Bugtraq mailing list archives

Re: Securing PHP or finding PHP alternatives


From: Crispin Cowan <crispin () novell com>
Date: Mon, 10 Jul 2006 10:37:16 -0700

Gezim Hoxha wrote:
With all that's been said in this thread, and all that has been observed
(i.e. a large number of PHP vulnerabilities--please don't try and defend
this; the common thing that everyone agrees on is that PHP tries to
cater to all users (not necessarily programmers, which can make it
insecure)), I'm going to ask two questions:

1.) If I have to write PHP, how do I write secure PHP? Give me a number
of ensures that I can follow and check-mark each and live a happy
life--for the most part.
  
Program defensively:

    * validate all inputs
          o use a white-list, not a black-list
    * check all parameters
    * check all return/error codes
    * handle all exceptions

Test your system:

    * check for SQL injection vulnerabilities
    * check for XSS

Wrap it in AppArmor http://en.opensuse.org/AppArmor for when you screw
up ^W^W don't do all the above perfectly.

2.) From a security standpoint what is a better, open-source replacement
to PHP?
  
Ruby, Python, Java, C#, all of which are type safe, and therefore much
more secure. All have open source implementations, including C#
http://www.mono-project.com/Main_Page

Crispin

-- 
Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
     Necessity is the mother of invention ... except for pure math
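As an added illustration of the checklist in the reply above (white-list validation, SQL injection and XSS checks, error codes and exceptions), not code from the original post or from Crispin: a small PHP fragment that assumes a hypothetical `users` table and uses an in-memory SQLite database via PDO so it runs without a real server.

```php
<?php
declare(strict_types=1);

// White-list validation: accept only the shape the application actually needs
// (here a 3-32 character handle of ASCII letters, digits and underscore) and
// reject everything else, instead of black-listing "bad" characters.
function validate_username(string $raw): ?string
{
    return preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $raw) === 1 ? $raw : null;
}

// SQL injection check: never interpolate input into the query string; bind it
// as a parameter so the database engine treats it purely as data.
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, display_name FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// XSS check: encode anything that originated outside the program before it is placed in HTML.
function render_greeting(array $user): string
{
    return '<p>Hello, ' . htmlspecialchars($user['display_name'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed in-memory database and hypothetical schema, so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // check all error codes: fail loudly, not silently
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, display_name TEXT)');
$db->exec("INSERT INTO users (username, display_name) VALUES ('alice', 'Alice <b>Example</b>')");

// Constructed request inputs: one legitimate handle, one malformed string with a quote and spaces.
foreach (['alice', "' OR 1=1 --"] as $input) {
    $username = validate_username($input);
    if ($username === null) {
        echo 'rejected by white-list: ' . htmlspecialchars($input, ENT_QUOTES, 'UTF-8') . "\n";
        continue;
    }
    try {
        $user = find_user($db, $username);
        echo $user === null ? "no such user\n" : render_greeting($user) . "\n";
    } catch (PDOException $e) {
        // handle all exceptions: keep detail server-side, return nothing sensitive to the client
        error_log($e->getMessage());
        echo "internal error\n";
    }
}
```

The second input never reaches the database: the white-list rejects it before any query runs, and the stored display name is rendered as escaped text rather than live markup.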

