Programming/Scripting Resource
Andrej Marjan
amarjan-e+AXbWqSrlAAvxtiuMwx3w at public.gmane.org
Thu Jan 11 16:31:42 UTC 2007
John Van Ostrand wrote:
> I should have read more deeply into that article. PHP can do a lot
> more to be secure and that is evident from the Suhosin project. There
> are far more exposed vulnerabilities than I realized. It looks like
> Suhosin has experimental support for SQL code injection problems like
> what I mentioned.
Indeed, PHP is a security nightmare -- it requires a fair amount of
skill and experience in the programmer to overcome the many security
design defects in the language. The language's human factors are
optimized to getting something working quickly, and *against* getting
something working securely.
That's why it's a horrible first programming language: it teaches
terrible practices, but it allows the newbie to build something
*useful*, so the newbie becomes highly resistant to learning how to do
things *right*. After all, the app works, doesn't it? Never mind that
the app compromises the newbie's data, the server the app runs on, and
the Internet at large (much like the unsecured Windows machine the
newbie uses).
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
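To make concrete the SQL injection problem John mentions and the "it works, doesn't it?" point above, here is an added example; it is not code from the original post or from the Suhosin project. It assumes PHP 7 or later with the pdo_sqlite extension, and the users table, its rows, and the attacker string are all constructed here. The first function is the string-interpolated query that the tutorials of the day showed; the second uses a prepared statement, which keeps the attacker's quotes out of the SQL parser.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 7 with pdo_sqlite.
// The table, rows and attacker input below are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$db->exec("INSERT INTO users (name, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// The "it works" version: user input is interpolated straight into the SQL.
// The same pattern with mysql_query() was the norm in 2007; that extension
// is gone since PHP 7, but PDO without placeholders is just as exposed.
function login_vulnerable(PDO $db, string $name, string $password): array
{
    $sql = "SELECT name FROM users WHERE name = '$name' AND password = '$password'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The hardened version: a prepared statement with bound parameters. Data is
// sent separately from the SQL text, so quotes in $name are never syntax.
function login_prepared(PDO $db, string $name, string $password): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = ? AND password = ?');
    $stmt->execute([$name, $password]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input: closes the string literal, adds an always-true
// clause, and comments out the password check with SQLite's "--" comment.
$attackerName = "' OR '1'='1' -- ";
$anyPassword  = 'wrong';

// Legitimate credentials work either way.
var_dump(login_vulnerable($db, 'alice', 's3cret'));   // ["alice"]
var_dump(login_prepared($db, 'alice', 's3cret'));     // ["alice"]

// The interpolated query is bypassed: every user is returned without a password.
var_dump(login_vulnerable($db, $attackerName, $anyPassword)); // ["alice", "bob"]

// The prepared statement looks for a user literally named "' OR '1'='1' -- ".
var_dump(login_prepared($db, $attackerName, $anyPassword));   // []
```

Both versions "work" for the happy path, which is exactly why the vulnerable one survives into production; only the second one is correct. Note that escaping functions such as addslashes() are not a substitute for placeholders, since they depend on the connection's character set and on the author remembering to call them at every site.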