From: "Galbreath, Mark A" <[EMAIL PROTECTED]>

> Does anybody know if the security issues outlined in
>
> http://www.securereality.com.au/archives/studyinscarlet.txt
>
> are still salient or not?  My boss wants a technical document outlining the
> security risks of using PHP in an attempt to get it approved for general use
> by Security.  I just bought Mohammed Kabir's "Secure PHP Development" (Wiley
> 2003) but would like some background white papers before delving into it.
> To that end, I'm using Google, but would appreciate references to any recent
> documents covering the subject.

Yes, they are still relevant for the most part. There have been actions
taken to reduce some of them, though, like having register_globals OFF by
default, the move_uploaded_file() function, etc.

I would contend that these "security issues" are the fault of bad
programming, though, not the language. Some could argue that the language
should do more to get rid of these issues by default, though. I can't say
that I'd disagree with that, but I'd still hold the programmers responsible
instead of the language.

Bottom line, if you've actually read that page and implement what it says,
then you'll be fine. You can write completely safe programs without taking
any of the "protective" measures outlined on the site, though. You just have
to know what you're doing.

---John Holmes...
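
The two mitigations named in the reply above (register_globals off, move_uploaded_file()), shown as an added example that is not part of the original message. UPLOAD_DIR, is_admin(), handle_upload() and the 'doc' form field are hypothetical names, and PHP 7 or later is assumed for random_bytes().

```php
<?php
// Added example; UPLOAD_DIR, is_admin, handle_upload and 'doc' are hypothetical.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumed to sit outside the web root

// With register_globals on, request parameters become global variables, so a
// flag that the script never initialises can arrive already set. Give every
// variable an explicit default and read input only from the superglobals.
function is_admin(array $session): bool
{
    $admin = false;                       // explicit default, never inherited
    if (isset($session['role']) && $session['role'] === 'admin') {
        $admin = true;
    }
    return $admin;
}

function handle_upload(array $files, string $field): string
{
    if (!isset($files[$field]) || !is_array($files[$field])) {
        throw new RuntimeException('no file field in request');
    }
    $f = $files[$field];
    // A multi-file field makes 'error' an array; this handler takes one file.
    if (is_array($f['error']) || $f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Never reuse the client-supplied name as a path; generate one instead.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.upload';

    // move_uploaded_file() only moves a source that PHP itself received as an
    // HTTP POST upload; any other source path makes it return false.
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('not a genuine uploaded file');
    }
    return $dest;
}

// Web entry point: input comes from $_SESSION and $_FILES, never from globals.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    session_start();
    if (is_admin($_SESSION)) {
        echo handle_upload($_FILES, 'doc');
    }
}
```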

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
