From: "Galbreath, Mark A" <[EMAIL PROTECTED]>

> Does anybody know if the security issues outlined in
>
> http://www.securereality.com.au/archives/studyinscarlet.txt
>
> are still salient or not? My boss wants a technical document outlining the
> security risks of using PHP in an attempt to get it approved for general use
> by Security. I just bought Mohammed Kabir's "Secure PHP Development" (Wiley
> 2003) but would like some background white papers before delving into it.
> To that end, I'm using Google, but would appreciate references to any recent
> documents covering the subject.

Yes, they are still relevant for the most part. There have been actions taken to reduce some of them, though, like having register_globals OFF by default, the move_uploaded_file() function, etc.

I would contend that these "security issues" are the fault of bad programming, though, not the language. Some could argue that the language should do more to get rid of these issues by default, though. I can't say that I'd disagree with that, but I'd still hold the programmers responsible instead of the language.

Bottom line, if you've actually read that page and implement what it says, then you'll be fine. You can write completely safe programs without taking any of the "protective" measures outlined on the site, though. You just have to know what you're doing.

---John Holmes...

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
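
An added example (not part of the thread and not code from either poster) showing what the two mitigations named in the reply do in practice: the upload is read from a `$_FILES` entry instead of a request-populated global, and `move_uploaded_file()` refuses a path PHP did not itself receive as an upload. `store_upload()`, the paths and the forged entry are hypothetical and constructed for illustration.

```php
<?php
// Added example; store_upload() and all paths here are hypothetical names.

// Legacy pattern the changed defaults discourage (shown for contrast only,
// not executed): with register_globals on, $userfile is filled from the
// request, so the script cannot tell an uploaded temp file from any other
// path on the server.
//     copy($userfile, "/var/www/uploads/" . $userfile_name);

/**
 * Store one entry of $_FILES under $destDir.
 * Returns the stored path, or null when the entry is rejected.
 */
function store_upload(array $entry, string $destDir): ?string
{
    // Only accept entries PHP marked as a completed upload.
    if (($entry['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = (string)($entry['tmp_name'] ?? '');

    // The client-supplied name is untrusted: strip directory parts,
    // restrict the character set, and refuse dotfiles.
    $name = basename((string)($entry['name'] ?? ''));
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]{0,99}$/', $name)) {
        return null;
    }
    $target = rtrim($destDir, '/') . '/' . $name;

    // move_uploaded_file() returns false unless $tmp was received through
    // PHP's own HTTP POST upload handling during this request.
    if (!move_uploaded_file($tmp, $target)) {
        return null;
    }
    return $target;
}

// Constructed input: a forged entry whose tmp_name is an ordinary local file
// (this script), standing in for a path that arrived as request data.
$forged = [
    'name'     => 'notes.txt',
    'tmp_name' => __FILE__,
    'error'    => UPLOAD_ERR_OK,
];
var_dump(store_upload($forged, sys_get_temp_dir()));
```

Run from the command line, the forged entry is rejected because its `tmp_name` was never registered by PHP as an upload; in a web request the function would be called with `$_FILES['userfile']`.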