On 03-Mar-07, at 4:20 PM, quasi wrote:
People come here expecting some "learned" advice, not empty rhetoric. So in case you do have a point/opinion, putting some explanation around such statements to clarify the context might just help.
OK, here we go, learned advice: the vast majority of PHP users are non-programmers who come to the language from the direction of HTML. Since they are non-programmers, they have never formally learnt to program. They treat PHP as glorified HTML. Questions of good practices, security, etc. are not entered into. The result is crappy code, if you can call it code. The good thing about PHP, and what it is intended to do, is to encourage non-programmers to get things done. To this end, insofar as it brings people into the FOSS world and gives them a taste of doing things themselves, PHP is an excellent tool. But not for learning a language, learning programming, or learning best practices.
I have been taught, in programming web applications:
1. separate code from data
2. separate code from presentation
In short, three layers:
1. database
2. business logic
3. presentation
The database must distrust the business logic and the presentation layer. The business logic layer must distrust the presentation layer. Or, to put it crudely: don't put HTML in your code, don't put code in your HTML, don't put SQL in your HTML, etc. If you use Python or Perl with a proper templating language, you can't do these things, so 90% of your security problems are solved. In PHP you can do this. You can embed SQL queries in your HTML pages and do all sorts of things, so how can you learn good practices? I try to train the programmers I get, and the ones who come from a PHP background drive me crazy.
And I am no great hacker, just a part-time end user.