
> When PHP was first released it was dramatically better than the alternatives for its intended purpose.

I think that's going to depend to some degree on how you define that purpose. If it centers around having a low barrier to entry, then that's partly true, but some of the ways it achieved that involved making code written in it vulnerable to variable poisoning and SQL injection by default.
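The "variable poisoning" mentioned above is the register_globals behaviour: every request parameter became a PHP variable before the script ran. As an added example (not code from this thread or from PHP's own documentation), the block below reproduces that behaviour with extract(), since register_globals itself was removed in PHP 5.4; the request array is constructed, and the page logic is hypothetical.

```php
<?php
// Added example. register_globals no longer exists (removed in PHP 5.4), so extract()
// is used to reproduce what it did: every request key becomes a local variable.

// Constructed request: the attacker appends an "is_admin" parameter the page never asked for.
const POISONED_REQUEST = ['username' => 'mallory', 'is_admin' => '1'];

function page_with_register_globals(array $request): bool
{
    // What register_globals did implicitly at script start.
    extract($request, EXTR_OVERWRITE);

    // The page only ever assigns $is_admin on the trusted path...
    if (isset($username) && $username === 'root') {
        $is_admin = true;
    }
    // ...and never initialised it, so the request-supplied '1' is still in scope.
    return !empty($is_admin);
}

function page_hardened(array $request): bool
{
    // Request data never defines variables: initialise first, then read keys explicitly.
    $is_admin = false;
    $username = $request['username'] ?? '';

    if ($username === 'root') {
        $is_admin = true;
    }
    return $is_admin;
}

var_dump(page_with_register_globals(POISONED_REQUEST));
var_dump(page_hardened(POISONED_REQUEST));
```

With the poisoned request the first function returns true and the second returns false. The difference is not the check itself but whether an attacker can pre-populate a variable the code assumed only it could set; initialising every variable and reading input from $_GET/$_POST by name closes the hole regardless of the register_globals setting.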




Did Perl or C protect you against this when PHP came out?


CGI didn't have register_globals, so yes on that count. I'm sure the quality of database access libraries varied, which is still a better situation than having a broken escape function built into the language.


For SQL: the oldest DBI release on CPAN, from 1995, does seem to support bind params.

https://metacpan.org/source/TIMB/DBI-0.64/DBI.pm
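The two comments above contrast an escape-and-concatenate style with bind parameters. As an added example (not from this thread, not PHP's or DBI's own code), the block below assumes the "broken escape function" meant is addslashes(), which is what magic_quotes_gpc applied to every input, and walks the escaped query the way a server using a multibyte charset such as GBK would read it. The GBK tokenizer is a deliberate simplification written for this example (it only models the lead-byte rule), the payload is constructed, and the bind-parameter part assumes the pdo_sqlite extension is present.

```php
<?php
// Added example. Assumptions: the escape function under discussion is addslashes(),
// and the database connection reads the query in GBK, where 0x81..0xFE starts a
// two-byte character. The tokenizer below models only that lead-byte rule.

// Constructed attacker input: GBK lead byte 0xBF, then a quote, then the injected clause.
const PAYLOAD = "\xbf\x27 OR 1=1 -- ";

function escape_and_concatenate(string $value): string
{
    return "SELECT * FROM users WHERE name = '" . addslashes($value) . "'";
}

// Simplified GBK character splitter: a lead byte swallows whatever byte follows it,
// including the 0x5C backslash that addslashes() just inserted.
function gbk_chars(string $bytes): array
{
    $chars = [];
    for ($i = 0, $n = strlen($bytes); $i < $n; $i++) {
        $c = $bytes[$i];
        if (ord($c) >= 0x81 && ord($c) <= 0xFE && $i + 1 < $n) {
            $chars[] = $c . $bytes[++$i];
        } else {
            $chars[] = $c;
        }
    }
    return $chars;
}

// Parse the first single-quoted literal the way a SQL lexer would, honouring
// backslash escapes, either byte by byte or over GBK characters.
// Returns [literal, remainder of the query after the closing quote].
function first_string_literal(string $sql, bool $gbk): array
{
    $body = substr($sql, strpos($sql, "'") + 1);
    $chars = $gbk ? gbk_chars($body) : str_split($body);
    $literal = '';
    for ($i = 0, $n = count($chars); $i < $n; $i++) {
        if ($chars[$i] === '\\') {          // escape: keep the next char verbatim
            $literal .= $chars[++$i] ?? '';
        } elseif ($chars[$i] === "'") {     // unescaped quote ends the literal
            return [$literal, implode('', array_slice($chars, $i + 1))];
        } else {
            $literal .= $chars[$i];
        }
    }
    return [$literal, ''];
}

// Bind parameters never put the value into the SQL text, so no escaping happens at all.
// Requires pdo_sqlite (assumption); returns the stored value read back unchanged.
function bind_param_roundtrip(string $value): string
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT)');
    $db->prepare('INSERT INTO users (name) VALUES (?)')->execute([$value]);
    $stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$value]);
    return (string) $stmt->fetchColumn();
}

$sql = escape_and_concatenate(PAYLOAD);

[$lit, $rest] = first_string_literal($sql, false);
printf("single-byte lexer: literal=%s rest=%s\n", bin2hex($lit), var_export($rest, true));

[$lit, $rest] = first_string_literal($sql, true);
printf("GBK lexer:         literal=%s rest=%s\n", bin2hex($lit), var_export($rest, true));

if (extension_loaded('pdo_sqlite')) {
    var_dump(bind_param_roundtrip(PAYLOAD) === PAYLOAD);
}
```

Read byte by byte, the escape works: the literal holds the whole payload and nothing follows the closing quote. Read as GBK, the bytes BF 5C become one character, the quote after them is no longer escaped, the literal is two bytes long and the remainder is ` OR 1=1 -- '`, which the server now executes as SQL. The bind-parameter round trip stores and returns the same bytes without the value ever touching the query text, which is why the DBI approach was the safer default even before anyone thought about charsets.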


Thank you!

I honestly didn't know (not paying attention to web programming back then) and was wondering if PHP's craziness was standard back then.


Yes. Perl has had taint mode since 1994, and for setuid scripts for longer.


Well, register_globals was a kind of uniquely PHP thing, but that's been gone for ages at this point. I generally agree though that lots of the hate for PHP is a bit over the top.


Auto-escaping every GET/POST input at input time was quite something. Also arrays being pass by value is a lot of fun to this day:

$a = [1]; $b = $a; $b[] = 3; var_export($a); // still array (0 => 1): $b received a copy, so appending to it leaves $a untouched

And that you could pass by ref at call time to any function. That was also quite unique.



