another 2c worth...
So it's the programmer's responsibility to ensure all his/her code is as
secure as possible. If it can be shown that it isn't secure, then the
programmer should endevour to close that hole.
This goes for any area that hackers can exploit, software and hardware...
From: Michael Sims [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 21, 2001 3:43 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Re: Mommy, is it true that...?
At 11:28 PM 12/20/2001 -0500, Billy Harvey wrote:
> > Freshmeat.net is a very popular database of linux software and includes
> > wide variety of PHP scripts. My point was that if you downloaded an
> > insecure script from such a popular site then you are asking for trouble
> > because chances are thousands of would-be hackers have ALSO downloaded
> > same script and have familiarized themselves with ways that it can be
> > exploited...
>So would you rather just use pre-compiled binaries from some company
>that says "trust me"?
Sigh. No. The thread has meandered quite a bit, and you'd have to read
the whole thing to see how we got to this point. To summarize:
Someone made the point that you should always carefully check user
submitted data, and provided an example using an poorly secured fopen()
statement whereby a hacker could gain access to /etc/passwd. I responded
by saying that to do such a thing the hacker would have to know exactly how
your code is written. Someone else responded saying that this was indeed
likely in shared hosting environments or open source software. The above
is me agreeing and saying "oh I didn't think of that" Nowhere did I say
that I think this is a disadvantage of OSS.
If you wish to extrapolate an argument from what I wrote above then here's
a good one: When you install software that could be a potential security
risk then you should attempt to use well established, peer-reviewed OPEN
SOURCE software and ideally review at the code yourself to make sure it
meets your standards of security and doesn't contain any nasty exploits.
See, I'm one of the good guys...a dot communist, just like you. ;-)
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]