
Why would you say that? What does C offer as a language that makes it more secure in your mind than php?


It's not so much the language itself that is the issue, as both C and PHP weren't made with safety in mind; it's the kind of programmers that the language encourages.

IMHO, C's well-defined semantics make it simpler to master. PHP is an easy language to get stuff done in, but a pretty hard one to master, I would say possibly harder than C. E.g. very few people actually make no mistakes about the behavior of the == operator... (http://habnab.it/php-table.html)

C is safer in the sense that it filters out the incompetent better than most languages; people who don't have a decent understanding of it are unlikely to produce something that doesn't crash fast, if it even compiles.

PHP permits anyone to be somewhat productive; that's good in some cases, but in most cases you want someone who understands what he's doing...


So nothing about the language itself?

C certainly doesn't filter out incompetent developers at all. The fact that it is less popular means it is naturally filtered out these days with most people who work with it being older but there are plenty of incompetent C developers building internal software all over the world even today. I mean if you checked any internal codebase written in C today you're likely to still find multiple places where the developer has shot themselves in the foot over memory management. It wasn't that long ago that people were speaking the same way about C programmers because of all the exploits/simple bugs years after STSFFAP was released.

>PHP permits anyone to be somewhat productive, that's good in some cases, but in most cases you want someone who understand what he's doing...

In most cases you don't have a choice so it doesn't matter which language you give them.


> I mean if you checked any internal codebase written in C today you're likely to still find multiple places where the developer has shot themselves in the foot over memory management.

This is absolutely nothing compared to the incredible stuff you can see auditing the average PHP code base... Most PHP programmers don't understand all the implicit conversions taking place, and that's a source of many bugs. I can't really blame them as many of them make no sense whatsoever. PHP is a really hard language to master, and most people that put the effort actually start to see PHP for what it is and go to a less insane language...


I've seen it. I used to develop PHP full time between 6-9 or 10 years ago. I developed C full time 12-14 years ago. I'm not trying to say PHP is a great language here and I avoid it completely these days. I'm saying PHP the language has nothing to do with this type of security issue and the language itself isn't going to be more insecure than any alternative. The same developer building WordPress in C is still going to allow for uploading any file in an executable way since they want to enable people to upload plugins from the interface.


There are no systems to my knowledge where the server will compile and execute a .c file from a directory when accessed.

Yet that seems to be the default configuration for many PHP installations unless you specifically guard against it. A common PHP vulnerability is just the user uploading a PHP file and then accessing it.


This is what I mean with knowing what risks your application / framework / language will bring and mitigating them accordingly.

(edited for clarity)


So you're saying the issue isn't with the php it is with all interpreted languages? Then compile your php before upload.

>A common PHP vulnerability is just the user uploading a php file and then accessing it.

A common PHP vulnerability is allowing uploads to a folder where code is allowed to be executed. That isn't a fault with the language but with lazy developers and admins.
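The mitigation the last two comments describe, as an added example (not code from the thread): uploads go to a directory the web server never executes from, under a server-generated name, and are only streamed back through the application. UPLOAD_DIR, the allow-list and the size limit are assumptions.

```php
<?php
// Added example, not code from the thread: an upload handler that never stores
// user files anywhere the web server could execute them. It assumes UPLOAD_DIR
// lies outside the document root (constructed path) and that files are only
// served back through serve_upload(), never by a direct URL.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumed: outside the web root
const ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'pdf' => 'application/pdf'];
const MAX_BYTES = 5 * 1024 * 1024;

function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected');
    }
    // The client-supplied name is untrusted: use its extension only to select
    // an allow-list entry, never as part of the stored path.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('type not allowed');
    }
    // Sniff the real content; $file['type'] is sent by the client and means nothing.
    if ((new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']) !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Server-generated name: no user input, no separators, no double extensions.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    // move_uploaded_file() only moves files uploaded in this request.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // readable by the app user, never executable
    return $name;
}
// Stream a stored file back with a fixed Content-Type, so neither the web
// server nor the browser ever treats it as a script.
function serve_upload(string $name): void
{
    if (!preg_match('/^[a-f0-9]{32}\.([a-z0-9]+)$/', $name, $m) || !isset(ALLOWED[$m[1]])
        || !is_file($path = UPLOAD_DIR . '/' . $name)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED[$m[1]]);
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

Even with this handler in place, the web server config should still deny script execution under any directory that users can write to, so a misconfiguration in one layer is caught by the other.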



