OK, does anyone else see this? Paul and Ben are saying exactly the 
same thing: It's a matter of bad programming, not a bad programming
language. Now, the truly amazing thing is that Paul and Ben 
actually agree on something. The slightly less astounding fact 
is that they are *STILL* arguing, despite the fact that they 
agree...

Anywho.... PHP, like Perl, like C, like any other language will
have security holes as long as people write sloppy code. It is 
a fact of nature. Yes, PHP has some problems. However, those 
problems aren't an issue until someone goes and does something
stupid like write bad code that leaves the hole vulnerable. The
same is true for Perl (see 
http://www.coconut-palm-software.com/~perlintro/cgi-security.html).
A great example is "Matt's Script Archive". Great programs. *BAAAAD* 
programming. There are all sorts of holes in most of the Perl scripts
found there. This is why there are 200 Perl-related vulnerability
checks in Nessus.  

There is no such thing as a "secure" language. The language of and
by itself does nothing. It is not secure or insecure. It is the
person writing the code. Thus buffer overflows, stack-smashing,
elevated rights, etc. 

C-Ya,
Kenny

Quoting [EMAIL PROTECTED]:

> 
> In a message dated: Thu, 07 Mar 2002 00:03:30 EST
> Benjamin Scott said:
> 
> >  I note that Perl's CGI module has an identical feature (the ability
> > to set language variables from an HTML form).  Still does, AFAIK.  I'm not
> > trying to compare Perl to PHP here, just point out that tools that allow you
> > to do stupid things are not limited to PHP.
> 
> Ahm, why is this a stupid thing?  How else do you get data into a CGI 
> from a web page?  Just because you're taking data in from the outside 
> and setting a variable to the value entered in a form isn't, in and 
> of itself, a stupid thing.  It's what you do, or rather, don't do 
> with that data after you have it that makes it dangerous.
> 
> Once you take "tainted" data in, you must jump through hoops to 
> "de-taint" it.  Just blindly accepting the value from an HTML form 
> and using it "as is" is stupid, but that's a programming practice 
> that's stupid, not a language design issue.
> 
> Please clarify if I'm misunderstanding what you're talking about.
> 
> 
> *****************************************************************
> To unsubscribe from this list, send mail to [EMAIL PROTECTED]
> with the text 'unsubscribe gnhlug' in the message body.
> *****************************************************************
> 
---------------------------------------------------------
"There's nothing you shouldn't speak of if you've got 
 something to say, and there's no one to be scared of, 
 just get them out of your way."  -- The Alarm
