Re: Delphi has ruined me. Ruined, I tell you, ruined.

"Michael Stum" <devnull@xxxxxxx> wrote in message
news:448b7108@xxxxxxxxxxxxxxxxxxxxxxxxx
L505 wrote:
IIRC, PHP *IS* case sensitive, at least on my Linux box, it is.
Actually it's mixed. PHP variable names are case sensitive, but the
names of functions are case insensitive.

With no compiler, it's the gateway drug to bad programming. I
think Microsoft got this one right with ASP.NET.

Try this in PHP, too:

<?php
$dummy1 = '20usd';
$dummy2 = 'usd55';
// each operand is silently coerced to a number: '20usd' -> 20, 'usd55' -> 0
print $dummy1 + $dummy2;


The output on my web browser is:
20

Talk about inconsistency and danger in dynamic/weak typing.

I just imagined that, and my conclusion is: if you REALLY rely entirely
on the user input and properly double check it, even a perfect language
would not do the job here.

I know it's just an extreme example, so I just ignore the fact that such
horrible implementations indeed exist.

Well, I can say that it's hard to imagine, but plenty of bad programs like
this do exist out there, as I've been able to inject javascript into user input
forms on even big corporate websites, when they are only supposed to accept,
say, characters [a..z]... I guess I should start going around to websites and
hacking into them and then contacting the website owner and asking if they want
to hire me as a security expert (where does destructive hacking become
constructive?).

Really, I'm not a script kiddie - I've been analyzing this common unfiltered,
weakly typed, habitual PHP programming for constructive purposes. I'm the
developer of a web library for Pascal and want to make sure it is done right -
so analyzing all the flaws of PHP actually is constructive in designing the web
library for Pascal.

In both PHP and ASP programs I found plenty of cases where people do not check
their input.

But this does go beyond just compiler type checking. Compiler type-checked apps
can also be poorly designed - but the point, I guess, is that using the
is_numeric function bloats the code up when at least some of the web program
could have just been checked at compile time. Yet the dynamic/weak typing
advocates argue that weak/dynamic typing offers less code bloat since the code
is simpler and cleaner on paper - but not if you have to do more unit testing
and add more run-time check code. That gets you back to adding more code bloat
in the end and reinventing strong typing/strong filtering.

Only the most unsafe and unfiltered PHP programs are clean and neat source - the
really strong PHP programs are strongly typed at run time, using run-time code
to check input... Ironic.

Worse yet - you know those websites that say "Hacker Safe" on them? For fun,
I've found quite a few websites with the "Hacker Safe" logo on them which are
unfiltered and written like the above example I gave. Yes, I've found plenty of
"Hacker Safe" websites which are unfiltered and unsafe programs, with many
glitches like the above code snippet I gave... But don't worry, I'm not using it
for destructive purposes - again, I'm a web library designer and have been
scouting all this information out for constructive purposes :-)

A function that you can use in the mandatory check function:
http://fr3.php.net/manual/en/function.is-numeric.php

In my opinion, the output should be 0 or "error, cannot add two strings". I
wouldn't want it to be 75, 20, or 55. That's lunacy.

I share your opinion on that - returning 20 in the above example is
really a big WTF.

Yes, maybe even "8" would make more sense if you are adding say for example
two 4 byte storages... 4 + 4 is 8. But I still think 0 or an error is more
reasonable. :-)
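The input check this thread keeps coming back to, written out as an added PHP example that is not part of this post or of either poster's code. It contrasts the implicit coercion of '20usd' + 'usd55' with a strict integer check, shows why is_numeric() alone is looser than its name suggests, and includes an allow-list check for a field that must only contain [a-z]. The function names (parse_int_strict, parse_number_loose, is_lowercase_word, add_amounts) and the sample inputs are constructed for illustration; the script assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the thread): check untrusted form fields before
// doing arithmetic on them, instead of relying on the implicit
// string-to-number coercion that '20usd' + 'usd55' demonstrates.
declare(strict_types=1);

// Strict decimal integer: optional minus sign, no leading zeros, no
// whitespace, no exponent, and it must survive an int round-trip (which
// rejects "-0" and values beyond PHP_INT_MAX).
function parse_int_strict(string $raw): ?int
{
    if (preg_match('/\A-?(?:0|[1-9][0-9]*)\z/', $raw) !== 1) {
        return null;
    }
    $value = (int) $raw;
    return (string) $value === $raw ? $value : null;
}

// is_numeric() is looser than the name suggests: it also accepts
// leading whitespace (' 20'), exponents ('1e3') and bare fractions ('.5').
// Use it only where those forms are genuinely acceptable.
function parse_number_loose(string $raw): ?float
{
    return is_numeric($raw) ? (float) $raw : null;
}

// Allow-list check for a field that must contain only the letters a-z.
function is_lowercase_word(string $raw): bool
{
    return preg_match('/\A[a-z]+\z/', $raw) === 1;
}

// Adds two untrusted amounts; returns null instead of a silently coerced
// result when either operand fails the strict check.
function add_amounts(string $a, string $b): ?int
{
    $x = parse_int_strict($a);
    $y = parse_int_strict($b);
    return ($x === null || $y === null) ? null : $x + $y;
}

// Constructed sample inputs, as a form handler might receive them.
$pairs = [
    ['20usd', 'usd55'],           // the thread's example: rejected, not "20"
    ['20', '55'],                 // clean input: 75
    ['1e3', '5'],                 // is_numeric() accepts '1e3'; strict check does not
    ['9223372036854775808', '1'], // exceeds PHP_INT_MAX: rejected by the round-trip
];

foreach ($pairs as [$a, $b]) {
    $strict = add_amounts($a, $b);
    $loose  = parse_number_loose($a);
    printf(
        "%-22s + %-7s => strict: %s, is_numeric(a): %s\n",
        var_export($a, true),
        var_export($b, true),
        $strict === null ? 'rejected' : (string) $strict,
        $loose === null ? 'no' : 'yes'
    );
}

// The [a-z]-only form field mentioned above: anything else is refused.
foreach (['abc', 'Abc', 'a1', "a\n"] as $word) {
    printf("%-7s lowercase word? %s\n", var_export($word, true),
        is_lowercase_word($word) ? 'yes' : 'no');
}
```

Run it with `php example.php`. The strict parser deliberately does not use is_numeric() or a bare (int) cast, because both accept forms a money field should never see; the round-trip comparison is what turns the overflowing value and "-0" into rejections rather than silently clamped numbers.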
