On Sat, Jul 26, 2003 at 05:13:28PM -0500, Nick Reinking wrote:
On Sun, Jul 27, 2003 at 12:07:39AM +0200, Tomasz Wegrzanowski wrote:
On Sat, Jul 26, 2003 at 05:00:50PM -0500, Nick Reinking wrote:
I think we would be better off cleaning up the admittedly messy PHP code and possibly adding in my C parser (if I ever get around to getting the ugly list syntax working).
If someone doesn't understand this yet: NO C CODE SHOULD BE USED ON WIKIPEDIA EVER
It's suicidally insecure.
That's ridiculous - just because C can be insecure doesn't mean it has to be. We rely on PHP every day, which, surprise surprise, is written in C. What do you think PHP is? It's just a C program that interprets specially formatted HTML and runs a bunch of internal C functions. As such, it is just as susceptible to buffer overflows and what-not as any custom-written C code that we might write.
Many people thought they were wise enough not to make any such mistake, and they have all been proven wrong. Even such security paranoids as the OpenBSD people.
We are using C code all the time, but this code has been checked by thousands of people, and despite this, stack and heap overflows are being found in it all the time.
The risk is too high, and the benefit is too small.
Anyway, lex and yacc are available for almost all languages; that's no excuse for using C.