We’re currently renovating our house (like so many other SLUG members) and buying lots of materials from auctions to save money. In Sydney there are a number of companies like Grays and Auction World that run multiple auctions each week. Sadly we often miss the inspection days because we notice the auction too late. It would be really good if these companies could provide RSS feeds for:
- Auction notices – covering inspection days and auctions opening and closing
- Items – listing all of the items as they become available
- Bidding for each item – so we can monitor bidding on specific items
Filed under: Uncategorized
A couple of days ago there was a thread on the SLUG mailing list, started by someone having problems with a PHP script. Towards the end of the discussion I suggested:
While you’re redeveloping you should also read about Cross-site Scripting and why you should escape user input before sending it back to the browser.
Which received the response:
Isn’t PHP fun?
Once again we seem to have someone pushing the misconception that PHP is unsafe compared to other languages. The problem isn’t PHP. Like most programming languages it does exactly what you tell it to. The problem is that many PHP programmers are self-taught hobbyists who have never heard of:
- Cross Site Scripting
- Cross Site Request Forgeries
- SQL Injection
- Session fixation
- etc…
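To make the point concrete, here is each item in the list above as the unsafe PHP idiom beside its fix. This is an added example, not code from the original post or the mailing-list thread. It assumes PHP 7 or later with the PDO SQLite extension; the `users` table, its single row, and the `' OR '1'='1` probe are constructed for the demo, and the function names are mine.

```php
<?php
// Added example: the four classic web bugs, unsafe form next to the fix.
// Assumes PHP 7+, PDO with the sqlite driver. Table and data are constructed.
declare(strict_types=1);

// --- Cross-site scripting: escape on OUTPUT, for the context the data lands in.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
function greetUnsafe(string $name): string {
    return "<p>Hello, $name</p>";              // "<script>" in $name runs in the browser
}
function greetSafe(string $name): string {
    return '<p>Hello, ' . e($name) . '</p>';   // rendered as literal text instead
}

// --- SQL injection: never build the query string from user data.
function findUserUnsafe(PDO $pdo, string $email): ?array {
    $sql = "SELECT name FROM users WHERE email = '$email'"; // data becomes SQL
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}
function findUserSafe(PDO $pdo, string $email): ?array {
    $st = $pdo->prepare('SELECT name FROM users WHERE email = :email');
    $st->execute([':email' => $email]);        // bound parameter, data stays data
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// --- Cross-site request forgery: a per-session secret the attacker's page
// cannot read, embedded in every state-changing form and checked on submit.
function csrfToken(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}
function csrfField(): string {
    return '<input type="hidden" name="csrf" value="' . e(csrfToken()) . '">';
}
function csrfValid(array $post): bool {
    return isset($post['csrf'], $_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], (string) $post['csrf']);
}

// --- Session fixation: an attacker who plants a session id before login must
// not end up holding the logged-in session. Issue a fresh id at login.
function loginUser(int $userId): void {
    session_regenerate_id(true);               // old id is deleted, not just detached
    $_SESSION['user_id'] = $userId;
}

// --- CLI demo with a constructed in-memory database (no web server needed).
if (PHP_SAPI === 'cli') {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (name TEXT, email TEXT)');
    $pdo->exec("INSERT INTO users VALUES ('alice', 'alice@example.com')");

    $probe = "' OR '1'='1";                    // constructed injection input
    var_dump(findUserUnsafe($pdo, $probe));    // array: matches every row
    var_dump(findUserSafe($pdo, $probe));      // NULL: no such e-mail address

    $payload = '<script>alert(1)</script>';    // constructed XSS input
    echo greetUnsafe($payload), "\n";          // script tag emitted verbatim
    echo greetSafe($payload), "\n";            // &lt;script&gt;... emitted instead

    $_SESSION = [];                            // stand-in for session_start() on the CLI
    echo csrfField(), "\n";
    var_dump(csrfValid(['csrf' => $_SESSION['csrf']]));  // true
    var_dump(csrfValid(['csrf' => 'guess']));            // false
}
```

In a real page handler the order is `session_start()`, reject any POST where `csrfValid($_POST)` is false, call `loginUser()` only after the credentials check, and pass every value through `e()` at the point it is written into HTML. Escaping belongs on output rather than on input because the same string may also be bound into SQL, written to a log, or sent in JSON, each of which needs a different encoding.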
I know I can write Java, Perl and Python code that is just as unsafe by following the practices these amateurs follow. While I haven’t done much .NET or Ruby, I suspect the same applies to them too.
My point here is pretty simple. Imagine you hired a handyman to hang a picture. If he turned up, pulled out his electric drill and a screw, then proceeded to hammer the screw into the wall with the back of the drill, you would blame the handyman, not the drill manufacturer. It’s the same with PHP. If you want to hire inexperienced programmers to develop your website, expect things to go wrong.