Programming/Scripting Resource

John Van Ostrand john-Da48MpWaEp0CzWx7n4ubxQ at public.gmane.org
Thu Jan 11 15:46:09 UTC 2007


On Thu, 2007-01-11 at 10:34 -0500, John Van Ostrand wrote:

> On Thu, 2007-01-11 at 10:06 -0500, Lennart Sorensen wrote:
> > I like php.  Nice easy to use web programming language.  However
> > security really has been a disaster for it.  For example an article from
> > today:
> 
> > http://www.theregister.co.uk/2007/01/11/php_apps_security/
> > 
> > Rather scary.  Easy to use and not secure by design, means people who
> > don't understand security issues will still be able to make programs
> > that they believe are working just fine.  Bad idea.
> 
> I don't think PHP is the problem. Its popularity combined with sloppy
> coding is the cause of the large number of exploits. The article even
> states this. Perhaps one can say that sloppy web coders choose PHP.
> 
> It would be nice if a language made it easy to program more securely.
> 
> Take one of the common exploits, SQL code injection. A programmer
> displays an HTML form, accepts data from it and uses that data in an SQL
> statement without checking.
> 
> Aside from Perl (with non-default settings), what language helps to
> force the user to clean the data first?


I should have read more deeply into that article. PHP can do a lot more
to be secure and that is evident from the Suhosin project.  There are
far more exposed vulnerabilities than I realized. It looks like Suhosin
has experimental support for SQL code injection problems like what I
mentioned.

-- 
John Van Ostrand
Net Direct Inc.
CTO, co-CEO
564 Weber St. N. Unit 12
Waterloo, ON N2L 5C6
john-Da48MpWaEp0CzWx7n4ubxQ at public.gmane.org
Ph: 519-883-1172 ext.5102
Fx: 519-883-8533
Linux Solutions / IBM Hardware
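As an added illustration, not code from the thread, from PHP or from Suhosin: the injection John describes, form data concatenated straight into an SQL statement, placed beside the prepared-statement form that PDO already offers. It assumes PHP with the pdo_sqlite extension so it runs against an in-memory database; the table, rows and form input are constructed.

```php
<?php
// Added example (not from the mailing-list thread). Runs stand-alone against an
// in-memory SQLite database; requires the pdo_sqlite extension.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
$pdo->exec("INSERT INTO users (name, email) VALUES
            ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Vulnerable: the form value is spliced into the SQL text, so any quote
// characters it contains change the statement the database sees.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name, email FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement ships the value separately from the SQL
// text, so the database only ever treats it as data, whatever it contains.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT name, email FROM users WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed form input: a name nobody has, followed by a quote that closes
// the string literal early in the concatenated version.
$input = "nobody' OR '1'='1";

// The unsafe query matches every user; the prepared one matches nobody,
// which is the only correct answer for a name that does not exist.
printf("unsafe: %d row(s)\n", count(findUserUnsafe($pdo, $input)));
printf("safe:   %d row(s)\n", count(findUserSafe($pdo, $input)));
```

The same separation of SQL text from data is what Perl's taint mode pushes a programmer toward by refusing to use unchecked input in sensitive operations; PDO gives PHP the mechanism but does not force its use.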