I worked at an outfit that hired some utter fuckwits who had been recommended by some more fuckwits for something and they did it in PHP and put it on budget shared hosting.
A week later: SQL injection, CSS, CSRF attacks and someone who had cracked the server was injecting malicious js in the page header.
That day was the day that management finally listened to my doomsaying about security...
Yeah I found this out the hard way back in 1997 writing ASP pages using SQL Server. I learned to sanitize my data inputs.
It all started with employees who had Irish names like O`Brian, they would cause database errors when trying to insert their name. I found out the data entry clerks didn't know the difference between the "`" apostrophe and "'" single quote character. So I wrote a SQL filter function to double up the single quotes if one is entered. As it turned out some employees were using the single quote for SQL Injection and it foiled their attempts and they filed support tickets for it. I could not replicate the error and then I asked how they were entering the data, and none of them wanted to tell me. So I added logging code for when their user ID was used to access the database and noticed they were trying to use the single quote to gain access to other tables and in some cases entering "1 or 1" and other stuff that just returned all the results in a table. I had to filter out SQL commands, system characters, and other things, even HTML statements because they would stick them in there to deface ASP pages and insert messages.
This was a law firm I worked for, and they had no clue their users were doing this, it was an Intranet site that was not accessible from the Internet. I gained a lot of enemies for stopping their 'cracking' of ASP pages. Some would send denial of service attacks to my Windows PC, some would file fake complaints about me to get rid of me and replace me with someone who didn't sanitize inputs. Eventually I got too sick to work, and was fired for being mentally ill after all the stress I had been through caused me to develop schizoaffective disorder.
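For the quote-doubling filter, the "1 or 1" lookups and the audit logging described in the post above, here is an added example (not the poster's code): it uses an in-memory SQLite database in place of the 1997 SQL Server and constructed audit lines, and it sets the string-built query beside the escaped and the parameterised versions.

```python
"""Added example (not from the thread): the name O'Brian and a quoted tautology
under string-built SQL, the post's quote-doubling filter, and a parameterised
query, plus a check over constructed audit lines for the probing described.
An in-memory SQLite database stands in for the 1997 SQL Server."""
import re
import sqlite3

def setup_db(names=("Smith", "O'Brian")):
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO employees (name) VALUES (?)", [(n,) for n in names])
    return con

def sql_escape(value):
    # The filter from the post: double every single quote so the literal survives.
    return value.replace("'", "''")

def lookup_concat(con, name):
    # String-built SQL: O'Brian raises a syntax error; x' or '1'='1 returns every row.
    sql = f"SELECT name FROM employees WHERE name = '{name}' ORDER BY id"
    return [r[0] for r in con.execute(sql)]

def lookup_escaped(con, name):
    # Same statement, but the value passes through the quote-doubling filter first.
    return lookup_concat(con, sql_escape(name))

def lookup_param(con, name):
    # Placeholder binding: the driver never lets the value become statement text.
    sql = "SELECT name FROM employees WHERE name = ? ORDER BY id"
    return [r[0] for r in con.execute(sql, (name,))]

# Quote followed by an operator or comment, OR/AND followed by a digit, or an HTML tag.
PROBE = re.compile(r"(?i)'\s*(?:or|and|--|;)|\b(?:or|and)\s+\d|<\s*/?[a-z]")

LOG = [  # constructed audit lines: user_id, field, raw input (tab-separated)
    "u101\tname\tO'Brian",
    "u102\tname\tO'Connor, Mary",
    "u333\tname\tx' or '1'='1",
    "u333\tname\t1 or 1",
    "u334\tname\t<b>DEFACED</b>",
]

def flag_probes(lines):
    """Return (user_id, raw_input) for audit entries that look like probing."""
    hits = []
    for line in lines:
        user, _field, raw = line.split("\t", 2)
        if PROBE.search(raw):
            hits.append((user, raw))
    return hits
```

The escaped and parameterised lookups both return the single O'Brian row and nothing for the tautology, while the audit check flags only the two probing users and not the Irish names.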
I wouldn't really let Rails slide here or call them an exemplar in the subject at hand. They were lazy and paid dearly for it.
A better example would be Django, most server-side Java frameworks, Ruby frameworks like Sinatra and Padrino, most Erlang code I've seen is solid, Haskell users generally know better, etc.
You mean neither of those ever had or will have security issues, because only stupid incompetent developers ever have those? That was pretty much the point of the parent comment.
Meanwhile on planet Earth every popular software package has had some issues. That's natural, security is hard and requires constant vigilance, and people are bound to err or overlook something from time to time.
I warned the local lottery about the security issues they had with their website (I was doing them some side work) but they didn't listen until someone defaced their website and the first thing they did was ask me if I did it.
Yes that usually is the case. You warn the administrators and managers about security issues and then when some script-kiddie runs a script and cracks the security and downloads the database, they blame you for it.
Sort of like this:
Programmer "Uh you really should use a numerical keypad to the server room, it is more secure than the doorknob lock which is so common anyone can find a key that fits it and rob the server room."
Management "Feh! Forget it, we don't have the budget for it. Besides that doorknob lock was on sale at Lowe's and fit our budget. The clerk there said it was lockpick proof, and that's good enough for us."
Later on someone picks the lock and then steals all the server hardware.
Manager "Someone broke into the server room. Hey programmer was it you, you seem to know a lot about locks and stuff?"
Programmer "No it wasn't me, if you followed my advice with the numerical key pad you wouldn't have had this problem. The lock you used made the server room insecure and allowed a robber to easily pick the lock and rob us all."
Manager "Yeah whatever, I'm pressing charges against you anyway."
I've worked for an asshole company that did that. We reached a stalemate after I managed to use my code ownership clause against them - basically "fuck off or I'll open source all your code".
I'll have to remember, should I find myself in another position to be hired or contracted by another asshole company, to include a 'code ownership' clause and a 'right to open source the code' clause in case of any problems or difficulties.
That's a developer incompetence problem, not a PHP problem. If python or ruby was as trivially easy to get running (read: preinstalled everywhere), then they would be the lowest barrier to entry and have the exact same problems.
I would hardly call this 'the norm', may as well say that all C software inevitably segfaults and is thus unreliable since that happens at least once to everyone who's ever learnt the language. PHP newbies just have the unfortunate side effect of being a bit more exposed to the 'outside elements' while learning.
And if your prior employment recruited based on connections rather than competence that speaks to a management issue that couldn't possibly be solved by switching languages.
(this isn't really to single out your comment, meaty, could be attached to anyone else in this thread)
Against your recommendation, because obviously you are so knowledgeable about security and all, right? Judging from your insightful "avoid PHP because it's for newbs" comment above...
You _do_ know that some of the largest sites on earth run on Wordpress, right?
And those sites became large because people could get them up and running quickly which is what made PHP a popular language. Hobbyist programmers made it what it is, and many of those hobbyist programmers went on to build big companies... Mark Zuckerberg, Matt Mullenweg, just to name a few.