WebApp Sec mailing list archives
RE: Anyone have some basic security tips for PHP-programmers?
From: "Herbold, John W." <JWHERBOLD () arkbluecross com>
Date: Mon, 24 Nov 2003 08:50:26 -0600
First of all, PHP is a scripting language with built-in overflow checking.
But is it good enough to trust? I am guessing no, from the other post I have seen. My point still stands. Do your own error checking.
but PHP is NOT vulnerable to buffer overflows from PHP scripts
A quick search on Google for "PHP buffer overflow" shows otherwise.
Second of all, PHP is a scripting language (heard it before?), which means that the code doesn't GET compiled at all. It gets interpreted at run-time by a parsing engine, just like any other scripting language.
While I have not done very much PHP at all, I have done a lot of Perl. Perl is also a "scripting language", and it can get compiled to EXE, so I would be willing to bet PHP can as well. Just because it is a scripting language does not mean that it cannot compile to an EXE. A quick search on Google for "PHP to EXE" shows that yes, it can be compiled to an EXE.

The memory comment goes with running the website off of a CD-ROM; yeah, it is a performance issue, but tied to a security issue. While there are many ways to deface a website, this would stop some of the most common ways.

The idea of security is defense in depth. Nothing is 100% secure, and there is no one fix, so you add layers to weed out different attacks. It is up to you to balance the security, cost, and usability.

Another standard suggestion is to get rid of any "example" scripts that came with your web server and languages, as they are another common entry point.

Thanks,
John W. Herbold Jr.
Security Specialist