Hey, has anyone seen the recent influx of security changes being proposed to PHP?
Are any of them any good?
http://news.php.net/php.internals/90274
http://news.php.net/php.internals/90249
http://news.php.net/php.internals/90350
http://news.php.net/php.internals/90445
Or will PHP always be an insecure heap of shit?
>le PHP is insecure may-may
>I'm too stupid to prevent XSS holes and SQL injections without the language making them basically impossible: the thread
>>52342339
I didn't say anything about XSS or SQL Injections m8
dem unserialize() RCEs tho
>>52342339
this
>>52342339
>>52342354
>>52342262
insecure by design
>>52342262
All of those suggestions are pretty good, though they're not going to do anything to stop inexperienced developers from making bad decisions (which will never stop happening regardless of what changes get made to PHP). I do like that the changes may break backwards compatibility with weak security, which would force project owners to update (inb4 "we're sticking with PHP 5.x!")
>>52342441
Those people deserve to sit on a rotting corpse of legacy software until someone finds a remotely exploitable 0day. Then they deserve to burn.
>>52342467
>Those people deserve to sit on a rotting corpse of legacy software until someone finds a remotely exploitable 0day.
>Until
Isn't it ridiculously easy to upload a shell to these meme websites? Seems like PHP is too shit to be used.
>>52342467
Agreed.
>>52342476
Upload? Maybe.
Execute? Idk
>>52342476
Is it? The fact that you haven't done it tells me it probably isn't that "ridiculously easy".
>>52342525
I don't really know. I just watched some YouTube videos, and security researchers were saying skids use PHP for their C&C and a huge majority of them are exploitable (and they showed how it's done).
>>52342262
Three out of those four are from the same nobody trying to make a name for himself with this: https://wiki.php.net/rfc/php71-crypto
I don't know what libsodium is but I'm sure it's an NSA ruse
>inb4 some securitard calls me a fag
>>52342476
Please elaborate on what these "meme websites" are, friend
>>52342543
> doesn't know who Daniel J. Bernstein is
> doesn't know who Frank Denis is
> thinks libsodium is NSA
GTFO
>>52342546
I second this query.
>>52342543
You're right. I didn't even notice the names were the same!
So it's just some unimportant aspie then?
>>52342546
>>52342579
You can literally google dork for them
>>52342955
>>52342339
This
>>52342339
A language should at least not encourage them.
But if you don't use PHP without a templating language nowadays, you're doing it wrong anyway.