Monday, January 31. 2005
What I Really Think of PHPSEC
PHPSEC, the PHP Security Consortium, has been launched. Ever since Marco Tabini’s call to arms for the PHP community to rally around PHP for business, I have been thinking about how I can support the effort to bridge the gap between enterprise and the brilliant PHP coders I have met along the way. Having given it some thought, I have a lot to say about how to bring PHP to the conference table. Hopefully I can sketch out a little of my thinking in this post.
The strengths of PHP are numerous—and, indeed, one of PHP’s greatest strength is in numbers. I still remember the ISP I used to work for in college that switiched from FreeBSD to Linux. The move was inevitable, since Linux counts a small army in its development ranks, while FreeBSD ambles along. Likewise with PHP, it is popular because it is popular. And popularity means a wealth of features, resources, community support—the chance to tap in to a massive amount of collective cerebral voltage. High voltage. I went so far in one article as to liken PHP to the punk rock movement of the late 1970s. So you get the idea.
However, a low barrier to entry means a lot of entries. Many programmers these days learn PHP as their first language, missing out on the intricacies of functional programming and lambda calculus or, worse, on memory allocation and casting in strongly typed languages. All of this, however, can be shored up over the course of a few good classes in computer science. What is harder to teach—so much harder—is good coding practice.
I see security as a natural extension of this category. I stand up out of my chair and applaud any effort to improve the coding standards of PHP programmers, and particularly in the areas where businesses can be hit and hit hard—the areas where those mythical creatures lurk that strike fear and trembling into the heart of every CEO know to man: hackers.
There is another, more insidious, and potentially much more costly area to address, however. I have eaten my share of spaghetti code, tallied up the hours companies have lost due to lack of documentation, and know from the marrow out that good coding practice only begins with security. Maintainability and robustness are words equally high on my check list of “must haves” before I consider any application, and especially one written in PHP, to be enterprise-ready.
The language has never been to blame. Perl, in fact, gives you more rope than PHP. Yet the sheer popularity of PHP has brought in such massive participation that it has come to this: we need standards now not only for evaluating coders but code. Some apps are so shoddy when I peer under the hood that I would be better off writing it myself. Coding standards like Pear’s are only enforceable with packages uploaded to their website. The business world still desparately needs guidance on how to treat PHP and its coders when designing truly business-critical apps.
Enough of this for now. I will let the gears continue to turn in the background. This could be the subject of my next article for the good folks at IPM.
However, a low barrier to entry means a lot of entries. Many programmers these days learn PHP as their first language, missing out on the intricacies of functional programming and lambda calculus or, worse, on memory allocation and casting in strongly typed languages. All of this, however, can be shored up over the course of a few good classes in computer science. What is harder to teach—so much harder—is good coding practice.
I see security as a natural extension of this category. I stand up out of my chair and applaud any effort to improve the coding standards of PHP programmers, and particularly in the areas where businesses can be hit and hit hard—the areas where those mythical creatures lurk that strike fear and trembling into the heart of every CEO know to man: hackers.
There is another, more insidious, and potentially much more costly area to address, however. I have eaten my share of spaghetti code, tallied up the hours companies have lost due to lack of documentation, and know from the marrow out that good coding practice only begins with security. Maintainability and robustness are words equally high on my check list of “must haves” before I consider any application, and especially one written in PHP, to be enterprise-ready.
The language has never been to blame. Perl, in fact, gives you more rope than PHP. Yet the sheer popularity of PHP has brought in such massive participation that it has come to this: we need standards now not only for evaluating coders but code. Some apps are so shoddy when I peer under the hood that I would be better off writing it myself. Coding standards like Pear’s are only enforceable with packages uploaded to their website. The business world still desparately needs guidance on how to treat PHP and its coders when designing truly business-critical apps.
Enough of this for now. I will let the gears continue to turn in the background. This could be the subject of my next article for the good folks at IPM.
< Previous Entry | Next Entry >
Trackbacks
Trackback specific URI for this entry
No Trackbacks
Comments
Display comments as
(Linear | Threaded)
Excellent post, cyberscribe. I was particularily interested that you mentioned that some who’ve picked up PHP (among other scripting languages) as a first language may not be as well versed in some of the more rigorous coding practices. Of course, it has nothing to do with PHP itself (which I love), but rather the habits one can pick up by working with weakly typed languages. It’s a point I’ve often made in discussion as well. Really good blog entry.
Originally posted at: http://forums.dreamincode.net/showtopic10230.htm
Originally posted at: http://forums.dreamincode.net/showtopic10230.htm
I completely agree that PHP’s popularity has created a unique situation wherein people are learning computer science concepts from a language that has been designed for a single purpose — rapid web application development. Initiatives like the Zend Certification seek to address the need for some kind of check — when you say, "I code PHP" it could mean anything from arriving at PHP after a PhD in CS to picking it up last week by studying a few free scripts. What Zend Certification obviously can not do is teach four years of computer science (or even one) using a language like PHP that doesn’t have memory allocation or strong data types. It can, hopefully — and this is a big hope — steer people toward the good coding practices you learn alongside malloc and cast in a high quality computer science curicculum. I doubt very much, however, that Zend is really doing this.
php definitely needs good practice and such.
But how do you expect to see it coming from the community since the inner stuff is completely broken.
Take a look at the article about recursion on the zend website, the author didn’t really grasped what he was talking about.
Or notice the phpsc site where you have a race condition in the first published article.
And should we consider that the PHP5 parser has more than 800 conficlts and 5 unused terminal symbols, wich basically means it works by pure freaking magic?
I agree the language is not really to blame. Not now. But sadly lots of people started using php4 wich was to blame.
