Geo. wrote:
>>> 2) That said program can protect itself against overtly malicious input.
> Ok then, I can mark you down as one who believes that all the php exploits
> blamed on bad code writing are actually the fault of php and not the
> application coded using its powerful functionality?
No no, mark *me*. PHP is the language...

... that didn't support prepared SQL statements until *revision 5*
... whose syntax can be changed arbitrarily by configuration
... whose applications can, by default, have their code arbitrarily overwritten by environment variables and user input
... that doesn't have a "text string" data type, despite being expected to output text by default
... whose "faux text string" type is counted and NUL-terminated at the same time, inspiring the misguided belief that they can be safely passed by pointer to external libraries written in C. Never mind the embedded NULs, what about encoding issues?
... where the "0" string counts as "false"
... meant for web application development, but without any shape, form or sort of security model, outside of global policies. Even Netscape's server side Javascript had data tainting, god damn it
... that makes auditing impossible by allowing three or four different semantics for any dangerous operation (file I/O, process creation...), some of which are overloads of generic functions
... without structured error handling
... without a library model

PHP promotes piecemeal development of shoddy throw-away applications pretty much by design, and it does so proudly. No coincidence that it was mated to MySQL, of all databases. They're like the Britney Spears and K-Fed of web applications.

I mean, have you ever seen an ASP, ASP.NET or Java EE application mangle your single quotes and backslashes?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
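Two of the pitfalls the post lists, shown in PHP beside their defensive form, as an added example that is not part of the original message. It assumes PHP 7 or later with PDO and the sqlite driver available; the `check` helper and the sample row are constructed for illustration.

```php
<?php
// Added example, not from the original post: two of the pitfalls it lists,
// each beside the defensive form. Assumes PHP 7+ with PDO and the sqlite driver.

function check(string $label, bool $ok): void {
    echo ($ok ? "PASS" : "FAIL") . ": $label\n";
}

// 1. The string "0" is falsy under loose comparison, so a user-supplied "0"
//    (a legitimate id, a "no" answer) looks like an absent value unless the
//    check compares strictly.
function is_present_loose($value): bool {
    return (bool)$value;
}
function is_present_strict($value): bool {
    return $value !== null && $value !== '';
}
check('loose check drops the string "0"', is_present_loose("0") === false);
check('strict check keeps the string "0"', is_present_strict("0") === true);
check('"0" == false under loose comparison', "0" == false);
check('"0" === false is rejected', ("0" === false) === false);

// 2. Interpolating user input into SQL depends on an escaping step (what
//    magic_quotes tried to do globally); a prepared statement binds the value
//    so the quote never reaches the SQL parser as syntax.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (name) VALUES ('O''Brien')");

$input = "O'Brien";   // constructed sample input containing a single quote

$interpolatedFailed = false;
try {
    $pdo->query("SELECT id FROM users WHERE name = '$input'");
} catch (PDOException $e) {
    $interpolatedFailed = true;   // the quote terminated the literal early
}
check('interpolated query breaks on a single quote', $interpolatedFailed);

$stmt = $pdo->prepare("SELECT id FROM users WHERE name = ?");
$stmt->execute([$input]);
check('bound parameter matches the row', (int)$stmt->fetchColumn() === 1);
```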