
PHP.net Compromised

timothy posted about a year ago | from the stay-safe-out-there dept.

Security 189

An anonymous reader writes "The open source PHP project site was compromised earlier today. The site appears to have been compromised and had some of its Javascript altered to exploit vulnerable systems visiting the website. Google's stop-badware system caught this as well and flagged php.net as distributing malware, warning users whose browsers support it not to visit the site. The comment by a Google employee over at the hacker news thread (official Google webmaster forum thread) seems to suggest that php.net wasn't incorrectly flagged."


189 comments


Oh the irony (5, Funny)

Zachariah Day (2882443) | about a year ago | (#45227555)

Let me guess, they got in through a PHP vulnerability?

You Sound Like One Of Those (1, Funny)

Anonymous Coward | about a year ago | (#45227677)

You sound like one of those Java fundies. [dilbert.com]

STFU, Doucharonimous.

Re:You Sound Like One Of Those (4, Funny)

ArcadeMan (2766669) | about a year ago | (#45227783)

Here's a better URL [dilbert.com] without all the superfluous Web 2.0 crap around it.

Re:You Sound Like One Of Those (1)

trum4n (982031) | about a year ago | (#45228333)

Do you have a scruffy beard too?

Re:You Sound Like One Of Those (1)

OakDragon (885217) | about a year ago | (#45228421)

Well here's just the GIF [dilbert.com] !

Re:You Sound Like One Of Those (2)

ArcadeMan (2766669) | about a year ago | (#45229019)

I didn't even realize that they were still using GIF instead of PNG. This proves Dilbert.com is run by a PHB.

Optimized GIF: 29019 bytes.
Optimized PNG: 24356 bytes.

Re:You Sound Like One Of Those (4, Insightful)

narcc (412956) | about a year ago | (#45229151)

Well, the strip is from 1995. Did you expect them to convert the whole archive to PNG just to make a few nerds feel better?

Re:You Sound Like One Of Those (0)

Anonymous Coward | about a year ago | (#45229767)

Not "just to make a few nerds feel better", but batch-converting a bunch of images is entirely trivial if you have any desire at all to do so.

Re:You Sound Like One Of Those (1)

ArcadeMan (2766669) | about a year ago | (#45230453)

How about saving bandwidth? Even the latest ones are still in GIF. You may think 4-5KB isn't much, but how many people read Dilbert every day?

Re:Oh the irony (5, Funny)

ArcadeMan (2766669) | about a year ago | (#45227729)

It's Microsoft's fault. The URL for PHP is php.net, which means it's .NET and hence the reason for being compromised.

The malware was distributed via Javascript, which has Java in its name, which means it's also Oracle's fault.

Re:Oh the irony (1)

Anonymous Coward | about a year ago | (#45228869)

And it's open sores software, which means now all the visitors to the site have herpes!

Re:Oh the irony (1)

NettiWelho (1147351) | about a year ago | (#45230229)

On a more serious note, what systems were vulnerable and what was the payload?

Re:Oh the irony (1)

eexaa (1252378) | about a year ago | (#45227779)

Either that, or missing mysql_escape_string.

Re:Oh the irony (-1)

Anonymous Coward | about a year ago | (#45228221)

What kind of fail design escapes input? Input should NOT be passed with commands.

Re:Oh the irony (1)

CastrTroy (595695) | about a year ago | (#45228341)

Isn't it supposed to be mysql_real_escape_string? I can't remember since I've been using parameterized queries for so long.
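The escaping-versus-parameters point raised in the two comments above, as an added example (not code from the thread or from the PHP project). It uses Python's standard sqlite3 module with a constructed three-row table; the escape routine is a hand-written quote-doubling stand-in for mysql_real_escape_string, and the names `lookup_concat`, `lookup_escaped`, `lookup_param` and `structure_changed` are this example's own.

```python
import sqlite3

# Constructed sample data for this example; nothing here comes from php.net.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("o'brien", "user")]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, name):
    """Anti-pattern: the input is spliced into the SQL text, so a quote in the
    input changes the statement's structure (it becomes a command, not data)."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, name):
    """Escaping, the mysql_real_escape_string approach: doubling quotes keeps
    this particular input a literal, but correctness rests on the escape
    routine matching the server's quoting and charset rules exactly."""
    sql = "SELECT name FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Parameterised query: the input is bound as a value by the driver and
    is never parsed as SQL, whatever characters it contains."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


def structure_changed(conn, name):
    """Check: did the concatenated query return something other than what a
    literal match on `name` should return (or fail to parse at all)?"""
    expected = lookup_param(conn, name)
    try:
        return lookup_concat(conn, name) != expected
    except sqlite3.OperationalError:
        # A stray quote broke the statement outright.
        return True


if __name__ == "__main__":
    conn = make_db()
    for probe in ["alice", "o'brien", "' OR '1'='1"]:
        print(repr(probe), "param:", lookup_param(conn, probe),
              "concat altered statement:", structure_changed(conn, probe))
```

The bound-parameter version is the one to keep: the name `o'brien` is matched as data, and a string containing quotes and SQL keywords matches nothing. Escaping gets the same answers here, but only because the replacement rule happens to agree with SQLite's quoting; that agreement is exactly what the escape-function confusion in the thread puts at risk.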

Re:Oh the irony (-1)

Anonymous Coward | about a year ago | (#45227895)

Let me guess, they got in through a PHP vulnerability?

That was funny!

Re:Oh the irony (-1)

Anonymous Coward | about a year ago | (#45228685)

NO they got in through your moms hairy gorilla pussy.

Re:Oh the irony (-1)

Anonymous Coward | about a year ago | (#45229035)

NO they got in through your moms hairy gorilla pussy.

I would beat SO HARD on your mom's hairy gorilla pussy that every time your dad got on top of her, she could only think of me.

It was already a dangerous site to visit ... (5, Funny)

c0d3g33k (102699) | about a year ago | (#45227565)

... it introduced visitors to PHP.

Re:It was already a dangerous site to visit ... (-1, Troll)

girlintraining (1395911) | about a year ago | (#45227623)

... it introduced visitors to PHP.

Listen troll, PHP is used on a large number of websites, including most of the top 10. Facebook uses a special version of it. It is a solid language with a rich command set and very good performance. If you want to be a web programmer, you better know PHP.

If you wanna bash a technology commonly used by web developers, pick Flash.

Re:It was already a dangerous site to visit ... (-1)

Anonymous Coward | about a year ago | (#45227691)

Flash, Silverlight, .NET, Java. Any one of those will lock you down to a single vendor. Bullshit like mono doesn't count.

Re:It was already a dangerous site to visit ... (3, Insightful)

Sarten-X (1102295) | about a year ago | (#45227775)

As a mild Java fanboy, I feel compelled to mention that real Java isn't really locked in to a single vendor, as the reference implementation (OpenJDK) is open-source. However, the reference implementation lacks a lot of the features that aren't real Java, that Sun and Oracle have so kindly implemented in their own versions. A careful Java developer isn't locked in, but a careless one easily can be.

Re:It was already a dangerous site to visit ... (4, Interesting)

csnydermvpsoft (596111) | about a year ago | (#45228417)

It's not that hard to be careful - just avoid the com.sun.* and sun.* namespaces. Eclipse even filters those out (of autocomplete and Organize Imports) in the default configuration.

Re:It was already a dangerous site to visit ... (4, Insightful)

Anonymous Coward | about a year ago | (#45228159)

Silverlight and .Net are the same. Silverlight is simply a subset of .Net that runs in a browser plugin environment. Flash runs like that more commonly than not. Java came with a browser plugin from day 1. Silverlight was simply a catch-up attempt by Microsoft, back before HTML5 made those plugins irrelevant. Throw it in the too-little-too-late bag, but don't confuse it with a real framework.

Also, you're wildly misinformed about the extent of lock-in. Flash is single-vendor, but there are several knock-offs that claim at least partial compatibility. The rest of your examples aren't even close to locked-in. .Net is multi-vendor, as there are several non-Microsoft versions of it (Mono isn't the only one). Java has even more vendors, providing various JVM's and front-end languages that will compile to bytecode. Heck, one of the most widely used Java app servers is Tomcat, and that's made by Apache. It can be paired with any of the compliant JVM's with relative ease.

Meanwhile, the GP is getting all angry about someone insulting their language of choice. Lighten up. Nobody is going to take away your precious PHP. Hell, my career got its start as a "professional PHP developer". Even at the time, it was something I joked about, and this was a decade ago.

The fact is, PHP is ridiculously easy to use, even for a newbie developer. And because of that, there are a lot of newbies using PHP, making the mistakes that newbies inevitably make. This would be OK if they were still in school or developing a Personal HomePage (thanks, retconning!), but when they make this crap in the workforce, it crystallizes into production code and then we (all of us) have to maintain their steaming pile of newbieness forever. Mostly, I blame management for allowing this to happen. But it's much easier to fight off newbies and their PHP by requiring more newbie-proof development technologies in the workplace.

I'm a programmer that does web, web service, desktop, command line, and mobile development for large scale data management and real-time reporting. I no longer use PHP because it is incapable of doing what the software I write does. It's simply the wrong tool for the job, including the web portions. If you want to introduce yourself to web programming, by all means, use PHP. And once you've learned it, know HTTP inside and out, know request/response interplay like the back of your hand, and can set headers, dynamically generate formatted and unformatted data, and in general, use the response body as your bitch, then you don't need PHP anymore and can (and should) move up to something more scalable.

And before you say "PHP is scalable because Facebook uses it", keep in mind what the parent post already noted (emphasis mine):

Facebook uses a special version of it.

Facebook's version is scalable and has good performance. Stock PHP is mediocre. And you can't afford Facebook's clustering and load-balancing setup.

Re:It was already a dangerous site to visit ... (2)

Bigbutt (65939) | about a year ago | (#45229625)

I appreciate your input. Still, no one has come up with what the next step after PHP is. Ruby? Perl? Python? It's not like there's someone out there going "ooh, good job on that PHP website and the work you're doing looks like you understand what you need. Now that you know that, you should start using JQuery to replace the hacked up Javascript and Forth to build websites. Here are a couple of good websites to get you transitioned from PHP to Forth."

It's cool and all to denigrate the folks who are trying but if all you hear is "PHP is crap and folks who program in it are illiterate newbies" without some suggestion as to where to go next, folks will simply ignore the ranting and move on (and continue using PHP).

As a sysadmin, I really liked the Rosetta Stone website so I could take my Linux and Solaris skills and start working on AIX and HP-UX fairly quickly. Is there such a PHP -> Forth website?

[John]

Re:It was already a dangerous site to visit ... (0)

Anonymous Coward | about a year ago | (#45227723)

I agree with you, but he is probably right!

Re: It was already a dangerous site to visit ... (-1)

Anonymous Coward | about a year ago | (#45227737)

Listen, moron. PHP is GARBAGE and anyone who defends it is a clueless fool.

Re: It was already a dangerous site to visit ... (0)

Anonymous Coward | about a year ago | (#45228013)

Just look at this jewel from the official documentation:

Although implode() can, for historical reasons, accept its parameters in either order, explode() cannot. You must ensure that the delimiter argument comes before the string argument.

Or things like this:
https://bugs.php.net/bug.php?id=44794

Re: It was already a dangerous site to visit ... (3, Interesting)

dgatwood (11270) | about a year ago | (#45228393)

It makes sense. The implode function can readily detect the difference between a string and an array through simple type introspection, but the explode function cannot do the same with two strings. Indeed, I would argue that for any function, if the parameters must be of a specific type that can be readily distinguished from the type of other parameters, there's no reason for the parameter order to matter.

Then again, I would argue that the entire notion of programming languages in which the order of arguments is significant is arcane and archaic. IMO, an ideal programming language should require that each parameter be explicitly tagged so that the parameter order never matters, or at a minimum that the order is never implied merely by position. Perl can sort of do this with a hash, Python et al sort of do this with named parameters, etc.

Such a design pattern makes it relatively simple to add additional optional parameters, because the order ceases to matter. It means that you can insert those new parameters in an order that makes logical sense, rather than having to add them at the end of the parameter list with an explicit check to see if the parameter list is empty before shifting off the next item so that you don't break backwards compatibility with existing clients. And so on.

Unfortunately, most programming languages still force you to choose between strict compile-time type checking and mandatory tagging. If you take parameters in a varargs style, you can force mandatory tagging, but you lose any compile-time checks. If you take parameters individually in the function, somebody can still pass parameters positionally, at which point you lose the readability advantages of being able to reorder the parameter names as you add new parameters.

I get the impression that Python 3 allows you to force explicit tagging by adding "*" as the first parameter. It would be great to see similar functionality in all other programming languages; it just makes a lot more sense than trying to extract meaning out of order.

Re: It was already a dangerous site to visit ... (4, Insightful)

AuMatar (183847) | about a year ago | (#45228889)

That is quite possibly the worst idea I've ever heard. So I either have a hash lookup on each parameter on every function call (which will CRUSH performance in any language), or a very complicated system for the compiler to implement. Then as a user I not only need to remember what the parameters are for every function, but what they were named? Which basically means it would need to be looked up every time, because I am not remembering all that. You're looking at an order of magnitude slowdown in writing code. Just a stupid idea.

Re: It was already a dangerous site to visit ... (1)

wonkey_monkey (2592601) | about a year ago | (#45229723)

or a very complicated system for the compiler to implement

What's so complicated about doing it at compile time? When a function's called, compare the caller tags to the function definition tags and re-order them to match - no?

Then as a user I not only need to remember what the parameters are for every function, but what they were named?

It doesn't have to replace the current way of doing things. AviSynth [avisynth.nl] allows parameters to be specified either in order or by name.

Re: It was already a dangerous site to visit ... (1)

brantondaveperson (1023687) | about a year ago | (#45230329)

Objective C pretty much does this. Functions calls look like:

[myColor changeColorToRed:5.0 green:2.0 blue:6.0];

Now I do appreciate here that the order isn't actually flexible, but I would argue that *is* a bad idea because it makes the code much harder to read. But what you do get is the named parameters part, which in my opinion is the more important part. This makes the code much easier to read.

Re: It was already a dangerous site to visit ... (1)

cheater512 (783349) | about a year ago | (#45229199)

implode(array('glue' => ',', 'pieces' => $stuff));

Eww. Just eww man. So much more typing and room for error for no benefit whatsoever except you can swap the order around.

Re: It was already a dangerous site to visit ... (1)

dgatwood (11270) | about a year ago | (#45230011)

It's horrible only because PHP doesn't build such functionality cleanly into the language. The ideal syntax looks more like this:

implode(glue => ",", pieces => $stuff);

Or even this:

implode(glue=",", pieces=$stuff);

And you're very wrong about reordering being the only benefit. Named calling parameters also provide much-needed information about what the parameters actually do when you're looking at the function call itself, without which you must mentally cross-reference the original function declaration to know how those parameters are being used. Being explicit as part of the call syntax reduces cognitive load, particularly when you're doing maintenance programming of a large code base, particularly when a function takes more than a couple of parameters. You know the old adage: If a function takes more than three parameters, you are likely to forget at least one of them.

Also, assuming the syntax is properly built into the language (with full compile-time type checking and errors if you try to specify a parameter name that isn't part of the declaration), you get no additional opportunity for nontrivial errors (in the worst case, you just get parse errors that cause a failure as soon as you try to load the file), while removing a lot of potential for other types of errors.
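The named-parameter design described in dgatwood's two comments (#45228393 and #45230011), worked through as an added example in Python 3 rather than the hypothetical PHP syntax; this is not code from the thread. It assumes the `implode`/`glue`/`pieces` names from the discussion, adds a made-up option `skip_empty` to show the "insert a new optional parameter without breaking callers" point, and uses the bare `*` that the earlier comment mentions to make every parameter keyword-only.

```python
import inspect


def implode(*, glue, pieces):
    """The bare '*' makes every following parameter keyword-only: callers must
    write glue=... and pieces=..., in any order, and cannot pass by position."""
    return glue.join(str(p) for p in pieces)


def implode_v2(*, glue, pieces, skip_empty=False):
    """A later revision adds an option (skip_empty is this example's invention);
    existing keyword callers are unaffected, and the new parameter can sit
    wherever it reads best rather than being appended last."""
    if skip_empty:
        pieces = [p for p in pieces if p != ""]
    return glue.join(str(p) for p in pieces)


def call_outcome(fn, *args, **kwargs):
    """Return ('ok', result) or ('error', message). Python rejects an unknown
    keyword name, and any positional argument to a keyword-only function,
    with a TypeError at call time."""
    try:
        return ("ok", fn(*args, **kwargs))
    except TypeError as exc:
        return ("error", str(exc))


def keyword_only_names(fn):
    """List the parameters a caller must name (checks the definition itself)."""
    return [name for name, p in inspect.signature(fn).parameters.items()
            if p.kind is inspect.Parameter.KEYWORD_ONLY]


if __name__ == "__main__":
    print(implode(glue=",", pieces=["a", "b"]))
    print(implode(pieces=["a", "b"], glue="-"))
    print(call_outcome(implode, ",", ["a", "b"]))          # positional: rejected
    print(call_outcome(implode, glue=",", peices=["a"]))  # misspelt name: rejected
```

Python performs these checks when the call executes, not at compile time as the comment asks for; a static checker such as mypy reports an unexpected keyword name before the code runs, which gets most of the way there. Argument order is irrelevant either way, and a misspelt name fails loudly instead of being silently accepted as an extra array key.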

Re: It was already a dangerous site to visit ... (1)

garyebickford (222422) | about a year ago | (#45228453)

Hmm. I recall an analogous bit from the Perl documentation - I don't recall the specifics. And C has lots of WTFs, not least of which is the syntactic mistake of allowing 'if ( a = b )' to be valid, leading to thousands of hours of debugging time when programmers accidentally forget the second ==. We've all done it, many times. I recently found an example that had lain in wait for a couple of years, as that particular piece of code was only rarely executed, and most of the time the fact that 'a' was being set didn't matter. This bug-factory has now been propagated into several languages whose syntax is based on C. It could be prevented by simply requiring that operations that return a value inside an evaluation must be enclosed with braces: 'if ({a = b})' would evaluate, then proceed; 'if (a == b)' would compare then proceed; 'if (a = b)' would fail.

Bottom line, PHP is just another language with historical, and not-so-historical flaws. I personally dislike the unpredictable parameter order in string and array functions; I basically have to look them up every time I use one I haven't used for a while. APL had the cleanest parsing and cleanest operating model of any language I've used - A+B meant the 'right' thing (or at least something reasonable) regardless of whether A and B were scalars, strings or arrays of arbitrary dimension. Its WTF might well have been just the requirement for the special character set.

Re: It was already a dangerous site to visit ... (0)

Anonymous Coward | about a year ago | (#45229071)

I prefer Pascal's way of distinguishing between equality and assignment. Equality is the "derp" way, with a single "=", just like every programming language that isn't based on C. Assignment requires special forethought and an extra keystroke or two, since it's ":=".

Making these two operators the same symbol just leads to developer confusion and a complicated context-sensitive parser. See also: any BASIC programmer that ever tried to learn C.

Meanwhile, making the "easy" operator the one that modifies memory values is just insane. Yes, it's The C Way, but it's also very failure prone, both for newbies and oldsters alike, just as you pointed out. It took you years to find and fix that bug in your software. That's just retarded and avoidable if the language would use better operators.

Honestly, my dream language is C#, with a better assignment operator (Pascal's := is kind of a pain, so maybe something else), with the ability to actually compile to a real binary (preferably for Linux).

Re: It was already a dangerous site to visit ... (4, Insightful)

Spudley (171066) | about a year ago | (#45228609)

Listen, moron. PHP is GARBAGE and anyone who defends it is a clueless fool.

Find me a language without major design flaws, and I'll show a language that hardly anyone actually uses.

Re: It was already a dangerous site to visit ... (0)

Anonymous Coward | about a year ago | (#45229011)

Listen, moron. PHP is GARBAGE and anyone who defends it is a clueless fool.

Find me a language without major design flaws, and I'll show a language that hardly anyone actually uses.

* Assembler
* Perl
* Python
* Bash

Re: It was already a dangerous site to visit ... (1)

narcc (412956) | about a year ago | (#45229785)

He said WITHOUT major design flaws.

Re: It was already a dangerous site to visit ... (0)

Anonymous Coward | about a year ago | (#45229177)

Lua. It's flawless for game scripting and it's widely used.

Re:It was already a dangerous site to visit ... (0)

Anonymous Coward | about a year ago | (#45227755)

If you wanna bash a technology commonly used by web developers, pick Flash.

I will stick to bashing on ASP.NET in VB.

Re:It was already a dangerous site to visit ... (1)

Minwee (522556) | about a year ago | (#45227763)

I'd rather bash people with no sense of humour who feed trolls.

It's even easier than bashing PHP.

Re:It was already a dangerous site to visit ... (1, Informative)

Anonymous Coward | about a year ago | (#45227805)

PHP does not have very good performance. node.js has very good performance, so does .NET.

PHP uses massive amounts of memory and security is a problem on I'd guess 99% of all shared hosts due to the difficulty in running the process as different users without using up all the RAM on the server. I've been working with PHP since 2006. No more, its days are over.

Add to that the still broken implementation of Unicode. Embarrassing is the word for PHP.

Re:It was already a dangerous site to visit ... (1)

guruevi (827432) | about a year ago | (#45227951)

Clueless sysadmins (and programmers) do indeed bring a bad rep to PHP but correctly implemented and managed, it can be a great asset. What alternative do you suggest? Node.js? Who runs that and .NET? Really?

Re:It was already a dangerous site to visit ... (2)

binarylarry (1338699) | about a year ago | (#45228163)

I'm pretty sure it's PHP that gives PHP a bad rep.

Re:It was already a dangerous site to visit ... (1)

TomGreenhaw (929233) | about a year ago | (#45228499)

Comparing .net to PHP is not a fair or accurate comparison, one is a scripting environment and the other is compiled. Comparing PHP to Classic ASP would be more accurate.

Re:It was already a dangerous site to visit ... (0)

Anonymous Coward | about a year ago | (#45228773)

What alternative do you suggest? Node.js? Who runs that

You know all those people who actually made PHP a thing?

They do.

PHP is on its way out, thank the gods.

Re:It was already a dangerous site to visit ... (1)

narcc (412956) | about a year ago | (#45229815)

PHP is on its way out, thank the gods.

It doesn't appear that way. The data suggest the exact opposite.

Why? Probably due to the lack of a viable alternative. Well, that and the fact that PHP isn't the disaster incompetent Slashdot users seem to think it is.

Re:It was already a dangerous site to visit ... (1, Insightful)

MightyMartian (840721) | about a year ago | (#45228245)

What do I care about a scripting language's performance. The bulk of my work is basically using scripting languages as glue and display functions for RDBMS queries. The amount of cycles the interpreter/JIT/whatever has to consume is dwarfed by the cycles eaten up by the SQL database.

I don't get people. (0)

Anonymous Coward | about a year ago | (#45227969)

GP stated an opinion that isn't unwarranted. And gets modded down and called a Troll by the parent.

Parent states another and backs it up with how many products use it - and the fact that Facebook has their own version; which somehow backs up her claim.

This taking personal offense when someone criticizes a programming language or platform seems so irrational.

My favorite language of all time is ANSI C - but I'm also the first to agree with most criticisms about it and I don't take offense. It's just a language. Give me an algorithm and I'll implement it in any language - it makes no difference to me - it's just syntax. Although it is kind of funny how C has been the inspiration for many of them - just sayin'.

Editors - same thing - depending on a platform, I switch.

Platforms - same.

Linux distros - every few years I switch. I even go to a *BSD every once in a while.

I mean you can call some of these people's mothers whores and they'll brush it off, but say something bad about PHP, Java, C++, JavaScript - well JavaScript is a whore language (kidding!), oh Heaven help you!

Re:I don't get people. (0)

Anonymous Coward | about a year ago | (#45228965)

it makes no difference to me - it's just syntax.

If you think the only difference between languages is "just" syntax then I don't think you really understand programming languages.

Re:I don't get people. (1)

Joining Yet Again (2992179) | about a year ago | (#45229257)

If you think the difference between imperative programming languages goes much beyond syntactic sugar then I don't think you really understand computer science.

You know a sophomore when they start whining about how childish Visual Basic is. If you can write something well, you can write it well in VB. You might prefer not to, but you should be able to do a fine job of it.

Re:It was already a dangerous site to visit ... (1)

c0d3g33k (102699) | about a year ago | (#45228055)

Hi, girlintraining.

I'm no troll. I was there (on the internet, not physically present) when Tim Berners-Lee announced the World Wide Web and I happened to notice while using Gopher. I downloaded and installed the first web browser and went to http://info.cern.ch/hypertext [info.cern.ch] to see what was up with this new thing. I advocated and used PHP when the acronym stood for Personal Home Page. Back when everyone was banging out custom CGI scripts in Perl, it looked pretty cool. And for a while it was. I rolled out quite a few sites based on PHP at the time. I've spent considerable time since regretting my early advocacy and plenty of time fixing PHP driven sites or migrating away from PHP to better platforms. Plenty of other people over the years have explained why PHP is a 'fractal of bad design', so I won't make that attempt here. I agree with them.

I calmly stand by my snark, perched atop the mountain of experience.

Re:It was already a dangerous site to visit ... (0, Troll)

girlintraining (1395911) | about a year ago | (#45228315)

I'm no troll. I was there (on the internet, not physically present) when Tim Berners-Lee announced the World Wide Web and I happened to notice while using Gopher.

I was on the internet, er, before it was the internet. -_- That doesn't mean anything as far as statements made about today.

I've spent considerable time since regretting my early advocacy and plenty of time fixing PHP driven sites or migrating away from PHP to better platforms. Plenty of other people over the years have explained why PHP is a 'fractal of bad design', so I won't make that attempt here. I agree with them.

I calmly stand by my snark, perched atop the mountain of experience.

And I stand by my statements, that PHP would be one of my top picks for back-end design and dynamic pages. It is easy to read, has reasonably good performance, and reasonable security. But no language can stop people from shooting their own foot off if they're so determined, and your grevance seems to be not with the language itself, but with the fact that so many people shoot their own foot off while using it. The only problem I have with PHP is that the designers seem utterly incapable of understanding OOP concepts and the result is half-baked objects. But then, I say the same thing about Java.

Re:It was already a dangerous site to visit ... (3, Interesting)

c0d3g33k (102699) | about a year ago | (#45228645)

I was on the internet, er, before it was the internet. -_- That doesn't mean anything as far as statements made about today.

Agreed. But you came screaming out of the gates with a hard core ad-hominem attack (Troll!) in response to what amounts to little more than a joke. Touchy much?
That said, I was on the internet-before-it-was-the-internet back in 1980. Just out of curiosity, what's your magic date?

I've spent considerable time since regretting my early advocacy and plenty of time fixing PHP driven sites or migrating away from PHP to better platforms. Plenty of other people over the years have explained why PHP is a 'fractal of bad design', so I won't make that attempt here. I agree with them.

I calmly stand by my snark, perched atop the mountain of experience.

And I stand by my statements, that PHP would be one of my top picks for back-end design and dynamic pages. It is easy to read, has reasonably good performance, and reasonable security. But no language can stop people from shooting their own foot off if they're so determined, and your grevance seems to be not with the language itself, but with the fact that so many people shoot their own foot off while using it. The only problem I have with PHP is that the designers seem utterly incapable of understanding OOP concepts and the result is half-baked objects. But then, I say the same thing about Java.

You're reading a lot into my jokey original one-sentence post. Grievance (grevance)? I've used PHP. Found it wanting. Moved on. End of story. What's driving your zealous PHP advocacy?

Re:It was already a dangerous site to visit ... (1)

X0563511 (793323) | about a year ago | (#45228777)

What's driving your zealous PHP advocacy?

Ask a stupid question, get a stupid answer. [xkcd.com]

Note that you're being perceived as wrong, not that you actually are. I certainly don't have the experience to say which of you is right (or more right, as the case may be)

Re:It was already a dangerous site to visit ... (0, Troll)

girlintraining (1395911) | about a year ago | (#45229385)

You're reading a lot into my jokey original one-sentence post. Grievance (grevance)? I've used PHP. Found it wanting. Moved on. End of story. What's driving your zealous PHP advocacy?

I'm not. It's a popular language that is also used on many major web sites. This suggests to me that your various statements about it being "found wanting" are in error. Especially when you have failed to offer an alternative. You criticized something because it was less than perfect. The exact same argument can be made for everything. Ever. It's a logical fallacy, and you got upmodded for it, and my pointing it out got me mod-bombed.

Slashdot needs a "-1, Ironic" for some posts.

Make me a sandwich!!!!! (-1)

Anonymous Coward | about a year ago | (#45229601)

get in the kitchen and make me a sandwich

singed,
Cmdrtaco

Re:It was already a dangerous site to visit ... (1)

webnut77 (1326189) | about a year ago | (#45229389)

What's driving your zealous PHP advocacy?

PHP has lots of add-ons that make it very powerful like: PHPExcel for churning out a spreadsheet, TCPDF for creating a PDF, PHPMailer for sending an email, etc. I don't know if other languages have these but they are simple to use in PHP.

It is true you can write a crappy application with security holes like swiss cheese in PHP. But you can do that in any language. If you're going to write 'good' programs there are quite a few web principles like sanitizing input that you MUST learn.

On the other hand, I think one of the flaws of PHP is that it is often co-mingled with HTML. This makes it hard to debug. A better approach, I feel, is to turn PHP on in the first line and don't turn if off until the last line. If you want to send some HTML, use an echo statement. Learn to use loops (for, foreach, while, etc.), give variables meaningful names, and create functions for things you do over and over.

Re:It was already a dangerous site to visit ... (1)

geminidomino (614729) | about a year ago | (#45230337)

A better approach, I feel, is to turn PHP on in the first line and don't turn if off until the last line. If you want to send some HTML, use an echo statement.

I feel like someone made Poe's law into a truck, and hit me with it.

Re:It was already a dangerous site to visit ... (1)

narcc (412956) | about a year ago | (#45229849)

I've used PHP. Found it wanting. Moved on.

Why did you find it inadequate? With what did you replace it?

Re:It was already a dangerous site to visit ... (1)

Mitchell314 (1576581) | about a year ago | (#45228187)

Calm down, it's just a joke.

Re:It was already a dangerous site to visit ... (0)

Anonymous Coward | about a year ago | (#45228395)

Lots of anti-vaxxers believe they're correct also. It's quite funny and sad. If you like PHP, Brainf*ck is another great language to learn.

Re:It was already a dangerous site to visit ... (-1)

Anonymous Coward | about a year ago | (#45228483)

Ok, since you are an obnoxious, condescending troll for the most part, let's see how well you fit the demographic of a socially awkward dork that uses the internet to vent your anger:
  • Pagan
  • Anti-Microsoft
  • PHP advocate
  • Tor believer
  • Bitcoin denier

If we follow the statistical trail, you are also fat and ugly. Your username implies you have either shed your male identity for a female one, or simply believe you are not what most would call a functioning female. You have problems with anxiety and depression.

Did I miss anything?

Re:It was already a dangerous site to visit ... (1)

Anonymous Coward | about a year ago | (#45229067)

... it introduced visitors to PHP.

Listen troll, PHP is used on a large number of websites...

You're using BOTH ad hominem AND Bandwagon fallacies?! Care to go for a third?

Re:It was already a dangerous site to visit ... (2)

Megane (129182) | about a year ago | (#45227993)

Battle Scars (2)

Tablizer (95088) | about a year ago | (#45228139)

Almost every language in common use has some stupid ideas in it that make one want to slap the makers. (Although maybe PHP deserves 2 slaps.) A lot of it is stretch marks from growth. Any successful language (usage-wise) that's been around a while will probably have battle scars. New languages don't have enough features, and mature languages have convoluted features due to growth and the maturing process.

Re:Battle Scars (0)

Anonymous Coward | about a year ago | (#45229813)

Almost every language in common use has some stupid ideas in it that make one want to slap the makers.

Yes, but PHP has stupid ideas in it that make one want to dunk the makers in molten lead.

Re:It was already a dangerous site to visit ... (2)

narcc (412956) | about a year ago | (#45229921)

Know what's sad? You don't know how awful that page really is. You actually think it contains something of value.

Here's a fun exercise. From that pile of garbage, make a list of points of fact, eliminating any point that is opinion.

Now that you've reduced the content of that page significantly, eliminate any point that's flat-out wrong. Now eliminate any point that also applies to other popular languages.

Still think PHP is a "fractal of bad design"?

It looks like he got rid of the NaN != NaN nonsense point. (Why is that nonsense, you ask? See IEEE 754 -- I guess enough people pointed that bit of nonsense out to him. That and his old intransitivity argument and example seems to have vanished as well. Bet you didn't notice!)

All I can say is... (-1)

Anonymous Coward | about a year ago | (#45227567)

who??

Dogfood? (0)

Anonymous Coward | about a year ago | (#45227627)

Was it a PHP exploit?
Is there any other kind on the Web?

Exploit vulnerable systems? (1)

codeusirae (3036835) | about a year ago | (#45227681)

"The site appears to have been compromised and had some of its javascript altered to exploit vulnerable systems visiting the website"

What Operating System do the clients need to run in order to be vulnerable?

Re:Exploit vulnerable systems? (0)

Anonymous Coward | about a year ago | (#45228931)

"The site appears to have been compromised and had some of its javascript altered to exploit vulnerable systems visiting the website"
  What Operating System do the clients need to run in order to be vulnerable?

The first question is what BROWSER is vulnerable. There are exploits that will work on a particular browser/version across multiple OS's. IF there are no vulnerable browsers, then OS is not relevant as the exploit would never be able to reach the OS to start with.

I can predict the future (5, Insightful)

SmallFurryCreature (593017) | about a year ago | (#45227709)

I can predict there will be a lot of posts by developers of other languages laughing at PHP while ignoring their own languages' massive security failures in the often not so distant past. That is okay; when for instance Ruby had their massive security hole or Java applets were kicked out of every browser, I giggled like a schoolgirl too.

But it sure was fun today to google some obscure function and be told php.net might harm your computer. Especially when you are having to fight management daily on some silly security measures you insisted on to protect your project that are so inconvenient and unnecessary because the project hasn't been hacked yet... sigh... do I have to point out that maybe it hasn't been broken into yet because I put the security measures in place? Or that it might simply not have been our turn yet? Nah... it must be because I am an idiot who sees script kiddies everywhere.

Security, if you do it right everyone thinks you have wasted your time and when you do it wrong, it is all your fault.

But at least the amazing pay, respect, job security and being the stuff all women dream about makes up for it...

Oh wait.

I can predict the future, I am going to die a bitter and angry nerd.

Re:I can predict the future (2)

ArcadeMan (2766669) | about a year ago | (#45227823)

Security. If you do it right, everyone thinks you have wasted your time. If you do it wrong, it is all your fault. - SmallFurryCreature

Thanks for the new quote.

Re:I can predict the future (0)

Anonymous Coward | about a year ago | (#45227831)

Hmm...it sounds like you're only approximating security by doing all that waste of time stuff.

Stop whining, take it like a man and do what needs to be done for full security: pull the plug.

FTFY: I can predict the future (2)

neo-mkrey (948389) | about a year ago | (#45227983)

I can predict the future, I am going to die a bitter, lonely and angry nerd.

Re:I can predict the future (1)

freeze128 (544774) | about a year ago | (#45227997)

But at least the amazing pay, respect, job security and being the stuff all women dream about makes up for it... Oh wait. I can predict the future, I am going to die a bitter and angry nerd.

At least you will have lots of company in the afterlife.

Re:I can predict the future (0)

Anonymous Coward | about a year ago | (#45228049)

You're only paranoid about security until you're proven to be an incompetent fool.

Re:I can predict the future (0)

Anonymous Coward | about a year ago | (#45228229)

While it's true that most other languages have security problems, PHP is a case by itself: http://use.perl.org/use.perl.org/_Aristotle/journal/33448.htm.

Re:I can predict the future (0)

Anonymous Coward | about a year ago | (#45228585)

At least it's not as bad as perl http://cubicspot.blogspot.com/2008/05/perl-is-terrible-language.html [blogspot.com]

Re:I can predict the future (-1)

Anonymous Coward | about a year ago | (#45229899)

You are utterly delusional if you think an ignorant rant is in any way comparable to direct evidence that the PHP developers are complete retards.

Re:I can predict the future (0)

Anonymous Coward | about a year ago | (#45228447)

I agree - we find it so easy to point out the splinter in another's eye, while ignoring the plank in our own.

Re:I can predict the future (0)

Anonymous Coward | about a year ago | (#45229863)

Meanwhile, PHP's eye contains an entire forest.

Re:I can predict the future (1)

styrotech (136124) | about a year ago | (#45229109)

I can predict there will be a lot of posts by developers of other languages laughing at PHP while ignoring their own languages' massive security failures in the often not so distant past. That is okay; when for instance Ruby had their massive security hole or Java applets were kicked out of every browser, I giggled like a schoolgirl too.

Ruby? Don't you mean Rails? That wasn't a problem with Ruby itself. Just like Wordpress bugs are not PHP bugs. I'm deliberately not including application bugs - the track record PHP apps have would make PHP's record look even worse.

And wasn't that massive Rails security hole (assuming you're talking about that autopopulation of variables from user input misfeature) the kind of misfeature that PHP pioneered and baked into its core language?

You can't really compare Java applet sandboxing problems either - PHP has no sandboxing of untrusted code or anything comparable at all (what a train wreck that would be). A better comparison is: how is Java's security record as a web server compared to PHP's?

PHP is relatively unique in the way they've had so many security problems that were badly designed language features rather than just implementation mistakes.

PHP has been objectively worse than practically every other language. Yet you still get people who just can't see the difference in scale/scope, and whine "but but other languages have had problems too!".

Re:I can predict the future (2)

narcc (412956) | about a year ago | (#45229935)

PHP has been objectively worse than practically every other language.

Objectively, you say?

Give it a go. How is it "objectively" worse than other popular languages?

This ought to be hilarious!

Re:I can predict the future (4, Informative)

dkleinsc (563838) | about a year ago | (#45229733)

I can predict there will be a lot of posts by developers of other languages laughing at PHP while ignoring their own languages' massive security failures in the often not so distant past.

You know, I'm going to have to disagree with you on this one.

I'm not saying that other languages are perfect, far from it. But the PHP world, by and large, is inhabited by people who don't really understand security. I've worked in it for a long time, and in every single application and library written in PHP that I encounter, I find results that show signs of knowing of, for instance, the existence of concepts called "SQL injection" and "XSS attack" but no understanding of what those things actually mean beyond taking some boilerplate kinda-solution in most but not all relevant locations.

By contrast, the libraries that Java and Python and Ruby provide, both out of the box and in third-party packages, tend to have been designed to make those kinds of attacks difficult to open yourself up to. The documentation for those packages emphasizes the security risks and concerns, the developer communities do everything they can to reduce those risks, and the result is that there are fewer minefields.

And that is why, in this paper [iseclab.org] , a whopping 80% of SQL injection and a disproportionately high number of XSS vulnerabilities are from projects that were written in PHP. It's possible to do the right thing in that language, but the evidence is fairly strong that developers focused primarily on PHP don't.

lazy editors (0)

Anonymous Coward | about a year ago | (#45227725)

> warning users who's browsers support it
Whose job is it to proof-read submissions around here?

Re:lazy editors (1)

Tablizer (95088) | about a year ago | (#45228181)

You didn't pay your proof-reading tax.

It's about time (2)

sl4shd0rk (755837) | about a year ago | (#45228007)

It's nice to finally have some company down here in the basement.
-Java Plugin

Re:It's about time (1)

slashmydots (2189826) | about a year ago | (#45228085)

What is this, 2007? They hit rock bottom and broke through. Java is in the 9th circle of hell at the moment.

ja ja (1)

Anonymous Coward | about a year ago | (#45228255)

Why is everyone assuming that it is PHP that was vulnerable?

There are countless ways that an attacker could have modified the site that don't involve a vulnerability in PHP.

Re:ja ja (1)

X0563511 (793323) | about a year ago | (#45228855)

Because when an attack is successful it seems like 9/10 times they exploited a bug or configuration issue via PHP?

Perfect timing (0)

Anonymous Coward | about a year ago | (#45228283)

I was googling for "secure password hashing php" and when I clicked the php.net link I got the security warning.

Not fun.

With FreeBSD this wouldn't have happened! (-1)

Anonymous Coward | about a year ago | (#45228747)

I bet php.net uses Linsux. Bad luck!

So it wasn't hacked, and Google fucked up... (1)

pongo000 (97357) | about a year ago | (#45229289)

From php.net:

It turned out that by combing through the access logs for static.php.net it was periodically serving up userprefs.js with the wrong content length and then reverting back to the right size after a few minutes. This is due to an rsync cron job. So the file was being modified locally and reverted. Google's crawler caught one of these small windows where the wrong file was being served, but of course, when we looked at it manually it looked fine. So more confusion.

I'm idly curious if Google even bothers to offer an apology.

Re:So it wasn't hacked, and Google fucked up... (0)

Anonymous Coward | about a year ago | (#45229437)

you mean php.net should apologize to google?

google statement:
http://www.google.com/safebrowsing/diagnostic?site=http://php.net/manual/en/function.next.php&hl=en

the actual cached evil code that *WAS* served by php.net:
https://news.ycombinator.com/item?id=6604251

Re:So it wasn't hacked, and Google fucked up... (4, Informative)

Anonymous Coward | about a year ago | (#45229511)

I'm concerned about this initial response. It is definitely wrong, unless they INTENDED to link to malicious code. The article in the header has an actual PCAP of an actual successful infection, including the data from the injected iframe, the malicious SWF files, and the PE payload they fetched. There's no doubt about this. I can confirm the payload is live.

See also: https://news.ycombinator.com/item?id=6604251

I'm more than idly curious if we can reach PHP.net via some other medium than their site which we surmise has been compromised, or if this is some form of coerced or deliberate backdoor.

However, what I think has happened is that this is the product of an Apache module: it's only serving the bad code once to any IP, and the access logs of course won't show it. You cannot trust the logs produced by a potentially-rooted computer.

This appears to be a targeted watering-hole attack. This is certainly not a mere false positive. And there seem to be an awful lot of people trying hard to dismiss it. That said, this payload doesn't quite match any exploit kit I recognise.

And then I think who is high-profile, has a botnet that looks rather like this one, has what you could describe as a PR department, and could coerce PHP or Google into lying... and well, a certain agency comes to mind. Has someone taken Genie over, or is it still under the same C&C? Have they, or it, gone rogue as part of Turbine? Are they actually launching? I don't know, because the C&C just went dead...
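The php.net statement quoted earlier in this thread attributes the flagged content to a brief window in which static.php.net served userprefs.js with the wrong Content-Length, and the reply above notes that a possibly rooted server's own access logs cannot be trusted. The defender's check for both points is external: poll the served file from outside, compare its digest against a known-good copy, and compare the Content-Length header with the body actually received, so a short window of altered content is caught even if the server's logs say nothing. This is an added example, not php.net's code or anything from the compromise; the URL, the sample file body, and the known-good hash are constructed for illustration.

```python
"""External integrity check for a served static file (added example)."""
import hashlib
import urllib.request
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Fetched:
    """One observation of a served file: lowercased response headers plus raw body."""
    headers: Dict[str, str]
    body: bytes


# Constructed sample of a clean static file; NOT php.net's real userprefs.js.
CLEAN_BODY = b"var userPrefs = {theme: 'light', lang: 'en'};\n"
# Known-good digest, taken from a trusted local copy rather than from the server.
CLEAN_SHA256 = hashlib.sha256(CLEAN_BODY).hexdigest()


def fetch(url: str, timeout: float = 10.0) -> Fetched:
    """Fetch the file from outside, asking intermediaries not to serve a cached copy.

    Running this from several vantage points (different source IPs) matters when
    the server might hand out altered content only once per client address.
    """
    req = urllib.request.Request(
        url, headers={"Cache-Control": "no-cache", "Pragma": "no-cache"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        headers = {k.lower(): v for k, v in resp.headers.items()}
        return Fetched(headers=headers, body=resp.read())


def check(fetched: Fetched, expected_sha256: str) -> List[str]:
    """Return a list of findings; an empty list means the served file looks clean."""
    findings: List[str] = []

    # 1. Does the declared Content-Length match what was actually received?
    declared = fetched.headers.get("content-length")
    if declared is not None:
        try:
            declared_len = int(declared)
        except ValueError:
            findings.append(f"unparseable Content-Length header: {declared!r}")
        else:
            if declared_len != len(fetched.body):
                findings.append(
                    f"Content-Length {declared_len} does not match body length {len(fetched.body)}"
                )

    # 2. Does the body match the trusted copy byte for byte?
    actual = hashlib.sha256(fetched.body).hexdigest()
    if actual != expected_sha256:
        findings.append(
            f"sha256 {actual[:16]}... differs from known-good {expected_sha256[:16]}..."
        )
    return findings


def flag_samples(samples: List[Fetched], expected_sha256: str) -> List[int]:
    """Indices of periodic samples that show tampering.

    A transient window of altered content appears as isolated indices; the polling
    interval must be shorter than the window you want to be sure of catching.
    """
    return [i for i, s in enumerate(samples) if check(s, expected_sha256)]


if __name__ == "__main__":
    # Live usage (hypothetical URL): poll and report.
    observed = fetch("https://static.example.invalid/userprefs.js")
    for finding in check(observed, CLEAN_SHA256) or ["clean"]:
        print(finding)
```

The known-good digest must come from a copy you control (the file in version control, or a copy taken before the incident), never from the server under suspicion, and the comparison is on bytes, so a benign redeploy will also trip it, which is the behaviour you want from a change monitor.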

Re:So it wasn't hacked, and Google fucked up... (1)

landmine (3408679) | about a year ago | (#45230507)

You just couldn't quote one more line...

"...looked at it manually it looked fine. So more confusion.

We are still investigating how someone caused that file to be changed, but in the meantime we have migrated www/static to new clean servers..."

So they are not denying that the file was changed, they just don't know how it was possible.