Trying to fix PHP
-
I'll just leave this here.
-
The end is nigh!
user_real_repent();
now!
-
No, because they're not looking to fix even the low hanging fruit of fail in the language.
Not even the inconsistencies in function names like str_replace vs strpad which can be fixed without even touching the Zend Engine itself AIUI (there's already internal aliases, e.g. die vs exit)
-
Note that this specification doesn't aim to fix any of PHP's quirks and problems.
Most critically, the spec only covers the PHP language itself. It doesn't cover the runtime library at all
"Fix" is too much of a strong word. They are trying to document it.
-
Yes, but the idea is that by documenting it, they can make a start on fixing it.
Now they have two problems.
-
That's gonna be fun. I wonder how they'll handle all the obsolete deprecated functions you're not supposed to use anymore.
-
Most of them are actually extensions to the language per se.
Our good friends mysql_escape_string and mysql_real_escape_string are not core functions but part of ext/mysql, which is typically linked at compile time and can be disabled. As of PHP 5.5 that particular wart was officially supposedly going to be debundled.
-
As of PHP 5.5 that particular wart was officially supposedly going to be debundled.
It didn't, at least not in the Debian package, but using it does appear to cause PHP to scream bloody murder. Which made me happy.
-
Well, it was supposedly unbundled from PHP's end - whether distros unbundle it themselves is another matter.
Unfortunately I'm still stuck supporting it for now since moving certain people onto MySQLi is... interesting.
-
Unfortunately I'm still stuck supporting it for now since moving certain people onto MySQLi is... interesting.
I know it's probably less work since the syntax is mostly the same, at least in the procedural model but... Do you even want to stick with MySQLi?
Yes, I became a PDO zealot ever since I discovered most (all?) of the articles on the 'net that said "but PDO is not supported everywhere so you can't rely on it! waaah!" are either old, or lying through their teeth.
-
The syntax is almost but not quite the same between ext/mysql and ext/mysqli. There are some functions that juggle the order of parameters around just to be helpful.
My actual experience is closer to being in line with those articles than I would like. Were it actually entirely up to me, I'd be abandoning MySQLi for PDO like a rocket, but one of the worst things about being part of the SMF ecosystem is the amount of truly shitty hosts people are using to save a buck.
I regularly encounter people still on PHP 5.2.x despite even PHP 5.3 being on life support.
At least I finally convinced SMF to drop the 5.1 minimum for the next version, now it's 5.3.8 because I also convinced them to drop
sha1(strtolower($username) . $password)
as primary password storage and go bcrypt. Some days I swear it's a losing battle but every now and again they surprise me with rare flashes of accepting reality.
-
sha1(strtolower($username) . 'Imm4g0nna.SALT.dat.4.u' . $password);
FTFY
-
sha1(strtolower($username) . 'Imm4g0nna.SALT.dat.4.u' . $password);
FTFY
Two salts, mkay.
-
Sorry if I find
strtolower($username)
not to be a salt…
-
I know it's probably less work since the syntax is mostly the same, at least in the procedural model but... Do you even want to stick with MySQLi?
Yes, I became a PDO zealot ever since I discovered most (all?) of the articles on the 'net that said "but PDO is not supported everywhere so you can't rely on it! waaah!" are either old, or lying through their teeth.
To be fair, it wasn't usable on PHP 4.x at all and wasn't bundled with PHP 5 until 5.1.0. Granted, you could grab it from PECL for 5.0.x...
-
Sorry if I find
strtolower($username)
not to be a salt…
strtoupper would be a lot better, since most people use lower case usernames.
-
Sorry if I find
strtolower($username)
not to be a salt…
Sure it is. The entire point of a salt is to give you something that is unique to each row, meaning that you have to potentially build a rainbow table for each hash. If doing that with the username isn't that, what the hell is?
Yes, in reality, having an additional per-site salt would be wonderful, but given how inept a number of the users seem to be, there appears to be no safe way to handle this unless it can be hidden somewhere without being able to be tampered with. Using site URL is a no-go since people do move their forums around and shit.
-
strtoupper would be a lot better, since most people use lower case usernames.
Given that the entire point is to be case agnostic, I'm honestly not sure how this makes a difference but I'm willing to be enlightened.
-
WTF is WTF-y?
I don't have a problem with your salt. I was just giving a WTF modification + justification for @agbeladem.
Filed Under: Explaining the joke
-
Did I just give myself a whoosh moment? Shit.
-
Alright now I feel like I'm trolling without intending to.
-
Alright now I feel like I'm trolling without intending to.
It's a valid point, but it does perform the fundamental job of salting, even if it's not the situation I'd like it to be.
Though going forward they're on bcrypt so that takes care of that too.
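As an added example (not code from the thread or from SMF), here is the legacy scheme quoted above, sha1(strtolower($username) . $password), placed beside bcrypt via PHP's built-in password_hash() (available since PHP 5.5), plus a verify-then-upgrade step that moves an account to bcrypt at its next successful login. It illustrates both the "username is a per-row salt" point made earlier and the "going forward they're on bcrypt" point in this post: the username-salted hash is the same for the same account on every site, while bcrypt draws a fresh random salt each time. The usernames and passwords are constructed demo data.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread or SMF. Contrasts the legacy
// username-salted sha1 with bcrypt and shows an upgrade-on-login path.

// Legacy scheme as quoted in the thread: the lower-cased username is the salt.
function legacy_hash(string $username, string $password): string
{
    return sha1(strtolower($username) . $password);
}

// bcrypt: a random per-hash salt and the cost factor are embedded in the result.
function bcrypt_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// A stored record is either a legacy sha1 (40 hex chars) or a bcrypt string ("$2y$...").
function is_legacy_hash(string $stored): bool
{
    return (bool) preg_match('/^[0-9a-f]{40}$/', $stored);
}

// Verify a login; if the account still holds a legacy hash, replace it with bcrypt.
// Returns [bool $ok, ?string $newStoredHash]; $newStoredHash is non-null when the
// caller should overwrite the stored value.
function verify_and_upgrade(string $username, string $password, string $stored): array
{
    if (is_legacy_hash($stored)) {
        // hash_equals() keeps the comparison constant-time.
        if (!hash_equals($stored, legacy_hash($username, $password))) {
            return [false, null];
        }
        return [true, bcrypt_hash($password)]; // upgrade on a successful legacy login
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Re-hash if the stored cost falls below the current policy.
    $new = password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12])
        ? bcrypt_hash($password)
        : null;
    return [true, $new];
}

// Constructed demo data: the same account name and password used on two forums.
$user = 'Alice';
$pass = 'correct horse';

// Legacy: no per-site secret, and case-folded, so both sites store the identical hash.
$siteA = legacy_hash($user, $pass);
$siteB = legacy_hash(strtoupper($user), $pass);
echo "legacy hash identical across sites: ", var_export($siteA === $siteB, true), PHP_EOL;

// bcrypt: two hashes of the same password differ, yet both verify.
$h1 = bcrypt_hash($pass);
$h2 = bcrypt_hash($pass);
echo "bcrypt hashes differ: ", var_export($h1 !== $h2, true), PHP_EOL;
echo "both bcrypt hashes verify: ",
    var_export(password_verify($pass, $h1) && password_verify($pass, $h2), true), PHP_EOL;

// Migration path: a legacy record is accepted once, then replaced by bcrypt.
[$ok, $upgraded] = verify_and_upgrade($user, $pass, $siteA);
echo "legacy login ok: ", var_export($ok, true),
    ", upgraded to bcrypt: ", var_export($upgraded !== null, true), PHP_EOL;
[$ok2, $again] = verify_and_upgrade($user, $pass, $upgraded);
echo "bcrypt login ok: ", var_export($ok2, true),
    ", needs another upgrade: ", var_export($again !== null, true), PHP_EOL;
[$bad] = verify_and_upgrade($user, 'wrong password', $upgraded);
echo "wrong password rejected: ", var_export(!$bad, true), PHP_EOL;
```

The upgrade-on-login pattern is the practical route when the plaintext is only available at authentication time: the legacy hash is checked exactly once, and the bcrypt string written back carries its own salt and cost, so the username no longer plays any role in the stored credential.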
-
Obviously it's better to strtolower username and strtoupper password. Sheesh arantor.
-
Obviously it's better to strtolower username and strtoupper password. Sheesh arantor.
lolwut
-
<sarcasm></sarcasm>
-
<sarcasm></sarcasm>
Yes, yes, I know. I just didn't have a good pithy comeback.
Also, self-escaping tags required.
-
After actually reading the article, the tldr is Facebook implemented their own PHP engine (or two) and wants to ensure compatibility with the main language.
My Supposition: so they can usurp Zend engine with their engine and push forward their Oculus Rift game using just PHP.
-
My Supposition: so they can usurp Zend engine with their engine and push forward their Oculus Rift game using just PHP.
Chuckled. Want to like. But dreading the real possibility. Don't want to like.
-
?
-
The funny thing is that I saw this on /. and immediately thought of you. No wait, that's not funny, that's creepy.
-
I won't be playing, so obviously, it will be a 999,999,999 person MMO.
-
There's like 7 billion people on earth, you're accounted for.