Comments on: Safe Strings in PHP (2) http://blog.markus-breitenbach.com/2007/07/01/safe-strings-in-php-2/ AI, Data Mining, Machine Learning and other things Wed, 23 Jul 2008 23:39:34 +0000 http://wordpress.org/?v=2.2.1 By: David Spector http://blog.markus-breitenbach.com/2007/07/01/safe-strings-in-php-2/#comment-6660 David Spector Mon, 21 Jan 2008 01:18:15 +0000 http://blog.markus-breitenbach.com/2007/07/01/safe-strings-in-php-2/#comment-6660 I was struck by the complexity of your solution to the safety ("injection") issue for strings in PHP that come from a user. I, too, have produced programmed solutions to other PHP problems. I now believe that the proper solution is to fix PHP and/or the other components of Web programming. Something that you always want done should be done in the language or computer system, not in explicit coding. Since the environment (the server programming tools) know which strings come from users and which do not, they can implement safety automatically. If the maintainers of PHP are reluctant to improve it in areas such as string safety, that is a political or psychological problem only, and could be solved by proper justification. After all, PHP has had some large changes in its history already, and people accepted them. A great example of this is the unsafe automatic importation of all GET and POST data into global variables, which is no longer done. As a former professional compiler writer and language designer, I am well aware of the tradeoff between keeping a language fixed (standard) and improving it. But there are well-known ways to manage this process, such as the standards development policies of Ada and Fortran. In PHP, a simple directive could enable or disable a new feature like automatic safe strings. To gain the advantages, webmasters or programmers would only have to add one line to each PHP page or to the site's .htaccess file or the equivalent to enable the feature, and remove any existing safety code. I can't see why the maintainers of PHP should object. David Spector Springtime Software I was struck by the complexity of your solution to the safety (”injection”) issue for strings in PHP that come from a user.

I, too, have produced programmed solutions to other PHP problems.

I now believe that the proper solution is to fix PHP and/or the other components of Web programming. Something that you always want done should be done in the language or computer system, not in explicit coding.

Since the environment (the server programming tools) know which strings come from users and which do not, they can implement safety automatically.

If the maintainers of PHP are reluctant to improve it in areas such as string safety, that is a political or psychological problem only, and could be solved by proper justification.

After all, PHP has had some large changes in its history already, and people accepted them. A great example of this is the unsafe automatic importation of all GET and POST data into global variables, which is no longer done.

As a former professional compiler writer and language designer, I am well aware of the tradeoff between keeping a language fixed (standard) and improving it. But there are well-known ways to manage this process, such as the standards development policies of Ada and Fortran. In PHP, a simple directive could enable or disable a new feature like automatic safe strings. To gain the advantages, webmasters or programmers would only have to add one line to each PHP page or to the site’s .htaccess file or the equivalent to enable the feature, and remove any existing safety code.

I can’t see why the maintainers of PHP should object.

David Spector
Springtime Software

]]>