Bugtraq mailing list archives
Re: Securing PHP or finding PHP alternatives
From: Crispin Cowan <crispin () novell com>
Date: Mon, 10 Jul 2006 10:37:16 -0700
Gezim Hoxha wrote:
With all that's been said in this thread, and all that has been observed (i.e. a large number of PHP vulnerabilities--please don't try and defend this; the common thing that everyone agrees on is that PHP tries to cater to all users, not necessarily programmers, which can make it insecure), I'm going to ask two questions:

1.) If I have to write PHP, how do I write secure PHP? Give me a number of ensures that I can follow and check-mark each and live a happy life--for the most part.
Program defensively:

* validate all inputs
  o use a white-list, not a black-list
* check all parameters
* check all return/error codes
* handle all exceptions

Test your system:

* check for SQL injection vulnerabilities
* check for XSS

Wrap it in AppArmor http://en.opensuse.org/AppArmor for when you screw up ^W^W don't do all the above perfectly.
2.) From a security standpoint what is a better, open-source replacement to PHP?
Ruby, Python, Java, C#, all of which are type safe, and therefore much more secure. All have open source implementations, including C# http://www.mono-project.com/Main_Page

Crispin

--
Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
Necessity is the mother of invention ... except for pure math
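The checklist in the reply above (white-list input validation, checking return codes, handling exceptions, and testing for SQL injection and XSS) is short on specifics, so here is an added example of what it looks like in PHP. This code is not from the thread or from any project mentioned in it; the `users` table, its columns, and the `user`/`page` query parameters are assumptions made for the example, and it uses an in-memory SQLite database via PDO so it runs offline.

```php
<?php
// Added example, not from the thread: a small request handler that applies the
// checklist above. The users table, its columns and the query parameter names
// are assumptions made for this example.
declare(strict_types=1);

// White-list validation: accept only what we expect, reject everything else.
// Callers never see an unvalidated value; a bad one throws.
function validate_username(string $raw): string
{
    // Only 3-32 ASCII letters, digits and underscores are allowed (white-list).
    // \A and \z anchor the whole string, so a trailing newline cannot slip past.
    if (preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $raw) !== 1) {
        throw new InvalidArgumentException('username: unexpected characters or length');
    }
    return $raw;
}

function validate_page(string $raw): int
{
    // FILTER_VALIDATE_INT returns false for anything that is not an integer in range.
    $page = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    if ($page === false) {
        throw new InvalidArgumentException('page: must be an integer between 1 and 1000');
    }
    return $page;
}

// SQL injection: user data travels as a bound parameter and is never spliced
// into the query text.
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, bio FROM users WHERE username = :u');
    if ($stmt === false) {           // check return codes, even where ERRMODE_EXCEPTION
        throw new RuntimeException('prepare failed'); // would already have thrown
    }
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// XSS: escape at the point of output, for the HTML context the value lands in.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function handle_request(PDO $db, array $get): string
{
    try {
        $username = validate_username((string)($get['user'] ?? ''));
        $page     = validate_page((string)($get['page'] ?? '1'));
        $user     = find_user($db, $username);
    } catch (InvalidArgumentException $e) {
        // Input failed the white-list: say so, but do not echo the input back.
        http_response_code(400);
        return '<p>Bad request.</p>';
    } catch (PDOException $e) {
        // Handle exceptions: details go to the server log, the client gets a generic error.
        error_log('db error: ' . $e->getMessage());
        http_response_code(500);
        return '<p>Internal error.</p>';
    }
    if ($user === null) {
        http_response_code(404);
        return '<p>No such user.</p>';
    }
    return '<h1>' . h($user['username']) . '</h1>'
         . '<p>' . h($user['bio'] ?? '') . '</p>'
         . '<p>page ' . $page . '</p>';
}

// Usage with a constructed in-memory SQLite database so the example runs offline.
$db = new PDO('sqlite::memory:');
// Database errors become exceptions instead of silent false returns.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, bio TEXT)');
// Constructed row whose bio contains markup, to show it is rendered inert.
$db->exec("INSERT INTO users (username, bio) VALUES ('alice', '<b>hi</b> & <script>x</script>')");

echo handle_request($db, ['user' => 'alice', 'page' => '2']), "\n";  // markup in bio is escaped
echo handle_request($db, ['user' => "alice'", 'page' => '1']), "\n";  // quote fails the white-list: Bad request
echo handle_request($db, ['user' => 'bob', 'page' => 'x']), "\n";     // non-integer page: Bad request
```

The three lines at the bottom are the test the reply asks for in miniature: the first shows the stored markup coming back escaped rather than as live HTML, the second and third show that input outside the white-list never reaches the query at all. Note that the white-list and the prepared statement are independent layers; the parameter binding would keep the query safe even if the validation were loosened, which is the point of doing both.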