But how do you expect to see it coming from the community since the inner stuff is completely broken.
Take a look at the article about recursion on the zend website, the author didn’t really grasped what he was talking about.
Or notice the phpsc site where you have a race condition in the first published article.
And should we consider that the PHP5 parser has more than 800 conficlts and 5 unused terminal symbols, wich basically means it works by pure freaking magic?
I agree the language is not really to blame. Not now. But sadly lots of people started using php4 wich was to blame.
Well, verbat, I take what you’re saying with a grain of salt since I perused your blog and saw the motto: "everything sux." The truth is that negativism is *easy*, and especially with open source code it is easy to focus on imperfections.
The article on recursion, for example, brought to light that there is an issue with PHP’s ability to store function calls on the stack. It’s an issue, however, that won’t affect most web developers who want to walk through a few subdirectories. For traversing an entire local filesystem in PHP-GTK, sure, that’s a problem. But these issues must be taken in context.
Again, it is easy to not contribute — to throw out statistics about why PHP is broken and why dumb people are mean (or is it suckey people are mean)? But how many race conditions are there in ASP.Net? How many buffer overruns or underruns? Since the source code is locked up in Redomnd, we will never know.
There is a real need here for standards for the uninitiated. There is an opportunity for education. Elitism must go.
The article on recursion, for example, brought to light that there is an issue with PHP’s ability to store function calls on the stack. It’s an issue, however, that won’t affect most web developers who want to walk through a few subdirectories. For traversing an entire local filesystem in PHP-GTK, sure, that’s a problem. But these issues must be taken in context.
Again, it is easy to not contribute — to throw out statistics about why PHP is broken and why dumb people are mean (or is it suckey people are mean)? But how many race conditions are there in ASP.Net? How many buffer overruns or underruns? Since the source code is locked up in Redomnd, we will never know.
There is a real need here for standards for the uninitiated. There is an opportunity for education. Elitism must go.
nah, criticizing is not that easy.
If it were easy we’d see stuff getting better everyday.
Say, the recursion article got some good criticism, and was fixed. Hopefully now people know that you can crash php with recursion and that a tailcall does not relate to how you write a function.
OTOH, people noticed that the PHP parser is completely dumb for years, and it is still completely dumb (well, not rrally, it used to have 1000+ conflicts some time ago).
I’m not arguing with you that you don’t need an higher standard, I am saying that you have to start from the core not from an external entity.
There is no reason for php crashing on recursion, or for having a bison file wich can be enhanced by almost everyone who had a 2-months course on LALR grammars.
IMO, start fixing this is the best approach. But, hey, just my two cents.
If it were easy we’d see stuff getting better everyday.
Say, the recursion article got some good criticism, and was fixed. Hopefully now people know that you can crash php with recursion and that a tailcall does not relate to how you write a function.
OTOH, people noticed that the PHP parser is completely dumb for years, and it is still completely dumb (well, not rrally, it used to have 1000+ conflicts some time ago).
I’m not arguing with you that you don’t need an higher standard, I am saying that you have to start from the core not from an external entity.
There is no reason for php crashing on recursion, or for having a bison file wich can be enhanced by almost everyone who had a 2-months course on LALR grammars.
IMO, start fixing this is the best approach. But, hey, just my two cents.
Well, I agree that there is no reason for PHP to crash when making large recursion calls. That’s why it has been resolved in PHP 5. It will take time, but people will move to PHP 5 and a lot of behind-the-scenes implementation (like references) will get better.
Meanwhile, there are billions of lines of actual PHP code out there, and a lot of it could be likened to some form of pasta. So, while I think the focusing on the core is important, I think coding standards for the code written in PHP is far more important.
Meanwhile, there are billions of lines of actual PHP code out there, and a lot of it could be likened to some form of pasta. So, while I think the focusing on the core is important, I think coding standards for the code written in PHP is far more important.
Why do you need a CS degree to be a good developer ? I think the trend for some time is abstract the programmer from thinking about malloc . What I think happens is the lone programmer sydnrome rather than proper code reviews and mentoring etc.. Its a bit like someone coming over to visit , your place is always tidier isn’t it 
same with code reviews . The one thing that I think is against php is that it does make it easy to spaghetti code straight out of the can but I can say that about a lot of languages , look at people when they learn a OOL like Java and have one 1 class with a 500 line static void main !
same with code reviews . The one thing that I think is against php is that it does make it easy to spaghetti code straight out of the can but I can say that about a lot of languages , look at people when they learn a OOL like Java and have one 1 class with a 500 line static void main !Well, I wasn’t trying to say you need to have a CS degree to be a good developer. More that what often goes with a CS degree is an enforcement of good coding practice, like documenting your functions and keeping your code tidy.
One way to handle that in the real world is of course code review or pair programming (if you’re into Extreme Programming) — given that your reviewer/buddy also has an understanding of what is expected. Hence: the need for standards. Not just security standards — standards for writing code that will be maintainable and robust as well as secure.
Sure, PHP isn’t the only language where people crank out pasta. But it’s in the spotlight because it’s in the spotlight and for some reason web applications tend to fall victim to poor practices more than other applications. So, in many ways I would argue PHP is the most ripe for coding standards.
One way to handle that in the real world is of course code review or pair programming (if you’re into Extreme Programming) — given that your reviewer/buddy also has an understanding of what is expected. Hence: the need for standards. Not just security standards — standards for writing code that will be maintainable and robust as well as secure.
Sure, PHP isn’t the only language where people crank out pasta. But it’s in the spotlight because it’s in the spotlight and for some reason web applications tend to fall victim to poor practices more than other applications. So, in many ways I would argue PHP is the most ripe for coding standards.
