Secure Coding mailing list archives

Re: Scripting Languages and Secure Coding


From: Bob Toxen <bob () verysecurelinux com>
Date: Thu, 04 Dec 2003 15:06:51 +0000

On Wed, Dec 03, 2003 at 09:20:03AM -0800, Jeremy Thibeaux wrote:
I would look at this differently.
...
I am not aware of any buffer overload problems with
PHP >=4.2.2...

The reason why you won't see security notices for C
(or perhaps Perl), is that they leave it entirely up
to you to make your own mistakes.  One will likely
find security problems in reusable C or Perl
components if they end up as abundantly tested as PHP.
Not to mention that PHP includes a ridiculous amount
of functionality.
...
Frankly, I think your email strengthens my case that PHP itself is
too buggy to be used for "high security" trusted applications.
The C compiler and popular C library routines do not have bugs both
because they are very carefully tested and because they are not changed
much and because they have been thought out very carefully over
30 years.

When PHP has less than 1 significant security bug per year for 2-3
years I'll consider it safe for use.  Unlike C and Apache, one
does not HAVE to use PHP in their system.

Jeremy Thibeaux
Lucid Factory, inc.

Bob Toxen, CTO
Fly-By-Day Consulting, Inc.
"Your expert in Firewalls, Virus and Spam Filters, VPNs,
Network Monitoring, and Network Security consulting"
http://www.verysecurelinux.com       [Network & Linux/Unix Security Consulting]
http://www.realworldlinuxsecurity.com [My 5* book: "Real World Linux Security"]
[EMAIL PROTECTED] (e-mail)