On Sat, Nov 26, 2005 at 09:36:46AM -0700, Darrin Chandler wrote:
> But this isn't really a perl problem, or a php problem. It's possible to
> write secure code in many environments, but it's not easy. Most cms
> developers worry more about having tons of features than about secure
> code. "Security" is tacked on as an afterthought, which doesn't work.
This is only partly true. The "modern" scripting languages themselves do not provide services that enforce software quality. The refusal to integrate "bondage and discipline" into scripting languages, and instead the addition of multiple levels of "syntactic sugar", opens the door for security issues. Most languages lack basic software engineering technology like strong type systems, data type definitions or a clear separation of code and data.

It is very nice to see that most scripting languages offer a tight integration of dynamic data structures, which reduces the problem of buffer overflows significantly. On the other hand, the number of "code injection" bugs in web-based applications is alarming. It might seem that code injection is the buffer overflow of the future.

Bernd
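The "separation of code and data" point above is the whole story of injection bugs: when a caller-supplied string is spliced into the text of a program (SQL, shell, HTML), the language has no way to tell where the program ends and the data begins. The following is an added example, not code from either poster, written in Python against an in-memory SQLite table so it runs offline; the table contents, the function names and the tainted input are all constructed for illustration. It places the string-concatenation form beside the parameterized form and shows that only the latter keeps the input as data.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: code and data are mixed.

    The caller's string is pasted into the SQL text, so a quote character
    in the input ends the literal and the remainder is parsed as SQL.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_param(conn, name):
    """Hardened form: code and data are separated.

    The SQL text is a fixed program; the value is handed to the driver
    out of band and can never change the program's structure.
    """
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


# Constructed hostile input: the quote closes the literal, and the tail
# turns the WHERE clause into a condition that is true for every row.
TAINTED = "x' OR 'a'='a"


if __name__ == "__main__":
    db = make_db()
    print("concat, benign :", lookup_concat(db, "alice"))   # ['alice']
    print("concat, tainted:", lookup_concat(db, TAINTED))   # every row leaks
    print("param,  tainted:", lookup_param(db, TAINTED))    # [] - treated as a name
```

The parameterized query is not "escaping done right"; it is a different contract with the database driver, in which the query text is compiled before any user value is seen. That is the structural property Bernd is pointing at, and it is the same property that bounds-checked dynamic arrays give you against buffer overflows: the runtime, not the programmer's diligence, keeps the two domains apart.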

