Coffeehouse Thread

24 posts

JavaScript antiFUD, take it from someone who transitioned from C# to JS

  • Bass

    I don't think PHP is well designed. But people make great stuff in it. Any time someone brings up .NET vs PHP, it reminds me of MySpace vs Facebook. It proves that languages are ultimately kind of unimportant compared to having talented people and sane design.

  • magicalclick

    JS indeed has had a lot of improvement over the years and it runs on all major browsers, and even in Metro apps. But, just like how a certain tech magazine claims "Web is Dead" on its front cover, and just like a lot of companies moved back to native apps instead of web apps, there are always two sides to the story.

    Quality is such a difficult term. Most of us will proclaim we are disciplined programmers and produce high quality code. And oohhhhh.... it passed all the unit tests 1000 times. But, we are all human. Humans write code, humans write unit tests, and humans make mistakes. So, IMO, the more hand holding from the IDE and compiler, the better, as long as it doesn't cost the language too much expressiveness.

    IMO, ASP .NET scared a lot of newcomers because WebForms and MVC have a high learning curve. But, have you guys tried Razor or the free WebMatrix yet? Personally I think it is a very good web platform mixing in C#. Sure you still need JS on the client, but, that's only because there are no other alternatives. The only downside is, you need to pay for web hosting, 5 bucks a month, instead of it being completely free. And usually schools would teach classes using free web hosting because 5 bucks per month is infinitely more expensive.

    Leaving WM on 5/2018 if no apps, no dedicated billboards where I drive, no Store name.
  • evildictaitor

    Bass wrote:

    I don't think PHP is well designed. But people make great stuff in it. Any time someone brings up .NET vs PHP, it reminds me of MySpace vs Facebook. It proves that languages are ultimately kind of unimportant compared to having talented people and sane design.

    The problem is that people often bring up that you can write insecure and secure code in both X and Y for all Turing-complete languages X and Y, which ultimately misses the point that X and Y are not then equally good languages.

    For example, it's possible for an expert to write a lovely swishy app entirely out of x86 assembly compiled with NASM. But it's a whole ton easier to just use WPF.

    And shouting "yeah, but you can do a buffer overflow in C# too if you're really dumb, and you can write code with no buffer overflows or memory leaks in C as well" kind of misses the point. It's waay harder to write good C code with no buffer overflows or memory leaks than it is to write good C# code with no buffer overflows or memory leaks.

    Just because it's possible to write crappy code in .NET and crappy code in PHP doesn't make them equal. Case in point:

    <? include($_POST['folder'] . "/include.php") ?> 

    <% Server.Execute(Request.Form["folder"] + "/include.aspx") %>

    One of those is a root shell on your server. The other (probably) isn't.

    <?
    $hash = $_POST["hashalg"];
    $hash($_POST["password"]);
    ?>

    <%
    string hash = Request.Form["hashalg"];
    System.Security.Cryptography.HashAlgorithm.Create(hash).ComputeHash(Encoding.UTF8.GetBytes(Request.Form["password"]));
    %>

    One of those is a root shell on your server. The other isn't.

    <?
    $sql = "SELECT * from foo WHERE name = '" . str_replace("'", "''", $_GET["foo"]) . "'";
    mysql_query($sql); // MySql
    ?>

    <%
    string sql = "SELECT * from foo WHERE name = '" + Request.Form["foo"].Replace("'", "''") + "'";
    MsSqlQuery(sql); // MS SQL
    %>

    One of those is a root shell on your server. The other isn't.

    <? if($_POST["secret-password"] = "Aw3s0mE") { $logged_in = true; } ?>

    <% if(Request.Form["secret-password"] = "Aw3s0mE") { logged_in = true; } %>

    One of those is an authentication bypass. The other is a compile-time error.

    The list goes on, but the point is that crappy code in PHP/MySql/Python/RoR is vastly more likely to turn critical than like-for-like stupid code in .NET/C#.


    The point is that in a random sample of the thousands of companies that I've visited to audit their code, everyone writes crappy code. Some experts write crappy code once a month. Some junior coders write crappy code every day of the week. But the point is that having a language that is there to encourage you to do it right and make it hard for you to do it wrong (without making it impossible to do it at all) means that people gravitate to doing it right when the deadlines are near, instead of writing shoddy code to get the product (and all too often, their users' credit card details) out of the door and onto the Internet.

    I write bugs all of the time. But I kind of like the fact that 95% of them are caught by my compiler, 4.99% of them are found by my unit tests, and of the 0.01% that are left to run on customer machines, Microsoft makes sure that only 0.000001% of those are actually exploitable.

    That's better for my customers than finding 99% of the bugs with unit testing, and half of that 1% of bugs that get through being trivially exploitable by a hacker determined to get root on my server.
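The post above contrasts user-selected function names and quote-doubled SQL with their .NET counterparts. As an added example (not code from the thread or from either platform), here are hardened Python versions of those two cases: the digest name goes through a fixed allowlist before any lookup, and the lookup uses a bound parameter instead of splicing the value into the SQL text. The in-memory sqlite table `foo` and its rows are constructed for the example.

```python
import hashlib
import sqlite3

# Fixed allowlist of digest names the application is willing to accept.
ALLOWED_HASH_ALGS = frozenset({"sha256", "sha512", "sha3_256"})


def accepts_alg(alg_name):
    """True only for names on the allowlist (checked before any lookup)."""
    return isinstance(alg_name, str) and alg_name in ALLOWED_HASH_ALGS


def hash_with_requested_alg(alg_name, data):
    """Hash `data` with a client-chosen algorithm, but only after the name has
    passed the allowlist. The client value is never used to resolve a callable
    directly, so it can select a digest and nothing else."""
    if not accepts_alg(alg_name):
        raise ValueError("unsupported hash algorithm: %r" % (alg_name,))
    return hashlib.new(alg_name, data).hexdigest()


def find_by_name(conn, name):
    """Look up rows with a bound parameter rather than splicing the value into
    the SQL text. Quote-doubling depends on one engine's literal syntax; a bound
    parameter is data to every engine, so quotes or backslashes in `name`
    cannot alter the statement."""
    cur = conn.execute("SELECT id, name FROM foo WHERE name = ?", (name,))
    return cur.fetchall()


def demo_db():
    """Constructed in-memory sample table (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO foo (name) VALUES (?)",
        [("alice",), ("o'brien",), ("back\\slash' OR 1=1 --",)],
    )
    conn.commit()
    return conn
```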

  • magicalclick

    Reminds me of a hacker trying to hack my website by accessing a PHP admin page. But, I am not using PHP anyway LOL. I use parameterized SQL instead, though; it is even better that way since it is even more hand holding.

    Leaving WM on 5/2018 if no apps, no dedicated billboards where I drive, no Store name.
  • exoteric

    @evildictaitor: Scary video about SQLi

    Sorry for the off-topic.

  • Bass

    evildictaitor wrote:

    One of those is a root shell on your server.

    trivially exploitable by a hacker determined to get root on my server.

    I don't think so. Even if you have the ability to execute arbitrary PHP on a server, your scripts can only execute with the rights of the PHP interpreter. And depending on the server PHP is running on (e.g. RHEL), that might not be many rights at all.
