OT: Website CMS
Lennart Sorensen
lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Mon Aug 24 21:06:57 UTC 2009
On Mon, Aug 24, 2009 at 02:39:45PM -0400, CLIFFORD ILKAY wrote:
> Perhaps it's because they're written in a language with a notoriously
> poor track record. In the article "Risk report: Four years of Red Hat
> Enterprise Linux 4"
> <http://magazine.redhat.com/2009/03/10/risk-report-four-years-of-red-hat-enterprise-linux-4/>,
> you'll notice that only one language gets a category onto itself, PHP.
I love using PHP for little web pages. I am also very aware of just
how easy it is to create a security disaster using PHP if you don't know
what you are doing and try to be clever.
For example something a "clever" person might try:
$pagetype = $_GET['pagetype'];
include($pagetype);
...
Of course their other page would have a menu passing in a few different
page types to then include the code for that pagetype in the right place.
Unfortunately (and conveniently in some cases I suppose), python permits things such as:
include("http://mysite.com/somecode.php");
Add that to the above, and see what you just did. Scary.
The fact that in old php4 versions all POST/GET arguments were automatically
turned into global variables of the same name... yikes. Doesn't do that
anymore fortunately.
Still a nice language though. Just dangerous if you don't know what
you are doing.
--
Len Sorensen
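Added example (not from Len's post): the include($_GET['pagetype']) pattern he describes, placed beside an allowlisted version of the same page-selection logic. The page names, file paths and function names are assumptions.

```php
<?php
// Added example, not code from the original post; page names and paths are assumed.

// Vulnerable shape from the post: the request parameter becomes the include path,
// so whatever string the client sends decides which file (or, with allow_url_include
// enabled, which URL) is loaded.
function render_page_unsafe(array $get): void
{
    $pagetype = $get['pagetype'];
    include($pagetype);
}

// Hardened shape: the parameter is only a key into a fixed map of known pages,
// and the include path never contains client-supplied characters.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(?string $pagetype): ?string
{
    // Only an exact match against the allowlist is accepted; anything else
    // (relative paths, URLs, stream wrappers) falls through to null.
    if ($pagetype === null || !array_key_exists($pagetype, PAGES)) {
        return null;
    }
    return PAGES[$pagetype];
}

function render_page_safe(array $get): void
{
    $path = resolve_page(isset($get['pagetype']) ? (string) $get['pagetype'] : null);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Defence in depth: even if a dynamic include slips through, remote code cannot be
// pulled in while this is off (allow_url_include has defaulted to Off since PHP 5.2).
if (ini_get('allow_url_include')) {
    error_log('allow_url_include is enabled; remote file inclusion is possible');
}

render_page_safe($_GET);
```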
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists