not fixing it. It was a TERRIBLE mistake.
The crappy code was PHP itself, and the code was crappy because the culture was crappy. I'm not going to start linking to all the anti-intellectual Rasmus quotes, or to the bug report about the time he checked in huge security regression to the crypto code that would have been caught by the tests, and then CUT A RELEASE, but didn't bother running the tests first because they produced so many errors. But you can google that debacle yourself.
PHP has its issues (boy howdy), but sometimes those issues are being propagated from other places.
Also, I'm gonna (very gently) push back on "evangelizing it then not fixing it," at least with respect to this particular boy howdy issue. PHP may have been late to get on board with bindings and basic DB abstraction, but they've had PDO since 2004. There are a lot of things like this in PHP -- big problems with its original conception/implementation that have been tackled in later iterations of the language, but that people seemingly won't forgive either because they're offended the sins were committed in the first place or because PHP preserves the stupid ways to do things for years and years in the name of backward compatibility.
(I mean, I don't want to overstate anything here. PHP basically started out as a cargo cult version of Perl, and the PHP community collectively decided a few years ago that the proper thing to do to move the language forward was to turn it into a cargo cult version of Java which seems, well, debatable.)
It's not which verion of Star Wars you worked on in what year, it's that you're choosing to defend mysql_real_escape_string, and the culture that produced and maintained and evangelized it.
What you've so brilliantly and unwittingly illustrated here is that PEOPLE MAKE MISTAKES. And that contradicts your argument that attempts to shift the blame for PHP's footguns like mysql_real_escape_string onto "crappy coders" instead of the culture and designers of PHP itself. People love to use that argument the self-aggrandize themselves, claiming they're too smart to make those mistakes, and only crappy inexperienced coders do that, so it's not a problem.
But PHP has always been widely evangelized to inexperienced coders, foot-guns and all.
Yes it DOES make a difference if a language is full of foot-guns, and the culture and developers around it don't give a shit (and don't bother running tests before checking in buggy changes to crypto functions before making a release) because they think they're too hot-shot to aim the foot-guns they designed and loaded at their own feet, then go around evangelizing their language to inexperienced crappy programmers.
dramaticus3 on Aug 22, 2011 | parent | favorite | on: Do not upgrade to PHP 5.3.7 due to a bug in crypt(...
Get ready for some WTF-ery Crypt takes an optional salt. If that value is an MD5 hash it is prefixed with the chars $1$ to tell the underlying crypt(3) function to use Modular Crypt Format[1].
MCF is an ad-hoc cruft because the orginal crypt() is weak.
Anyway guess who did it :
"let's use strlcpy/strlcat instead for these static string copies" - Rasmus I guess that's Lerdorf himself
Whoever it was also didn't check the return values for error. Strlcat returns the length of the new string which might not be the same as strlen(dst) + strlen(src).
"I'm not a real programmer. I throw together things until it works then I move on." - Rasmus Lerdorf
Um, I'm not defending mysql_real_escape_string. I'm not sure how you got that from what I wrote. I was saying use PDO.
Anyway, I don't care enough about what you're going on about to spend the effort arguing with you - it seems like you just want to argue, so how about we say "you win" and move on.
I know you don't care, you've made that very clear. If you cared about truth or accuracy, you wouldn't have made an appeal to your own authority by bragging about impossibly using PHP and making database driven web sites for 39 years, or tried to excuse your moving the goalposts by claiming to "have a bad habit of not clicking on parent to see what the context of a post is".
"I don't care" is Rasmus Lerdorf's attitude about security, software quality, programming, computer science, and unit tests, which is my point. mysql_real_escape_string is just a symptom that you're brushing aside and ignoring of the real problem you're in denial of, but guilty of yourself, which is systemic CARELESSNESS.
"We have things like protected properties. We have abstract methods. We have all this stuff that your computer science teacher told you you should be using. I DON'T CARE about this crap at all." -Rasmus Lerdorf
"I'm not a real programmer. I throw together things until it works then I move on. The real programmers will say Yeah it works but you're leaking memory everywhere. Perhaps we should fix that. I'll just restart Apache every 10 requests." -Rasmus Lerdorf
"PHP is about as exciting as your toothbrush. You use it every day, it does the job, it is a simple tool, so what? Who would want to read about toothbrushes?" -Rasmus Lerdorf
"I actually hate programming, but I love solving problems." -Rasmus Lerdorf
"I don't know how to stop it, there was never any intent to write a programming language [...] I have absolutely no idea how to write a programming language, I just kept adding the next logical step on the way." -Rasmus Lerdorf
"When the world becomes standard, I will start caring about standards." -Rasmus Lerdorf
"I don't like programming. It's tedious." -Rasmus Lerdorf
What are you getting out of this? He worked on php and look how far it came, what have you done?
Your own website was written in php which you took down due to a security vulnerability in a framework... now is it php fault that someone wrote vulnerable code?
"Temporarily offline due to Drupal security vulnerability."
When did I blame php for Drupalgeddon? My web site says "Drupal security vulnerability", not "PHP security vulnerability", so I don't know where you're getting that from.
Back to the point: We're discussing mysql_real_escape_string. What's your excuse for it even existing in the first place, instead of simply fixing the security hole in the original mysql not-so-real escape string function?
Melania Trump's "I REALLY DON'T CARE DO U?" jacket sums up Rasmus Lerdorf's attitude towards security, software quality, programming, stardards, computer science, and unit tests. I just quoted his own words and bug reports that prove that point.
Do you like to leave loaded AK47s strewn around daycare centers, then blame the kids when they shoot each other? Is it ok if after the massacre you realized you made a mistake, and then scatter a few Nerf Guns around so the smart experienced kids who survived will have something safe to play with, but you still leave all the loaded AK47s?
I asked what you did. Then asked if drupals security was phps fault.
Are you seriously this butthurt about a function name, look up where the name came from originally. I also wonder what magical perfect language you use, dont tell me its php...
Not sure where you're going with the rest of this comment so I wont entertain that part. whew...
This is quite the thread and I'm having trouble following it, so maybe there's a reason why you're referencing such an old version, but you know PHP's currently on 7.4 right? Tons of progress over the last few years. If someone picks up a book that's 10 year's old or reads a blog post from 2010 and expects it to be 'current' then they have bigger issues. There are plenty of resources that cover modern PHP.
Mistakes about dates and context aside, I still can't believe you're actually trying to make excuses for mysql_real_escape_string. It has the word "real" in it. I mean, come on, who would ever name a function "real", and why?
That implies the existance of a not-so-real mysql escape string function. Why didn't they simply FIX the gaping security hole in the not-so-real mysql escape string function, instead of maintaining one that was real that you should use, and one that was not so real that you should definitely not use, in the name of backwards compatibility?
Or were there actually people out there using the non-real mysql escape string function, and they didn't want to ruffle their feathers by forcing those people with code that had a security hole so big you could fly a space shuttle through to fix their gaping security holes?
The name of the function "mysql_real_escape_string" says all you need to know about the culture and carelessness and lack of security consciousness of the not-so-recent PHP community.
And you shouldn't be making excuses for it, or blaming it on the wrong people for using it, instead of the right people for creating it then evangelizing it then not fixing it. It was a TERRIBLE mistake.
The crappy code was PHP itself, and the code was crappy because the culture was crappy. I'm not going to start linking to all the anti-intellectual Rasmus quotes, or to the bug report about the time he checked in huge security regression to the crypto code that would have been caught by the tests, and then CUT A RELEASE, but didn't bother running the tests first because they produced so many errors. But you can google that debacle yourself.