Lately people have been blaming PHP for being insecure. While most of them seem to blame little tiny issues that, when used incorrectly by the programmer, make their scripts insecure. Does that make sense? The programmer uses it insecurely, but the problem is in the language. Absurd. Guess what, you can do that with any language. You can make your house insecure too by failing to fasten the door locks. But more to the point, after examining some of the Blog and CMS software for PHP I’ve come to this conclusion – if that kind of programming is general across the board for these packages then we have a bigger problem.
Blame the Messenger
The first thing we need to know is that we are not all knowing.
Often times we get people learning programming from PHP because it is so easy. That’s what I did back in the days of PHP 2. PERL was just a little too hard for me, and in 1995 I had a real hard time scouring information on the web to figure out what CGI was. But I went from getting my feet wet in PHP to learning C to going to college, then going into full-time work. I was lucky.
When I think back to my early days of PHP I can see how we can be dangerous. We typically focus on getting something done, not really how to do it or the best way or even the most secure way. I was so proud when I built the unthinkable using PHP the first time.
The problem when we are that young in a skill is that we think, “OK, I’ve learned this skill, let’s move on.” What we are forgetting is that we know a language but we don’t know how to use it. We’ve figured out where to put the pieces to form sentences – that is, how to write code to not get errors. The problem is, we still don’t know how to have a conversation.
What I’m getting at here is that sometimes we forget that we need to consider why we write code. We need to understand security. We need to know how the web works. We need to know how a browser renders HTML or CSS or XML or whatever you are working with. We need to know the consequences of using a database system, the overhead caused by connects. We need to know how to bug track, profile and optimize for best efficiency. There is much more work to do once you your code “just works.”
Extending the Problem
That is what happens when we are young. Then we explore, then we work, then we forget. That’s me
As we move along and take on big projects we need to keep on moving upward. From what I’ve experienced, it is common for people to get interested in one area and focus on that. We know programmers who don’t know a thing about hardware. They don’t know what a stack or register is even. On the other side, we have the hardware pros who think they can program because they know the basics of a language. They don’t know what a stack or register is even
CMS and Blogs
How does this apply to Blog software? I really don’t know. I can’t tell what those individuals and development teams were thinking when they spec’ed out their project. IF they did that. I don’t know what they were thinking when they decided to put PURE PHP code inside template files made for HTML coders, graphics designers and common citizens. Seeing “DON’T EDIT THIS CODE” inside a template file is not acceptable in a project. I especially don’t know what they were thinking when they decided to make “index.php” a 10,000 line piece of code that did everything except the admin.
Obviously there are several CMS and Blog packages for PHP out there that are less than ideal. Some are very big and popular. I’ve seen absolutely useless database connects and queries inside a page that slow it down to a crawl. Major packages with 15+ queries on a blank template page that only returns navigation. You don’t want to install this kind of stuff on a shared host, and if you even get the kind of traffic your blog deserves you’ll be looking for a new package at a really inopportune time….and then figuring out how to migrate your data.
I’m hoping soon we see the end of this kind of thing. The trouble is that PHP is such an easy thing to learn that we won’t. What we need is a crop of fantastic programmers to step up and build something we can be proud of. I have a feeling that won’t happen though. Most of those programmers are employed customizing the blog software that already exists out there for people who found the limitations