Bugtraq mailing list archives
Securing PHP or finding PHP alternatives (was: PHP security (or the lack thereof))
From: Gezim Hoxha <gezimetc () shaw ca>
Date: Fri, 07 Jul 2006 20:48:20 -0600
On Tue, 2006-27-06 at 07:41 -0400, Geo. wrote:
> > > Is php secure by default when it's installed on a server?
> >
> > This question does not really have any meaning. If you ask if php _applications_ are secure by default, the answer is of course "it depends" (most php applications are broken. Just do a "grep -R eval ." and see for yourself). The php safe_mode is not really safe. magic_quotes_gpc is broken by design. Where does that leave us? Write secure code, validate all input or get hacked, as is the case with every other software/language.
>
> It's not a meaningless question, it's a quite valid way to look at web server extensions. You make it sound oh so simple "write secure code" but I've been a hacker since 1980 when I wrote a bbs program in assembler and tried to secure it. Writing secure code is anything but simple. It takes a really good programmer to write code that is secure by design because you have to understand exactly how the language and in some cases the hardware you use functions. A language for websites should never expect to have this level of programmers, heck it's a bunch of artsy web developers who are going to be using it so it should take that into account and allow the machine administrator to at least be locked down at the start so he has to enable the features and only those features the web developers require. It's the only way to make a powerful web language and still maintain some semblance of security.
With all that's been said in this thread, and all that has been observed (i.e. a large number of PHP vulnerabilities--please don't try and defend this; the common thing that everyone agrees on is that PHP tries to cater to all users, not necessarily programmers, which can make it insecure), I'm going to ask two questions:

1.) If I have to write PHP, how do I write secure PHP? Give me a number of measures that I can follow and check-mark each and live a happy life--for the most part.

2.) From a security standpoint, what is a better, open-source replacement to PHP?

Thanks,
-Gezim

P.S.: This is my first bugtraq message, so take it easy on me :)
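The quoted reply's two points, that magic_quotes_gpc is not a defence and that all input must be validated, as an added PHP example (not code from the thread or from any poster; it assumes PDO with the SQLite driver, a constructed users table and a constructed request value in place of $_GET):

```php
<?php
// Added example, not from the thread. Assumes the pdo_sqlite driver is present.
// The table and the "request" value below are constructed for the demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER, name TEXT)");
$pdo->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

// Constructed input standing in for $_GET['id'].
$untrusted = "1 OR 1=1";

// 1. What magic_quotes_gpc does: addslashes() on every GPC value, wherever it
//    ends up. It only escapes quotes and backslashes, so a value used in an
//    unquoted numeric context passes through unchanged and the WHERE clause
//    is rewritten. The same escaping is also applied to values that never go
//    near SQL, which is why the reply calls it broken by design.
$quoted = addslashes($untrusted);                        // still "1 OR 1=1"
$rows = $pdo->query("SELECT name FROM users WHERE id = $quoted")
            ->fetchAll(PDO::FETCH_COLUMN);
echo "magic_quotes-style query returned ", count($rows), " row(s)\n"; // 2: both users

// 2. "Validate all input": decide what the value must be (an integer id),
//    reject anything else instead of trying to clean it, and hand the value
//    to the driver as a bound parameter rather than by string concatenation.
function lookup_user(PDO $pdo, $raw)
{
    if (!ctype_digit((string) $raw)) {
        return null;                                     // reject, do not "fix"
    }
    $stmt = $pdo->prepare("SELECT name FROM users WHERE id = :id");
    $stmt->bindValue(':id', (int) $raw, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(lookup_user($pdo, $untrusted));  // NULL: rejected before any SQL runs
var_dump(lookup_user($pdo, "2"));         // array("bob")
```

The validation in lookup_user() is independent of magic_quotes_gpc, so the code behaves the same whether that ini setting is on or off on the deploying server.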