Programming/Scripting Resource
Lennart Sorensen
lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Thu Jan 11 22:50:06 UTC 2007
On Thu, Jan 11, 2007 at 10:34:43AM -0500, John Van Ostrand wrote:
> I don't think PHP is the problem. Its popularity combined with sloppy
> coding is the cause of the large number of exploits. The article even
> states this. Perhaps one can say that sloppy web coders choose PHP.
Being able to include() a url is just nuts. That should not be possible
by default, since a lot of programs have been exploited by being able
to specify which file to include, and as a result being able to make the
program execute code from another site entirely.
> It would be nice if a language made it easy to program more securely.
>
> Take one of the common exploits, SQL code injection. A programmer
> displays an HTML form, accepts data from it and uses that data in an SQL
> statement without checking.
>
> Aside from Perl (with non-default settings), what language helps to
> force the user to clean the data first?
Not very many unfortunately.
--
Len Sorensen
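As an added illustration of the two problems raised in this exchange (not code from the thread or its authors), the PHP sketch below puts the string-built query that invites injection next to a parameterised one, and guards an include() with a fixed allow-list instead of trusting the request value; the table name, column names, page paths and SQLite DSN are placeholders chosen for the demo.

```php
<?php
// Added example, not from the thread. Table/column names, page paths and DSN are placeholders.

// 1. SQL injection: the unchecked form value is spliced straight into the query text.
function findUserUnsafe(PDO $db, string $nameFromForm): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $nameFromForm . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);   // form data is parsed as SQL
}

// Hardened: a prepared statement ships the value separately from the SQL text,
// so the database only ever treats the form data as a literal.
function findUserSafe(PDO $db, string $nameFromForm): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $nameFromForm]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. include() of request-controlled paths: map the request value through a fixed
// allow-list of local files and never hand the raw string to include().
// Setting allow_url_include=Off (and allow_url_fopen=Off) in php.ini additionally
// stops include() from fetching anything over a URL at all.
function loadPage(string $requested): void
{
    $pages = [
        'home'    => __DIR__ . '/pages/home.php',     // placeholder paths
        'contact' => __DIR__ . '/pages/contact.php',
    ];
    if (!array_key_exists($requested, $pages)) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    include $pages[$requested];
}

// Constructed demo data: an in-memory SQLite database with one row.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice')");

$input = "alice' OR '1'='1";                         // constructed sample form input
var_dump(count(findUserUnsafe($db, $input)));        // int(1): the condition matched every row
var_dump(count(findUserSafe($db, $input)));          // int(0): no user has that literal name
```

Run it with the pdo_sqlite extension enabled; the two counts differ only because the second function never lets the input reach the SQL parser.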
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists