Things PHP is best for, and things it's not so good at

07-12-2007, 06:37 AM
Many users here wonder about PHP coding of things that they want to do with PHP, and sometimes PHP scripting is not a good way to go. Although the alternative to PHP, or the 'user side' of the code, is JavaScript, if you use J (J as JavaScript) in your code, whether to check for a password or for validation, it can sometimes result in a total mess if the user disallows J on your website (that can be done with any browser). The worst thing that a user can do is to even check for passwords with J, and if the user turned it off they can access your website easily (OK, that's extreme, but it can happen).

So, what things are best to do with PHP, like authorization, loading from a database, checking for variables and stuff that can sometimes be disabled (like vBulletin smiley insertion) with J off?

How far can you go with server-side coding, so that users that have J turned off can still browse your site with ease?!

PHP is for thinkers; maybe if you know everything before you make one step forward with PHP, that can make your life much easier (like inserting smileys in forms), but J is there to make your life easier, and it's a real shame that it can be disabled. Of course that's because it can be used maliciously, but why is J so dangerous?!

J is executed in the user's RAM, and therefore (even with limitations) can be used, and is used, for malicious attacks (cookie settings, password gathering, and stuff like that).

Does that problem go so far that it means that today's browsers are just not secure enough for J, and SS coding like PHP is the only secure way to go (if you code properly), or that users and even programmers just ignore that major security hole that exists between user-side and server-side communication?

Is there a way to stop that madness?! Where do we start from if that's possible: browsers, OS's or just the plain and hardest thing to do, user education?

Thanks for any answer, if there will be any.
(If mods move this topic elsewhere or delete it :) )

07-12-2007, 01:22 PM
Ideally you do everything server-side and use JavaScript to supplement the user experience where possible. I don't think you should ever use JavaScript for authentication.

So you either assume no JavaScript or enforce the use of JavaScript.
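
The approach recommended in the reply above, sketched in PHP as an added example that is not part of the thread: the server re-validates the input and verifies the password itself, so the result is the same whether or not any JavaScript ran in the browser. The names `handle_login`, `$users` and the `js_validated` field are hypothetical, and the user store and requests are constructed sample data.

```php
<?php
// Added example, not from the thread. handle_login, $users and the
// js_validated field are hypothetical names chosen for illustration.
declare(strict_types=1);

// Constructed user store; a real site would load the hash from its database.
$users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];

/**
 * Decide a login purely from server-side checks.
 * $post stands in for $_POST; nothing in it is trusted, including any
 * flag a client-side script claims to have set.
 */
function handle_login(array $post, array $users): array
{
    $name = is_string($post['username'] ?? null) ? trim($post['username']) : '';
    $pass = is_string($post['password'] ?? null) ? $post['password'] : '';
    $fail = ['ok' => false, 'error' => 'Invalid username or password.'];

    // Re-validate on the server even if the browser's JavaScript already did:
    // with scripting off (or a hand-built request) that check never ran.
    if (!preg_match('/^[a-z0-9_]{3,32}$/i', $name) || $pass === '') {
        return $fail;
    }

    // Verify against the stored hash. Unknown users are checked against a
    // dummy hash so both paths do comparable work.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $key   = strtolower($name);
    $known = isset($users[$key]);
    $valid = password_verify($pass, $known ? $users[$key] : $dummy) && $known;

    // On success a real page would also call session_regenerate_id(true).
    return $valid ? ['ok' => true, 'user' => $key] : $fail;
}

// Constructed requests: a normal login, one that only claims the client-side
// check passed, and a malformed one sent without any JavaScript validation.
$requests = [
    ['username' => 'alice', 'password' => 'correct horse battery'],
    ['username' => 'alice', 'password' => 'guess', 'js_validated' => '1'],
    ['username' => '<script>', 'password' => 'x'],
];
foreach ($requests as $r) {
    echo json_encode(handle_login($r, $users)), PHP_EOL;
}
```

Run from the command line, only the first request is accepted; the `js_validated` flag has no effect because the handler never reads it.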