Comments on: News Wire: PHP Group accused of security incompetence

By: cranial-bore

cranial-bore — Tue, 27 Feb 2007 23:56:20 +0000

The downside to me was that your site (files you manage) are split up, with some out of your direct control. If you wanted to regroup certain scripts into a single file (depending on your usage patterns) you wouldn’t be able to do it.

If you wanted to (for example) make some scripts .php files served as JS to compress you wouldn’t be able to do it.

You may want to make trivial changes (e.g setting up shortcuts to the long YUI names) to the library files.

You have another point of failure. Your site may be online, but the JS that powers it offline (unlikely though).

If your site hard-links to specific JS files (admittedly not a good idea) and you want to utilize new versions you’d have a lot of links to change.

These are not insurmountable issues. Mostly I like the psychology of having the site in one place. For concurrent connections you can always setup a subdomain on your own server and load the JS files via it. Still have to supply your own bandwidth though :)

By: Kevin Yank

Kevin Yank — Tue, 27 Feb 2007 23:34:37 +0000

What is the benefit to having your Javascript hosted remotely? I can only think of downsides.

The benefit is that your site uses less bandwidth on your server, and most browsers will be able to load your site more quickly (most browsers will only download 2-4 files from a particular server at once).

What downsides can you think of?

By: cranial-bore

cranial-bore — Tue, 27 Feb 2007 23:17:53 +0000

What is the benefit to having your Javascript hosted remotely? I can only think of downsides.

By: jamiemcd

jamiemcd — Sun, 25 Feb 2007 16:42:09 +0000

I use YUI. It’s a great javascript library. However I noticed an important comment on the Free Hosting of YUI Files from Yahoo! discussion. If your site is secure, such as https://www.example.com, you need to continue hosting your own YUI files, since Yahoo! does not offer secure hosting. I ran into this same problem with including the javascript files needed for Google Analtyics. I would get a security warning on any pages using SSL. Fortunately, Google did offer secure hosting of those javascript files, as described here.

By: Xenon_54

Xenon_54 — Sat, 24 Feb 2007 07:15:18 +0000

@Rick

Month of PHP bugs will be about bugs into PHP itself, not users’ applications.

By: Rick

Rick — Fri, 23 Feb 2007 20:17:52 +0000

The month of PHP bugs idea does sound alot like a publicity stunt.

PHP does make it easy to write insecure code, but then again I used to write web apps in ASP and VBScript, I think the amount of time I spent compensating for security is about equivalent.

All networked applications have the potential for massive security cockups (cough cough windows) especially if they are connected to the public internet, it just happens that PHP makes it very easy for developers who may never have heard of XSS and Code Injection develop applications.

Things like magic_quotes_gpc prove that attempts to nanny users by taking responsibiltiy for security away from them always turn sour - they reduce flexibility and more importantly can’t hope to gaurentee security in all situations.

I don’t think its fair to blame PHP for allowing developers to write insecure applications, just as I wouldn’t argue that you can blame C++ for allowing developers to write applications with memory leaks!

By: Ards

Ards — Fri, 23 Feb 2007 16:27:45 +0000

Just hope Stefan Esser will make the right choice to help the PHP community instead of going against it for the “Month of PHP bugs”. I also think that it’s a self propaganda…