Learning PHP?

[willy_ph]

Simple. Where's a good starting place to begin learning PHP? I code everything in notepad, so no need for any fancy programs that will do it for me.

I'm looking mainly for sites that I can pick info up.

[vass0922]

the links i usually point towards are www.devguru.com and www.programmersheaven.com ... I'm guessing they'd have something on PHP as well...

You could also check out the TechIMO links there maybe some sites there

[tobu]

i elarnt of php.net

[ctaylor]

here are some excerpts from e-mails I have received. I'm not saying "don't learn PHP. What I am saying is that some security professionals I am aquainted with seem to think there are innate problems with the design of the language.

<quote>
Call me "chicken little", but I am getting worried about the looming
Apache/PHP vulnerability out there:

http://news.com.com/2100-1001-850752.html?tag=cd_mh
http://security.e-matters.de/advisories/012002.html
http://www.cert.org/advisories/CA-2002-05.html

If you have a webserver on the internet with PHP I encourage you to
patch it NOW.

If the estimate of 1 million vulnerable php servers is correct, then
as soon as someone creates a worm program that can get a shell on a
vulnerable machine then all 1 million servers will be infected in
about 2 hours (assuming one machine can try to infect 10 random IP's/sec).

That would be worse than code red and a huge blow to Apache & OSS. :-(

I hope I turn out to be chicken little...

</quote>





which was followed by this

<quote>
>> I'll go one better than that. If you use PHP, STOP. They have
> > security bulletins released about once a week, it seems (o.k. I'm
> > exaggerating A LITTLE). About the only "vendor" with more frequent
> > releases is Microsoft...
>
> Eh, I don't buy that. Please back it up with some references.

Ok, I'll back down partially in that upon review, many of the
advisories I've seen I've mis-remembered; they were not actually PHP
advisories, but for software written in PHP. However, just this year:

http://online.securityfocus.com/archive/1/258995
http://online.securityfocus.com/archive/1/258662
http://online.securityfocus.com/archive/1/255037
http://online.securityfocus.com/archive/1/254846
http://online.securityfocus.com/archive/1/254005
http://online.securityfocus.com/archive/1/250196

Some of these are considered fairly minor, in that the vulnerability
is a possible exposure of what may be considered sensitive info. Some
of these are things that can be fixed by altering the configuration of
PHP. The problem is that it shows a pattern of failing to think
about programming security issues.

There are also some earlier advisories which complain about the design
of PHP encouraging the development of insecure code. It seems that
writing secure PHP scripts is also very difficult, and there are quite
number of advisories for software written in PHP, which are not
necessarily the fault of PHP, but perhaps encouraged by the design of
PHP.

I stand by what I said: if you're using PHP, it is my opinion that
you're better off from a security standpoint using something else.
You have to worry about security problems in the software written
using PHP, as well as those of PHP itself. For example, Perl has zero
reported vulnerabilities over the same period of time, and only one
report of a vulnerability in software written in it (a file disclosure
bug caused by bad input validation). I personally don't feel that PHP
has a track record that warrants confidence in the security of your
web server, and possibly your network depending on other trust
relationships with your web server. Better, mmore proven alternatives
exist.
</quote>

[ctaylor]

on the lighter side of things: here is a cute story

http://bbspot.com/News/2000/6/php_suspend.html

(it's satire, but does have a link to php.net and they have a new CHM version of their PHP tutorial available for download)

[ctaylor]

Now having posted the previous thread, I thought I should also post an excerpt from the most recent e-mail I have received on this topic. I have never played with PHP myself so I cannot make any rational judgment calls on the merit of learning PHP other than to say "the more you know, the more you know" if that has any correlation to actually DOING the things in life you want to do, go for it.


<quote>
OK, does anyone else see this? Paul and Ben are saying exactly the
same thing: It's a matter of bad programming, not a bad programming
language. Now, the truly amazing thing is that Paul and Ben
actually agree on something. The slightly less astounding fact
is that they are *STILL* arguing, despite the fact that they
agree...

Anywho.... PHP, like Perl, like C, like any other language will
have security holes as long as people write sloppy code. It is
a fact of nature. Yes, PHP has some problems. However, those
problems aren't an issue until someone goes and does something
stupid like write bad code that leaves the hole vulnerable. The
same is true for Perl (see http://www.coconut-palm-software.com...-security.html).
A great example is "Matt's Script Archive". Great programs. *BAAAAD*
programming. There are all sorts of holes in most of the Perl scripts
found there. This is why there are 200 Perl-related vulnerability
checks in Nessus.

There is no such thing as a "secure" language. The language of and
by itself does nothing. It is not secure or insecure. It is the
person writing the code. Thus buffer overflows, stack-smashing,
elevated rights, etc.
</quote>

[storm2k]

i don't think php should be knocked down because like ctaylor said, it will have it's security holes like any other language, or program. windows has em, linux has em (i find on the redhat network site that my system falls out of date rather quickly these days), everything has them. it's impossible to make a perfectly secure language or system, because there are always those out there looking to exploit any hole that might exist.

[willy_ph]

I have to agree with Voogru. I've only been at this a day and already I can see how much more useful this language is compared to straight HTMl with javascript.

So much easier too. No need for frames when you can just you the include() function.

thsoo thsexy!!!

[willy_ph]

I guess I have to learn how to implement MySQL database functions into my code now.

So much easier than straight HTML code once you're used to it. if there's anyone out there that is starting to get stressed with the limitations of HTML, PHP is the way to go!

[ctaylor]

Willy_PH - glad to hear of your success. Enjoy the learning journey every step of the way!

[MDdan]

The dark side of PHP use:

http://www.bbspot.com/News/2000/6/php_suspend.html

[Praetorian]

Include rocks! I've cut down on the sizes of my pages by just using that command instead of having a header or footer static on every page. I'm learnnin' more and more about PHP with some help from Voogru here and its rather fun.

MDdan: haha! I found that site a while ago and read that one. Poor kid.