Recki-CT – A compiler for PHP, written in PHP (github.com)
Would be really nice to see security augmentations to the language. The vast majority (maybe 9/10) of sites I look at where no framework was used have no CSRF tokens, very poor XSS protections, and RCEs are pretty common too. I think this would really improve the language.
The argument that 'PHP is a framework' may be valid, but as a framework, raw PHP kind of sucks.
An example would be built-in CSRF protections through something like a form builder.
http://blog.ircmaxell.com/2014/08/introducing-recki-ct.html
(it's vaguely redundant with the readme, but there is some additional stuff)
Globals, sure, bad practice. Ideally we wouldn't have any. Dynamic variables make sense to exclude, it turns static analysis into the halting problem. Luckily they're a bad practice too since 5.3 introduced closures.
But references?
EDIT: It's by Anthony Ferrara! and some other pretty big names in the PHP community
This is debatable. It's not if you know to avoid many awful components of the language that are pushed in tutorials (like extract, or mysql_query, or register_globals, or loose comparisons).
mysql_* functions all have a big red warning at the top of the docs pages warning users not to use it;
extract has a big red warning about using it on untrusted data.
PHP shouldn't hold developers' hands, but it does enough to warn them away from the Here There Be Dragons.
However, the others require users to actually read the documentation, which unfortunately many do not. A new user of PHP reading a tutorial does not necessarily know these functions are unsafe. They type the functions into their program and they still work, even on the latest versions of PHP. They don't see a visible deprecation warning on the page.
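An added example (not from this thread or from Recki-CT) showing two of the hazards named above, loose comparison and extract() on untrusted data, next to their safe forms; the string values and request arrays are constructed for the demo:

```php
<?php
declare(strict_types=1);

// 1. Loose comparison. == applies type juggling: two different strings that
//    both parse as "0e<digits>" are numeric strings equal to 0, so == treats
//    them as the same value. Hex digests can have this shape, so == is the
//    wrong operator for comparing hashes or tokens.
$stored   = '0e462097431906509019562988736854';   // constructed sample digest
$supplied = '0e830400451993494058024219903391';   // constructed sample digest
var_dump($stored == $supplied);                   // juggled: both become float 0
var_dump($stored === $supplied);                  // strict: compares the bytes
var_dump(hash_equals($stored, $supplied));        // strict and constant-time

// 2. extract() on untrusted data. Every array key becomes a local variable,
//    so a request parameter can overwrite state the code already set.
function handle_request(array $request): bool
{
    $isAdmin = false;        // decided by the application...
    extract($request);       // ...then silently replaced if the request has an "isAdmin" key
    return $isAdmin;
}
var_dump(handle_request(['isAdmin' => true]));    // constructed request wins

// Safe form: read only the keys you expect, cast them, and never let request
// data name your variables.
function handle_request_safe(array $request): array
{
    $isAdmin = false;                               // never derived from the request
    $page    = (string) ($request['page'] ?? 'home'); // explicit, typed read
    return ['isAdmin' => $isAdmin, 'page' => $page];
}
var_dump(handle_request_safe(['isAdmin' => true, 'page' => 'x'])['isAdmin']);
```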