-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At some point hitherto, Benjamin Scott hath spake thusly:
> > There are also some earlier advisories which complain about the design of
> > PHP encouraging the development of insecure code.  It seems that writing
> > secure PHP scripts is also very difficult, and there are quite a number of
> > advisories for software written in PHP, which are not necessarily the
> > fault of PHP, but perhaps encouraged by the design of PHP.
> 
>   Okay, with all due respect, that is pure FUD.  Yes, FUD -- Fear,
> Uncertainty, and Doubt.  "There isn't really anything wrong here, but if you
> use it, you will be burned, just because."  You can make the same argument
> for Unix, C, Perl, Java, the Internet, computers in general...

...except that the developers agreed. And they've in fact made design
changes to reduce the negative impact of those original design
decisions, and in Dec 2001 released an advisory to that effect.


> > You have to worry about security problems in the software written using
> > PHP, as well as those of PHP itself.
> 
>   Again: This is true for *anything*.

Except Ben, that what I'm saying is that PHP isn't mature enough (IMO)
to depend upon its security.  I'm not saying that it can't and never
will be mature enough.  Just that it isn't right now.  Many other
languages have already gone through this maturation process, and their
pitfalls are well understood.  Perl is a good example.  Sure, coding
in Perl does not guarantee that your CGI programs will be bulletproof,
but safe coding practices under Perl are fairly well understood.  As
recently as this past December, the very developers of PHP were in
agreement with those who felt that the same was not true of PHP.

> > For example, Perl has zero reported vulnerabilities over the same period
> > of time, and only one report of a vulnerability in software written in it
> > (a file disclosure bug caused by bad input validation).
> 
>   Whoa!  Were you not around a few years ago, when finding holes in popular
> Perl CGI scripts was practically a daily occurrence?

See above.

> > I stand by what I said: if you're using PHP, it is my opinion that you're
> > better off from a security standpoint using something else.
> 
>   I think the problem you are seeing is that your average web designer
> cannot code worth a damn.

I definitely agree that this is a huge factor.  But that does not go
very far to explain why there have been relatively few Perl-related
advisories recently as compared to PHP-related advisories.  Has the
web community abandoned Perl in favor of PHP?  I seriously doubt it.
Does it mean that no one is looking at the code of Perl to find holes?
Given how many machines have Perl installed these days, I doubt that
too.  I believe that it is because Perl is mature, and PHP isn't.

You're welcome to disagree with me.

- -- 
Derek Martin               [EMAIL PROTECTED]    
- ---------------------------------------------
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8hZSTdjdlQoHP510RAoJBAJ41OXQK5tuMU4A6xcAgkRW2zzJcOACgjztE
vNlhkpN8NApqMSk3ApC46vY=
=tmqr
-----END PGP SIGNATURE-----

*****************************************************************
To unsubscribe from this list, send mail to [EMAIL PROTECTED]
with the text 'unsubscribe gnhlug' in the message body.
*****************************************************************