At 2007-09-05T22:42:17+1200, Volker Kuhlmann wrote:
> Lousy apps written in php may be common, but my Linux vendor doesn't
> update php on a frequent basis because of security bugs in the
> applications written in php.

Sure, the PHP runtime has had problems. I said that already. Here's an
amusing recent example:

  http://use.perl.org/~Aristotle/journal/33448

In terms of exposure and potential damage, the security problems with
the applications built in PHP are far worse (and more easily
exploitable, in general) and more widespread than problems with the
core runtime.

> And if it's *that* difficult to write secure code in php, then that says
> something about the language too (like it's a suboptimal choice for
> security-critical web apps).

Not so much the language as the library APIs, which can be a problem in
any language if they're designed badly or encourage bad practices.

> One hasn't heard a lot about sendmail for the past few years, but I hear
> all the time about php. Was it "month of php bugs" lately?

You haven't been listening very closely. Look at the CVE list for
sendmail--there have been plenty in the past few years.

Cheers,
-mjg

-- 
Matthew Gregan                     |/
                                  /|                    [EMAIL PROTECTED]