On Thu, Mar 1, 2012 at 4:18 PM, John Crenshaw <johncrens...@priacta.com> wrote:

> No, you've misunderstood. The average new not-really-a-developer has no
> concept of security. Every SQL query they write is vulnerable to injection.
> Every echo exposes their site to XSS vulnerabilities. Every form is
> vulnerable to CSRF. If they did anything with files in their script I may be
> able to read arbitrary files to their server and/or upload and execute
> arbitrary scripts. If they used eval() or system() I can probably execute
> arbitrary shell code and take control of the entire site. If their server is
> badly configured I could capture the entire machine.
>

PHP is as vulnerable as you make it,

> This isn't a question of keeping software updated and not using deprecated
> functions, this is a question of discipline that is completely missing among
> the "unwashed masses" as you call them. The intuitive way to handle many of
> the most common PHP tasks is also the completely insecure way.
> Philosophically, I wonder if we do a great disservice by encouraging these
> people to tinker with code at all. We do so knowing (or at least we should
> know) that anything they create will inevitably be hacked. We fuel the
> widespread security problems that currently plague the web.
>
> John Crenshaw
> Priacta, Inc.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
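The "intuitive but insecure" PHP pattern the quoted message describes (a query built by string concatenation, a raw echo, a form with no CSRF token), shown beside its hardened form. This is an added example, not code from the thread; it assumes a PDO connection `$pdo`, a hypothetical `users(name)` table, and that `session_start()` has already run.

```php
<?php
// Added example (not from the thread). Assumes a PDO connection $pdo,
// a hypothetical table users(name), and that session_start() has been called.

// INSECURE: the obvious way. $_GET['name'] lands inside the SQL text
// (injection) and the result is echoed unescaped into HTML (XSS).
function insecure_lookup(PDO $pdo): void
{
    $rows = $pdo->query("SELECT name FROM users WHERE name = '" . $_GET['name'] . "'");
    foreach ($rows as $row) {
        echo "<li>" . $row['name'] . "</li>";
    }
}

// HARDENED: a prepared statement keeps data out of the query text, and the
// value is escaped for the HTML context it is written into.
function secure_lookup(PDO $pdo, string $name): void
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        echo '<li>' . htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
    }
}

// CSRF: a per-session random token is embedded in every state-changing form
// and verified with a constant-time comparison before the POST is acted on.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_valid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// Usage sketch for a POST handler and the form that targets it:
// if (!csrf_valid($_POST['csrf'] ?? null)) { http_response_code(403); exit; }
// echo '<input type="hidden" name="csrf" value="'
//     . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
```

The hardened functions take the request value as a parameter rather than reading superglobals directly, which keeps the trust boundary visible at the call site.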