At 11:28 PM 12/20/2001 -0500, Billy Harvey wrote:
> > is a very popular database of linux software and includes a
> > wide variety of PHP scripts.  My point was that if you downloaded an
> > insecure script from such a popular site then you are asking for trouble
> > because chances are thousands of would-be hackers have ALSO downloaded the
> > same script and have familiarized themselves with ways that it can be
> > exploited...
>So would you rather just use pre-compiled binaries from some company
>that says "trust me"?

Sigh.  No.  The thread has meandered quite a bit, and you'd have to read 
the whole thing to see how we got to this point.  To summarize:

Someone made the point that you should always carefully check user 
submitted data, and provided an example using an poorly secured fopen() 
statement whereby a hacker could gain access to /etc/passwd.  I responded 
by saying that to do such a thing the hacker would have to know exactly how 
your code is written.  Someone else responded saying that this was indeed 
likely in shared hosting environments or open source software.  The above 
is me agreeing and saying "oh I didn't think of that"  Nowhere did I say 
that I think this is a disadvantage of OSS.

If you wish to extrapolate an argument from what I wrote above then here's 
a good one:  When you install software that could be a potential security 
risk then you should attempt to use well established, peer-reviewed OPEN 
SOURCE software and ideally review at the code yourself to make sure it 
meets your standards of security and doesn't contain any nasty exploits.

See, I'm one of the good guys...a dot communist, just like you. ;-)

PHP General Mailing List (
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to