PHP is so insecure and vulnerable that it makes me feel unsafe. It has so many features and settings that can lead to security risks, such as register_globals, magic_quotes, and allow_url_fopen. It also has so many functions that can execute arbitrary code or commands, such as eval, exec, and system.

It is like PHP was designed by a bunch of hackers who wanted to exploit every possible loophole.

And people wonder why programmers are accused of being fragile...

Last time I used PHP I caught COVID. No way am I risking it now.

@AlmondSauce lol

@Demolishun I disagree but I love this meme! 🤣

@Lensflare

There is just something awesome about this format (not really an f u for you, but I think this might see more general use):

Welll.. who told you to use all those? The first meme reply explains it. Those commands are available to people who wants to use them. Those who don't need, can simply skip them and live by.

By the way, PHP allow_url_fopen is off by default, in all PHP installation. But some dumb hosting providers do let them turned on. It shouldn't happen though when you install apache and php by yourself.

Firstly, I am know around here as being the sort of masochist that *loves* PHP. I am shitting you not, I have greatly enjoyed the language and the simple way in which I can go ahead and blaze out apps. But I will recognize that it has some issues that could make most PHP apps a den of pentesting.

The reason being: the idea of the web, for backend and dynamic websites, is in itself a port of entry for dangerous practices. Most bug bounties I see around are web based, or web environment based (top dollar comes from actual devices, but cloud brings in a pretty penny as well) and I can tell you one thing about php in relation to our hacker friends: hackers love php, both ethical and blackhat.

It is very easy to include a vulnerability with plain php, even though some items are disabled by default (magic quotes, url fopens etc) but even when you gain access to a wordpress site, injecting a reverse shell vuln is a cake walk, only one line of code really.

All things considered, php is awesome because it feeds/pays both developers, and hackers.

I am here for it, and real php devs know how to provide secure and correct code, bit harder to do really over something like Rails that provides tons of safe defaults, but doable.

I also like my {}s and ;s

register_globals was removed in PHP 5.4

Stop running PHP 5.3 and older.

PHP 8.2 is current version if I remember correctly... that's day and night.

Plus a lot of the features mentioned are present in other languages.

It's easy to blame the language, but most of the time it's not the language, it's the ecosystem around it.

E.g. security wise using outdated versions, not isolating the app / backend, etc.

It's a great language and you know it! :)

Just switch stuff you don't need off in the ini.

...Typo3 CMS, however, can kiss my arse!! 6 hours trying to figure out why some xml parsing wasn't working and it turns out Typo3 doesn't use strict naming convensions for controllers, so my (similar to...) "SoapController-OLD-dont-use-this.php" was overriding my actual controller.

motherf*cker