This board is begging for RO5.
Rick Murray (539) 13851 posts |
Push the effort onto the user’s browser instead of doing it on the server? Well, there are some things that require server work. Take my blog as an example – default view is the last article. Custom calendar built on the fly with links to each day of entries. On the right (desktop view), the last five entries are listed. And some other stuff, blah blah. Anyway, it’s fairly easy to do this with PHP. Could be possible with JavaScript too if you’re the sort of nutjob web developer that would use jQuery and download megabytes of data in order for the browser to build the same page.
Two observations: 1. PHP is not good or bad. It’s “another web language” with some good points and some bad points. However, the primary cause of hacks (aside from flaws in the implementation of the language that CAN affect any language) is people doing stupid things. Like a script that takes input and tosses commands to the command line without vetting them against a whitelist. Or badly configured PHP that spews loads of sensitive trace information if the script fails (yup – I’ve seen a failure report that was basically “failed to connect to back end with login xyzzy and password xyzzy, error code 1234”!). 2. Your preference for using JavaScript is not making your site safer, it’s simply shifting the security risk onto the users. Loads of sites these days use loads of scripts of unknown origin. I did a check a few years back – how many sites used jQuery. Well, loads of things use jQuery. And you know what? Most of them used their OWN jQuery, and many of them did not diff as equal. As I mentioned above, my default policy for scripting is DENY. If a site doesn’t load for me – say I had gone to Clive’s site on my desktop machine without previously knowing who he is – I would not take the time to work out why the site isn’t working correctly, nor would I turn on scripting on an unknown site. I would simply shrug and close the tab. That’s the thing though. One of the biggest ways of compromising a user’s machine is tainted scripting, tainted Flash, that sort of thing. I absolutely believe that a deny-by-default policy is the only way to go. |
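The two PHP failure modes Rick lists (user input spliced into a shell command, and error output that leaks credentials) side by side with the fixed versions. This is an added illustration, not code from Rick’s site or anyone else’s in the thread; the “ping a host” page, the allowlisted host names and the backend DSN are all assumed for the example.

```php
<?php
// Added example, not from the thread. Assumed scenario: a diagnostic page
// that pings a host named in ?host=... and connects to a backend database.
declare(strict_types=1);

// Hosts the page is permitted to probe (constructed for this example).
const ALLOWED_HOSTS = ['example.com', 'example.net'];

/** Vulnerable: the raw query parameter is spliced into a shell command. */
function ping_unsafe(string $host): string
{
    // ?host=example.com;cat%20/etc/passwd runs both commands as the web user.
    return (string) shell_exec("ping -c 1 " . $host);
}

/** Hardened: allowlist first, and still quote the argument on the way out. */
function ping_safe(string $host): ?string
{
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;   // unknown host: refuse outright, do not try to "clean" it
    }
    // escapeshellarg() is belt-and-braces; the allowlist already did the work.
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// Production error handling. The "login xyzzy and password xyzzy" report Rick
// saw is what an uncaught exception looks like with display_errors on: the
// stack trace prints PDO::__construct()'s arguments, password included.
// php.ini equivalents: display_errors=Off, log_errors=On,
// zend.exception_ignore_args=On (PHP 7.4+; drops arguments from traces).
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('zend.exception_ignore_args', '1');

/** Connect, logging failures server-side and telling the visitor nothing useful. */
function connect_backend(string $dsn, string $user, string $pass): ?PDO
{
    try {
        return new PDO($dsn, $user, $pass);
    } catch (PDOException $e) {
        // The message can include host and DSN details: log only, never echo.
        error_log('backend connect failed: ' . $e->getMessage());
        return null;
    }
}

header('Content-Type: text/plain');
$host = $_GET['host'] ?? '';
$out  = ping_safe($host);
echo $out ?? "host not permitted\n";

// Assumed DSN and credentials; on failure the visitor sees only a generic line.
if (connect_backend('mysql:host=127.0.0.1;dbname=blog', 'blog', 'secret') === null) {
    echo "backend unavailable\n";
}
```

The allowlist, not the quoting, is what makes `ping_safe()` safe: `escapeshellarg()` stops the shell from parsing the string, but it cannot stop `ping` itself from interpreting an argument it was never meant to receive. The `ini_set()` calls belong in `php.ini` on the server; setting them in the script is shown here only so the example is self-contained.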
Rick Murray (539) 13851 posts |
Ditto. My first site design was tested on ArcWeb… [http://www.retro-kit.co.uk/page.cfm/content/Browsing-the-Web-with-ArcWeb/]
Notepad++ on Windows. I don’t use RISC OS for site design as I need WinSCP to get it onto the server. Otherwise I’d probably use Zap.
I learned some basic PHP because I believe that what the user should receive is a nicely formatted compact page. Not a bloated pile of rubbish as seems to be the norm these days. :-( |
Rick Murray (539) 13851 posts |
Indeed, I think Google’s definition of “thinly dispersed or scattered” is better. Thing is, I’m not the OED but I feel that while both words can mean “there’s not much”, sparse implies “not much (and this is normal)” whereas scarce implies “not much (and this is abnormal/inadequate)”. |
Clive Semmens (2335) 3276 posts |
I loved Zap, but don’t currently have a working copy. Where can I get one for my Pi? Sounds like I should learn PHP – at least enough to implement the stuff I currently do with Javascript. Assuming it wouldn’t involve too much rewriting of my whole site? (Which is why I still use frames – I don’t want to contemplate the effort involved in rewriting practically every page of my site…) |
Steffen Huber (91) 1953 posts |
I am really happy to see the usefulness of JavaScript in the browser being still discussed in RISC OS circles. Takes you back right into the 90s. Meanwhile, the rest of the world happily uses JavaScript-heavy sites to put the load where it can be easily handled (the powerful clients), and to provide a user experience that at least resembles desktop applications of the 90s instead of reminding the user of the terminal stuff of the 70s when “submit-response” was king. Criticizing people who in their free time provide free content in ways like
or
is really depressing. |
Clive Semmens (2335) 3276 posts |
I don’t mind Rick’s criticism, Steffen. He’s actually given a helpful suggestion how I can make my site more user-friendly, which – in time – I will almost certainly implement, assuming I don’t find PHP too hard to get my head around. Servage, who host my site, support PHP, so it shouldn’t be too difficult. We’ll see. (I didn’t know about PHP until Rick told me.) |
John Williams (567) 768 posts |
No, but, despite having an icon on my iconbar to toggle JS, I rarely bother to use it, as the JS is so rudimentary it doesn’t normally do anything useful. When I get a fragmented page from a link, I normally give up and go elsewhere. If there’s a polite noscript message telling me I need to use JS, and I am sufficiently motivated, I switch to Linux, as I have to do with Freegle and my various banks. I expect anything to do with RISC OS should just work. I am amazed that Clive was unaware of PHP despite being a very talented programmer, and couldn’t understand his protestations that he “didn’t know how” because even I, a bear of little brain, do know how. It might also be useful to him to be aware of Vince’s WebChange. I was also surprised, like Rick, to learn that the site used frames, something I have always avoided like the plague. So, a happy outcome from my intemperate use of asterisks! PS – and, of course, WebJames for local testing of PHP! |
Clive Semmens (2335) 3276 posts |
I don’t know what gives you that impression. Well, twenty years ago it was probably a reasonably fair description, but up-to-date? No. I’ve added a few tricks as needs have arisen, that’s all. I still don’t know how to achieve the effects I produce using frames without them. If it’s not too difficult, I’m perfectly willing to learn. I don’t think I’m a bear of very little brain, but I am an elderly bear… |
James Wheeler (3283) 344 posts |
For the record, I hate jQuery and implying I use it for developing is worse than calling me a hipster. xD
I’m going to say it, you’re wrong. It is bad. Although it is possible to create secure PHP sites, and I agree some bad developers make silly mistakes, PHP is bad because it is extremely difficult to script securely and because Zend seem to always have bugs in the interpreters, forcing you to constantly update more than normal and keep breaking your site. This is what I call terrible.
It is actually, and no, I don’t use third-party scripts (although I’m not necessarily opposed), nor scripts hosted on other sites. I never use JS to be honest, but between PHP or JS on a live site, I would always use JS.
That is a good idea. Although JS on sites is secure for me (as a web dev), it isn’t for the clients if they have JS enabled and they occasionally browse dodgy sites. I am an old school web developer, so the website is fully functioning without JS. If I add JS, it is just a layer on top of the markup, but I always make sure the site works with or without. (Obviously without would be missing some features, but still usable.)
I so agree and that really bugs me about modern web developers. Some pages are 20Meg! That’s ridiculous!
Or you could use nodejs and build on your JS knowledge but still do things server-side. |
Steve Pampling (1551) 8172 posts |
I have had a severely limited knowledge of fashionable things for over 4 decades, but when people say “hipster” I’m thinking some kind of denim jeans or a style of ladies’ underwear. Size of sites? Oh, a nice one I crashed on (multiple times) while trying to get Safari on an iPhone 4 to render the page. Now you’d think the type of place that you’d check while mobile would have a site that didn’t have silly render times. It is nice, the views are great, the beer is decent and the food is decent too. |
James Wheeler (3283) 344 posts |
That’s ridiculous. It takes the same time to load with images enabled or disabled.
It’s more of a sub-culture than a fashion. Like punk, emo, grunger, goth etc… It’s more than fashion |
Rick Murray (539) 13851 posts |
Mine’s written as a static HTML page, which is assembled by the PHP scripting into what you see should you visit. There’s the preamble (the base structure and title), the content is inserted, and then the postamble (is that even a word?) is pasted on to the end with some content generated dynamically. I don’t need to do anything when I add a new article other than place it on the server. There are other dynamic things, such as the bottom copyright year matching the year of the article being written. And the best bit? No work whatsoever on the client side, other than just rendering the content received.
I’m going to say it, you’re wrong. :-) You need to understand that there is no such thing as absolute perfect security. Languages, runtimes, the operating system itself – they are now massive projects with insane amounts of source code. There WILL be bugs. Face it – everything has bugs and flaws. The only sensible way is to run what you like using, and keep it updated.
Hmm… I started with PHP3 and I have only suffered three breakages. The first was around PHP3→4 or 4→5 when the behaviour of auto-creating variables from parameters passed in the URL was abandoned.
There is quite the history of legitimate advertisers serving up malware, and legitimate sites being compromised. It is actually quite bogus to make assumptions regarding “dodgy sites”. You are almost certainly going to exercise the antivirus if you go to dodgy sites, but sticking to clean sites is not a guarantee of health.
It’s often taken as a derogatory slang for people that buy into the Apple ethos to the degree of wanting to wear turtleneck jumpers, have their coffee served by a barista and of course it carries a ridiculous name like mocha-lattè-double-shot-frappucino in a grandissimaximo cup.
No. Far too many sites don’t even attempt to deal with mobile devices. Maybe their webdevs think it is still WAP or something? ;-) Actually, it’s really easy to crash Safari. Just go to the Daily Mail after any act of terrorism or other disaster. Instead of using words to describe what happened, there will be an endless stream of images, most of them alike. Doesn’t take long for Safari to wet itself trying to render that. Their web design is clearly as competent as their journalism… |
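The preamble/content/postamble assembly Rick describes, as an added example (not Rick’s actual scripts): one file per article dropped on the server, newest shown by default, last five listed, copyright year taken from the article rather than the clock. It also reads the article parameter explicitly rather than relying on the auto-created URL variables whose removal Rick mentions as a PHP 3/4-era breakage. The directory layout, the `?a=` parameter and the date-shaped article ids are assumptions made for this example.

```php
<?php
// Added example, not from the thread. Assumed layout:
//   articles/2024-05-01.html           (one file per entry, named by date)
//   templates/preamble.html, templates/postamble.html
// Request: ?a=2024-05-01 (defaults to the newest entry when absent).
declare(strict_types=1);

const ARTICLE_DIR = __DIR__ . '/articles';

// Read the parameter explicitly. Old register_globals-style code relied on
// $a being auto-created from the URL, which also let a visitor pre-set any
// uninitialised variable in the script; that behaviour is gone and good riddance.
$requested = $_GET['a'] ?? null;

/** Article ids (file names without .html), newest first. */
function list_articles(string $dir): array
{
    $ids = [];
    foreach (glob($dir . '/*.html') ?: [] as $path) {
        $ids[] = basename($path, '.html');
    }
    rsort($ids, SORT_STRING);   // ids are YYYY-MM-DD, so string order is date order
    return $ids;
}

/** Map an id to a file, refusing traversal ("../", NUL bytes, absolute paths). */
function article_path(string $dir, string $id): ?string
{
    // Allowlist the shape first: anything that is not a date is not an article.
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $id)) {
        return null;
    }
    $path = realpath($dir . '/' . $id . '.html');
    // realpath() resolves symlinks and "..", so confirm the result is still inside $dir.
    if ($path === false || strpos($path, realpath($dir) . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$ids  = list_articles(ARTICLE_DIR);
$id   = $requested ?? ($ids[0] ?? null);
$path = $id === null ? null : article_path(ARTICLE_DIR, $id);

if ($path === null) {
    http_response_code(404);
    exit('No such article');
}

$h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');

// Preamble: base structure and title.
echo file_get_contents(__DIR__ . '/templates/preamble.html');
echo '<h1>Entry for ' . $h($id) . "</h1>\n";

// Content: the article file is author-supplied, so it is emitted as-is.
readfile($path);

// Postamble: last five entries, and a copyright year matching the article's date.
echo "<aside><ul>\n";
foreach (array_slice($ids, 0, 5) as $recent) {
    echo '<li><a href="?a=' . $h($recent) . '">' . $h($recent) . "</a></li>\n";
}
echo "</ul></aside>\n";
echo '<footer>&copy; ' . $h(substr($id, 0, 4)) . "</footer>\n";
echo file_get_contents(__DIR__ . '/templates/postamble.html');
```

Everything the visitor can influence is the single `a` parameter, and it is checked twice: the regular expression rejects anything that is not date-shaped, and the `realpath()` comparison catches the case where the articles directory itself contains a symlink pointing elsewhere. The browser receives finished HTML and has nothing to execute.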
James Wheeler (3283) 344 posts |
I think you’re misunderstanding me Rick |
Steve Pampling (1551) 8172 posts |
That sentence is too long, but I can help… |
Rick Murray (539) 13851 posts |
Likewise. Pick a language, any language. There will be security vulnerabilities. https://blog.risingstack.com/controlling-node-js-security-risk-npm-dependencies/ And, of course, there’s stuff like this https://geekflare.com/nodejs-security-scanner/ because it is possible to write crap buggy code with flaws, in any language. :-) Of course, if you’re looking for lightweight and responsive, you’ll be wanting Go, right? ;-) Long story short, we have our preferences, use ’em. Now, of course, we probably ought to be arguing Zap or StrongEd. PMT or CMT. And, uh…. SD or USB? |
James Wheeler (3283) 344 posts |
Of course I know this. PHP’s risks are unreasonably high. I don’t recall saying there is a perfect language, so I don’t get your point. In fact I did touch on why PHP is an unacceptable risk imo.
Never said nodejs is secure either. I do think it’s a better option than PHP, though. I also prefer not to use dynamically generated pages. Cuts down on overhead and is more secure. Why would I do that if I thought a perfect language exists?
Personally I find C faster.
It’s not the same thing. PHP is like a 1 lever deadlock, when any sensible person should be using at least a 5 lever. You can secure PHP, but I’d have to write an entire technical paper to explain how. It’s a real nuisance and I’m not surprised RO sites drop left, right and centre from trying to avoid malware and defacing script kiddies if PHP is your “preference.”
Vi, Zulu and SAS. xD |
John Williams (567) 768 posts |
Which sites are these of which you speak? |
James Wheeler (3283) 344 posts |
This and Piccolo immediately come to mind. I don’t know if they used PHP or not, but it does highlight how naive a lot of people in the RO community are concerning online security. This has also been my impression since joining the forums. I feel like there are more examples, but I can’t remember them. I have a terrible memory and I also don’t have any interest in keeping a log. |
Steve Fryatt (216) 2105 posts |
Well, just within the short time that James has been around, we’ve had this and this — that’s not bad going in a couple of months… |
James Wheeler (3283) 344 posts |
Although within a small community, that’s quite high, especially in such a small timeframe. In a big community, 2 security breaches is the higher end of “normal” or the expected amount of breaches for the year. A website that is breached once a year is bad, however. Or a website being breached more than once isn’t that normal either (unless several years are between breaches, then it could be a coincidence). |
Clive Semmens (2335) 3276 posts |
I’ve been having a good look at PHP. It would indeed be very easy to move everything I do with Javascript onto server side with PHP. There’s an obvious possible security hole in the straightforward implementation using So far, I’m less convinced of the ease or benefit of getting rid of frames, but I’m willing to be persuaded. |
Vince M Hudd (116) 534 posts |
I was under the distinct impression that Martin developed and maintained RISCOScode in bog standard HTML, not PHP. |
Steve Fryatt (216) 2105 posts |
Um, yes. Apologies. There probably should have been a big “sarcasm” flag after that to make the meaning clear. |
Steve Fryatt (216) 2105 posts |
If it was in bog standard HTML, then “My father who ran the site had a lot of trouble keeping it secure” from here is a little puzzling. I don’t know if PHP was used (and whether it affected the Piccolo site, either), but was simply responding to John’s assertion that no sites had encountered security issues recently. |
Rick Murray (539) 13851 posts |
There are many ways into a site, and once an attacker has root privilege, the box is theirs. My site was compromised a few years back…maybe 2010 or so? As far as I could work out, it was a security flaw either in another site or NetBSD itself. Since it was running several sites as virtual hosting (not uncommon, my current server is running numerous other sites), once admin level rights had been secured, the filesystem was wide open and all of the sites got a nasty little iframe inserted into every page of HTML… This goes back to what I said time and again. There is no such thing as absolute security, we just need to try our best and hope fixes turn up faster than the zero-days. |
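Rick’s compromise (an iframe silently inserted into every HTML page on a shared host) is the kind of change a site owner can catch quickly if a known-good fingerprint of the site exists. The script below is an added example, not anything Rick ran: it records a SHA-256 manifest of the web root while the site is clean, later reports files that are new, changed or missing, and independently flags `<iframe>` or `<script src>` tags that point at hosts other than the site’s own. The paths, the trusted host name and the file layout are assumptions for the example.

```php
<?php
// Added example, not from the thread. Usage (assumed paths):
//   php check.php build    # while the site is known-good: write the manifest
//   php check.php verify   # later, or from cron: report differences (exit 1)
declare(strict_types=1);

const WEB_ROOT      = __DIR__ . '/public';
const MANIFEST      = __DIR__ . '/manifest.sha256.json';
const TRUSTED_HOSTS = ['www.example.org'];   // the site's own host(s), assumed

/** Hash every .html/.htm/.php file under $root, keyed by relative path. */
function hash_tree(string $root): array
{
    $hashes = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (preg_match('/\.(html?|php)$/i', $file->getFilename())) {
            $rel = substr($file->getPathname(), strlen($root) + 1);
            $hashes[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($hashes);
    return $hashes;
}

/** Hosts referenced by iframe/script src attributes that are not on the trusted list. */
function foreign_embeds(string $html, array $trusted): array
{
    $found = [];
    // Deliberately loose: injected tags tend to use odd case, spacing and no quotes.
    $re = '/<(?:iframe|script)\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)/i';
    if (preg_match_all($re, $html, $m)) {
        foreach ($m[1] as $src) {
            $host = parse_url($src, PHP_URL_HOST);   // handles //host/... as well
            if (is_string($host) && !in_array(strtolower($host), $trusted, true)) {
                $found[] = strtolower($host);
            }
        }
    }
    return array_values(array_unique($found));
}

$mode = $argv[1] ?? 'verify';
if ($mode === 'build') {
    file_put_contents(MANIFEST, json_encode(hash_tree(WEB_ROOT), JSON_PRETTY_PRINT));
    exit("manifest written\n");
}

$expected = json_decode((string) @file_get_contents(MANIFEST), true) ?? [];
$actual   = hash_tree(WEB_ROOT);
$problems = 0;

foreach ($actual as $rel => $sha) {
    if (!isset($expected[$rel])) {
        echo "NEW      $rel\n"; $problems++;
    } elseif ($expected[$rel] !== $sha) {
        echo "CHANGED  $rel\n"; $problems++;
    }
    $html = (string) file_get_contents(WEB_ROOT . '/' . $rel);
    foreach (foreign_embeds($html, TRUSTED_HOSTS) as $host) {
        echo "EMBED    $rel -> $host\n"; $problems++;
    }
}
foreach (array_diff_key($expected, $actual) as $rel => $_) {
    echo "MISSING  $rel\n"; $problems++;
}
exit($problems === 0 ? 0 : 1);
```

The caveat follows directly from Rick’s point about root: an attacker with admin rights on the box can rewrite the manifest as easily as the pages, so keep the manifest (or a copy of it) off the server, or run the verify step from a separate machine over a read-only copy of the web root. The embed check is a second, independent signal for exactly that situation, since it needs no baseline at all.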