Mailing List Archive



Re: [tlug] Do you whitelist or blacklist utf-8?



>  > What would make me sit up and pay attention is if you showed me that a
>  > php 5.2.x or 5.3.x release was released with serious security bugs in
>  > the core (as opposed to in some new specialist library that has just
>  > been added).
> 
> That's an unreasonable condition in a project whose popularity derives
> significantly from rapid assimilation of "new specialist libraries".

This side thread started because I thought the original comment ("And,
yeah, for better security, don't use PHP") sounded unreasonable. From
what I've learnt in this thread it seems the original comment should
have read: "And, yeah, for better security don't use a version of PHP
more than 5 years old, and don't use frameworks or other libraries (with
any language) unless you are sure the authors understand the various
security attacks."

Sorry for the pedanticism, I realize that version isn't so catchy :-)

Darren

P.S. I hate language wars, even when I'm joining in them. But it matters
out there in the Real World: for many web projects there will be a PHP
Quote, and a Java Quote, and typically the features and prices and
schedule will be comparable. In truth the security, reliability and
speed of the underlying languages are also comparable (meaning
equivalent enough that it won't matter for the success of the project),
and what the decision maker should be doing is comparing the likelihood
of each development team being able to do what they say they can.
It is just very annoying when the inferior team is chosen because of
something the decision maker heard in a bar from a language advocate. :-)

-- 
Darren Cook, Software Researcher/Developer

http://dcook.org/work/ (About me and my work)
http://dcook.org/blogs.html (My blogs and articles)
