138 comments
HOLY POOPTARTS this is blowing up,,, 60 boosts and 90 stars??? uhhh if you're looking for a software dev, we're looking for work! We know PHP (as evidenced by me running into this) but also lots of other stuff too. This, um, isn't my even /slightly/ worksafe account though, I was not expecting to go big here. okay I'm sorry I gotta mute the thread, I wish I could mute only the stars and boosts, because I wanna see your replies! but it's all *bloop*bloop*bloop* :3 but do feel free to reply still, I might scour the thread looking for new comments!

@IceWolf Okay, that is messed up. They're both evaluating as strings, but then the strings are being evaluated as numbers?? What's marked as a string should be considered a string until typecast to something else. Putting a number in a string should not cause it to be interpreted as a number. Are the #PHP devs aware of this?

This has been part of the language since forever. I have a draft somewhere about what I want to change about comparison but working on other stuff rn.

@IceWolf @woozle some of us are pushing PHP to be better. But improving comparisons is something I want to work on sooner than later, but it requires some rework at the engine level. Incredibly early draft is here https://github.com/Girgias/php-rfcs/blob/master/comparison-equality-semantics.md

This seems like good practice, which I will be adopting -- but also it kind of reinforces my point that the

That one always made at least some sense to me -- you're comparing with a number, so of course the string needs to be cast to a number. But comparing two strings makes them into numbers?? Something rotten in the state of Denmark. What happens if you're comparing, say, two password hashes, and they both happen to begin with

@woozle PHP devs aren't (merely) incompetent people who are unaware of certain things. Rather, they deliberately insist on not even trying to get anything right. This attitude is a precondition for working on PHP at all.

> But comparing two strings makes them into numbers?

[Edited to remove a part I'd gotten plain wrong; PHP isn't ‘stringly typed’.] Lots of languages are like this; it's a valid design decision. Though it's certainly possible to implement that better than PHP does.

@Crell Personally I don't mind dynamic languages, if that's what you're getting at. You can be dynamic without being boneheaded like this. (I think Perl does it a bit better, IIRC.)

@IceWolf You haven't seen anything until you've seen Javascript... :-) Type juggling outside of a few very narrow conditions is just inherently dangerous.

@Crell Oh we use Javascript all the time and I personally love it! Not so much for its type handling, it can be a bit wonky (insert holy trinity meme), but y'know. I'll take some type wonkiness in return for JS's immense flexibility and unopinionatedness. It doesn't try to force you into any one specific pattern or coding style (*cough*Rust).

@IceWolf + means both addition and concatenate, in a language with no explicit types. Nothing in PHP comes close to that level of dumb. (And PHP has plenty of dumb.)

@Crell really? *waves paw at the OP* :3 but personally I don't mind the + thing at all, since /usually/ it's clear from context. There are worse things!

@evert @IceWolf Because in practice it bites you about 10000x as often as "a string that happens to start with 0e will get coerced to 0 if you try to use it as a number." Addition and concat are two of the most common operations. Using the same symbol for them when the types are inherently unknown is begging for trouble.

@IceWolf @jalefkowit I earnestly don’t want to be a sneering elitist but I cannot help but see a *little* bit of a silver lining in a certain photography enthusiast’s public crash-out, in that it may damage the popularity of this language. If you squint, it’s really harm reduction (via doing lots and lots of harm)

@glyph @jalefkowit Um, no PHP is GREAT, actually. Why do you think I'm on its docs site! Sure, it's got some wonkiness. Every language does. But PHP makes webdev and programming in general incredibly accessible. And since it's server-side, it makes lightweight, usable pages by default, unlike every """modern""" Javascript stack.

@IceWolf @jalefkowit because of the profusion of design errors like this, php is quantitatively the most insecure high-level language still in use. I acknowledge that its accessibility is something other languages and hosting environments need to aspire to, and that many people have found that accessibility empowering. but its prevalence is a real problem, complicit in some of the biggest breaches. “Wordpress sharing critical infra” is a cliché at this point

@IceWolf @jalefkowit This is just one study but it’s an illuminating data point: https://www.mend.io/most-secure-programming-languages/

@IceWolf @jalefkowit As far as “SSR is good”, I am a python guy who has been doing web dev in various capacities since 2001, no need for argument there :)

@glyph @jalefkowit Wordpress is also Wordpress. When you run 40% of the internet, of course you're gonna get whacked with a crapton of hacking effort. (See also Windows.)

@IceWolf @jalefkowit I acknowledge that that's a factor, but it's definitely not the only factor. Anyway I don't need to yuck your yum; if you like it, and you don't agree with my take, that is your option. And while I don't mind putting that idea out there, I am not going to yell at you about it, if I am going to put effort into something, I will go make my own rickety pile of infrastructure more appealing and accessible, not just put down PHP 🙂

@tursiae Nahhh, it's the opposite, because it doesn't try to force one specific style on you! Everyone else hates YAML because of its weird "do what you might possibly be guessed to potentially mean" semantics. I hate YAML because it straight-up bans us from using tabs in our /own config files/. We are not the same. :3

@tursiae It's even worse than Rust's fucking "style warnings", and that's saying something!

@tursiae Seriously, Go? Sheesh. We read an article once shitting on it for other things but it didn't talk at all about that, and now I'm /really/ glad we never tried it out.

@tursiae Oh! Sheesh. Yeah, that falls firmly in the "should be a warning, not an error" department IMO.

@IceWolf true statements, but I'm more of an actual static or cgi guy. On the rare occasion I need something more complex I write the javascript (don't do this if you need help, most professionals only know some frameworks). Php is just fun to rag on because so many weird things and bad decisions from the early days.

@Netux Haha, PHP is also CGI so! :3 Yeah we skipped all the early stuff, only picked up PHP fairly recently. Apparently it's massively improved with 7/8.

@IceWolf@masto.brightfur.net yup, PHP type juggling attacks are an entire rabbit hole... another fun one: your password comparison mechanism very likely has a timing attack embedded somewhere, unless you use a framework or special newer PHP functions built for security

@IceWolf HUH??? oh god does php seriously juggle strings BACK into integers even if both operands are strings

Have you read https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/ ? Also: bad language != (bad design || bad programmer).

@suetanvil PHP isn't an inherently bad language, though. Sure, it's got some wonkiness, every language does. But its good things more than make up for it IMO. I will not stand for PHP hate over here!

I don't know PHP and so can't really critique it but nothing that I've heard about it makes me want to learn it either. There are certainly good reasons to use it but I have none of them.

I don’t know anything about PHP’s ‘type juggling’, but is this something where the md5 function should help by outputting a text/string type that wouldn’t require juggling?

@IceWolf Hi, I have generated those two strings and that exact comparison more than 10 years ago now, and since then I and many other people have generated some more for other algorithms as well, from CRC32 to SHA-256. I keep all of them here https://github.com/spaze/hashes Used the so called magic hashes to discover MD5 (or even plaintext) in sites and places where it shouldn't really be used, like password storage :-)

@IceWolf PHP has always struck me as one of the worst things ever. Not just the worst programming language mind you, but in fact one of the worst things of any kind, ever.

@IceWolf hah yeah. Professionally, this is why we === all the things and have safety rules to find stuff like this. Thankfully, I didn't see too many of these when php'd for a living. Madness!

@IceWolf I first needed to learn/use PHP in 2010 at a small startup. The more experienced dev mentoring me continually referred to it as a Clown Car language.

@IceWolf That's why you don't compare without type safety. If you don't know PHP, you do this with === instead of ==

@IceWolf@masto.brightfur.net this is the kind of bug that should only arise in a toy language written by a twelve year old with no types other than a string

@IceWolf ... am I the only one that looked at that quote text in the image and thought that was a ChatGPT grab just on the face of it? I mean, now that I know it's PHP it still has a kind of horrible fascination, but at least that's of human generation ... :eyeroll:

whoops, have the link: https://www.php.net/manual/en/language.types.string.php#123393
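The behaviour the thread keeps circling back to, shown as an added, runnable example (this is not code from any commenter or from the PHP project): two MD5 digests that both start with `0e` followed only by digits are numeric strings in scientific notation, so `==` compares them as the float zero and reports them equal, while `===` and `hash_equals()` do not. The two inputs are the classic pair catalogued in the spaze/hashes collection linked above; `verify_loose()` and `verify_strict()` are hypothetical names for the vulnerable and fixed check.

```php
<?php
// Added example (not from the thread): PHP loose comparison on "0e..." digests,
// and the strict / constant-time alternatives.

// Two well-known inputs whose MD5 digests are "0e" followed only by digits
// (listed in the spaze/hashes repository referenced in the thread).
$a = md5('240610708'); // "0e462097431906509019562988736854"
$b = md5('QNKCDZO');   // "0e830400451993494058024219903391"

// Both operands are numeric strings, so PHP compares them as floats:
// 0 * 10^462... == 0 * 10^830... -> both are 0.0. This is still true on PHP 8,
// whose comparison changes only affect number-vs-non-numeric-string cases.
var_dump(is_numeric($a), is_numeric($b)); // bool(true) bool(true)
var_dump($a == $b);                       // bool(true)  -- wrong for a digest check

// Strict comparison keeps both sides as strings: no juggling.
var_dump($a === $b);                      // bool(false)

// hash_equals() is byte-wise strict AND constant-time, which also covers the
// timing-attack point raised later in the thread.
var_dump(hash_equals($a, $b));            // bool(false)

// Hypothetical login check, vulnerable form: any input whose digest is a
// "0e..." magic hash passes when the stored digest is itself "0e...".
function verify_loose(string $storedDigest, string $submitted): bool
{
    return $storedDigest == md5($submitted);
}

// Same check, fixed form: strict and constant-time.
function verify_strict(string $storedDigest, string $submitted): bool
{
    return hash_equals($storedDigest, md5($submitted));
}

$stored = md5('240610708');                  // what the database holds
var_dump(verify_loose($stored, 'QNKCDZO'));  // bool(true)  -- wrong input accepted
var_dump(verify_strict($stored, 'QNKCDZO')); // bool(false)
```

Run it with `php example.php` on any PHP 7 or 8 build. The fix for the comparison is `===` or `hash_equals()`; the fix for the storage is not to keep unsalted MD5 of passwords at all, which is what the thread's password_storage remark is about: `password_hash()` / `password_verify()` handle both the hashing and the constant-time comparison, so the juggling question never arises. A quick way to find the risky pattern in an existing code base is to grep for `==` (not `===`) on lines that also mention `md5(`, `sha1(`, `hash(` or a variable named like a token or digest.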