Re: [PHP] Who uses PHP
As has been said: it all depends on the developer. A skilled developer is not restrained by how secure the particular language is. A skilled developer will know the pitfalls of that language, and be able to avoid them. With PHP as an example, you have register_globals. Now, register_globals is NOT a bad thing. However, due to incompetent coders, it is one of the easiest exploits in many PHP applications. A skilled developer is able to work unconditional of whether register_globals is on on his/her server.

- Craige

On 2/3/07, Christopher Weldon [EMAIL PROTECTED] wrote:
> > > Well, if you do not know the answer to my particular question, I'm curious how might you respond to someone who says: PHP has too many security issues and should not be used with a user authentication system. We should use XXX.
> >
> > I think security mainly depends on the programmer and not on the language he uses...
> >
> > greets
> > Zoltán Németh
>
> I totally agree.
>
> > > You are not allowed to say 'Well, you're wrong. PHP is as secure as anything else.' without explaining why. Or, would you agree with the statement? Is there an 'XXX' that should be used instead of PHP?
>
> Of course not. As Zoltan stated above, security is dependent upon the programmer and not the language. But, if you aren't familiar with why PHP is considered so insecure, it's a result of people who can't/don't know how to properly program PHP applications. PHP is an easy programming language to learn quickly and hit the ground running. These people (typically) don't care to check to make sure writing something like:
>
>   mysql_query('SELECT * FROM admins WHERE username = '.$_GET['username'].' and password = '.$_GET['password'].'');
>
> is safe and secure. This is one of the bigger issues I've seen on some PHP applications. As you will read (or perhaps already have) on Chris S.'s site, a big thing to do in PHP apps is FIEO (Filter Input, Escape Output). Applications written in this manner are insecure; PHP isn't what's insecure.
>
> However, with my limited Computer Science training, FIEO is something that should be done in any application under any programming language - for security's sake. So, rather than consider the difference in security of a programming language versus another, you should be asking the question "What does PHP offer me that XXX doesn't?". Alternatively, if the person on the other end is still too concerned about security, then you should be considering "How much easier is it for me to program secure applications in PHP than XXX?" If you do it right from the start, you'll find that PHP does not make it difficult to write secure apps.
>
> > > Given the limited number of options for maintaining state information, I would be hard pressed to see how any language could be inherently more secure or why one could not write PHP code which implemented the same techniques as 'XXX'. (No, I do not know what 'XXX' might be.)
>
> --
> Christopher Weldon
> President CEO
> Cerberus Interactive, Inc.
> [EMAIL PROTECTED]
> (866) 813-4603 x605

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Who uses PHP
> > Well, if you do not know the answer to my particular question, I'm curious how might you respond to someone who says: PHP has too many security issues and should not be used with a user authentication system. We should use XXX.
>
> I think security mainly depends on the programmer and not on the language he uses...
>
> greets
> Zoltán Németh

I totally agree.

> > You are not allowed to say 'Well, you're wrong. PHP is as secure as anything else.' without explaining why. Or, would you agree with the statement? Is there an 'XXX' that should be used instead of PHP?

Of course not. As Zoltan stated above, security is dependent upon the programmer and not the language. But, if you aren't familiar with why PHP is considered so insecure, it's a result of people who can't/don't know how to properly program PHP applications. PHP is an easy programming language to learn quickly and hit the ground running. These people (typically) don't care to check to make sure writing something like:

  mysql_query('SELECT * FROM admins WHERE username = '.$_GET['username'].' and password = '.$_GET['password'].'');

is safe and secure. This is one of the bigger issues I've seen on some PHP applications. As you will read (or perhaps already have) on Chris S.'s site, a big thing to do in PHP apps is FIEO (Filter Input, Escape Output). Applications written in this manner are insecure; PHP isn't what's insecure.

However, with my limited Computer Science training, FIEO is something that should be done in any application under any programming language - for security's sake. So, rather than consider the difference in security of a programming language versus another, you should be asking the question "What does PHP offer me that XXX doesn't?". Alternatively, if the person on the other end is still too concerned about security, then you should be considering "How much easier is it for me to program secure applications in PHP than XXX?" If you do it right from the start, you'll find that PHP does not make it difficult to write secure apps.

> > Given the limited number of options for maintaining state information, I would be hard pressed to see how any language could be inherently more secure or why one could not write PHP code which implemented the same techniques as 'XXX'. (No, I do not know what 'XXX' might be.)

--
Christopher Weldon
President CEO
Cerberus Interactive, Inc.
[EMAIL PROTECTED]
(866) 813-4603 x605
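As an added example (not code from Christopher, Craige or the PHP project), here is the admin lookup quoted above rewritten the FIEO way, and written so that it behaves identically with register_globals on or off, which is the point Craige makes earlier in the thread. The database, the `admins` table with a `password_hash` column, the connection details and PHP >= 5.5 are assumptions.

```php
<?php
// Added example for this thread, not code from any poster. It assumes a MySQL
// database with an "admins" table holding (username, password_hash) rows,
// PHP >= 5.5 (password_verify), and placeholder connection details.
session_start();

// Work the same whether register_globals is on or off: initialise every
// variable before it is used and read request data only from superglobals,
// so a stray request parameter can never pre-populate $authorized.
$authorized = false;
$username   = isset($_POST['username']) ? (string) $_POST['username'] : '';
$password   = isset($_POST['password']) ? (string) $_POST['password'] : '';

// Filter input: accept only what a username may legitimately look like.
if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $username)) {
    http_response_code(400);
    exit('invalid username');
}

// The pattern quoted in the thread, shown only for contrast. Raw request data
// is concatenated into the SQL text, so the structure of the query is decided
// by whoever sends the request:
//   mysql_query('SELECT * FROM admins WHERE username = '.$_GET['username'].
//               ' and password = '.$_GET['password'].'');

// Placeholder credentials; ATTR_EMULATE_PREPARES=false makes PDO use real
// server-side prepared statements rather than client-side quoting.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// The same lookup as a prepared statement: the username is bound as data and
// cannot alter the query. The password never enters the SQL at all; it is
// compared against a stored hash in PHP.
$stmt = $db->prepare('SELECT password_hash FROM admins WHERE username = ?');
$stmt->execute([$username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row !== false && password_verify($password, $row['password_hash'])) {
    $authorized = true;
}

if (!$authorized) {
    http_response_code(401);
    exit('login failed');
}

// Escape output: anything echoed into HTML goes through htmlspecialchars,
// no matter how strictly it was filtered on the way in.
session_regenerate_id(true);
$_SESSION['admin'] = $username;
echo 'Welcome, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
```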
Re: [PHP] Who uses PHP
On Thu, February 1, 2007 9:19 am, Eric Gorr wrote:
> Well, if you do not know the answer to my particular question, I'm curious how might you respond to someone who says: PHP has too many security issues and should not be used with a user authentication system. We should use XXX.

You go ahead and use XXX, because obviously the person making the statement is so clueless that any rational discussion is moot.

Or, you quit that job and find a smarter boss. :-)

--
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
Re: [PHP] Who uses PHP
Eric Gorr wrote:
> I've heard some concern expressed that PHP might be more insecure than other methods of developing websites where security was of prime importance. Now, I personally do not believe this, but it would help me to convince others if I could point to major sites, where security (mostly with respect to the user authentication system) was extremely important (financial sites, etc.) and where PHP was the primary development platform.

google, yahoo.

for the rest search Zend.com or your favorite search engine

> Thank you.
RE: [PHP] Who uses PHP
[snip]
I've heard some concern expressed that PHP might be more insecure than other methods of developing websites where security was of prime importance. Now, I personally do not believe this, but it would help me to convince others if I could point to major sites, where security (mostly with respect to the user authentication system) was extremely important (financial sites, etc.) and where PHP was the primary development platform.
[/snip]

Google for one. I am pretty sure Yahoo. Also, check out http://www.shiflett.org as Chris is one of, if not the, leading expert in security with PHP.
Re: [PHP] Who uses PHP
On Feb 1, 2007, at 9:47 AM, Jochem Maas wrote:
> Eric Gorr wrote:
> > I've heard some concern expressed that PHP might be more insecure than other methods of developing websites where security was of prime importance. Now, I personally do not believe this, but it would help me to convince others if I could point to major sites, where security (mostly with respect to the user authentication system) was extremely important (financial sites, etc.) and where PHP was the primary development platform.
>
> google, yahoo.

For their user authentication system? Session management? Everything?

Don't suppose there would be any URL (press release, just general info, etc.) with that information?

> for the rest search Zend.com or your favorite search engine

Thanks. While zend.com, etc. will tell me who is using PHP, they do not generally state exactly how it is being used and, as much as the who, it is the how that is important.
Re: [PHP] Who uses PHP
On Feb 1, 2007, at 9:50 AM, Jay Blanchard wrote:
> Also, check out http://www.shiflett.org as Chris is one of, if not the, leading expert in security with PHP.

Great site. Thank you.
Re: [PHP] Who uses PHP
On 2/1/07, Eric Gorr [EMAIL PROTECTED] wrote:
> On Feb 1, 2007, at 9:50 AM, Jay Blanchard wrote:
> > Also, check out http://www.shiflett.org as Chris is one of, if not the, leading expert in security with PHP.
>
> Great site. Thank you.

http://afup.org/IMG/flickr_php.pdf
Re: [PHP] Who uses PHP
Eric Gorr wrote:
> On Feb 1, 2007, at 9:47 AM, Jochem Maas wrote:
> > Eric Gorr wrote:
> > > I've heard some concern expressed that PHP might be more insecure than other methods of developing websites where security was of prime importance. Now, I personally do not believe this, but it would help me to convince others if I could point to major sites, where security (mostly with respect to the user authentication system) was extremely important (financial sites, etc.) and where PHP was the primary development platform.
> >
> > google, yahoo.
>
> For their user authentication system? Session management? Everything?
>
> Don't suppose there would be any URL (press release, just general info, etc.) with that information?
>
> > for the rest search Zend.com or your favorite search engine
>
> Thanks. While zend.com, etc. will tell me who is using PHP, they do not generally state exactly how it is being used and, as much as the who, it is the how that is important.

ah right - please ignore my post - I wasn't really reading your question properly, my apologies
Re: [PHP] Who uses PHP
On Feb 1, 2007, at 10:06 AM, Jochem Maas wrote:
> Eric Gorr wrote:
> > On Feb 1, 2007, at 9:47 AM, Jochem Maas wrote:
> > > Eric Gorr wrote:
> > > > I've heard some concern expressed that PHP might be more insecure than other methods of developing websites where security was of prime importance. Now, I personally do not believe this, but it would help me to convince others if I could point to major sites, where security (mostly with respect to the user authentication system) was extremely important (financial sites, etc.) and where PHP was the primary development platform.
> > >
> > > google, yahoo.
> >
> > For their user authentication system? Session management? Everything?
> >
> > Don't suppose there would be any URL (press release, just general info, etc.) with that information?
> >
> > > for the rest search Zend.com or your favorite search engine
> >
> > Thanks. While zend.com, etc. will tell me who is using PHP, they do not generally state exactly how it is being used and, as much as the who, it is the how that is important.
>
> ah right - please ignore my post - I wasn't really reading your question properly, my apologies

Well, if you do not know the answer to my particular question, I'm curious how might you respond to someone who says: PHP has too many security issues and should not be used with a user authentication system. We should use XXX.

You are not allowed to say 'Well, you're wrong. PHP is as secure as anything else.' without explaining why. Or, would you agree with the statement? Is there an 'XXX' that should be used instead of PHP?

Given the limited number of options for maintaining state information, I would be hard pressed to see how any language could be inherently more secure or why one could not write PHP code which implemented the same techniques as 'XXX'. (No, I do not know what 'XXX' might be.)
Re: [PHP] Who uses PHP
On Thu, 2007-02-01 at 10:19 -0500, Eric Gorr wrote:
> On Feb 1, 2007, at 10:06 AM, Jochem Maas wrote:
> > Eric Gorr wrote:
> > > On Feb 1, 2007, at 9:47 AM, Jochem Maas wrote:
> > > > Eric Gorr wrote:
> > > > > I've heard some concern expressed that PHP might be more insecure than other methods of developing websites where security was of prime importance. Now, I personally do not believe this, but it would help me to convince others if I could point to major sites, where security (mostly with respect to the user authentication system) was extremely important (financial sites, etc.) and where PHP was the primary development platform.
> > > >
> > > > google, yahoo.
> > >
> > > For their user authentication system? Session management? Everything?
> > >
> > > Don't suppose there would be any URL (press release, just general info, etc.) with that information?
> > >
> > > > for the rest search Zend.com or your favorite search engine
> > >
> > > Thanks. While zend.com, etc. will tell me who is using PHP, they do not generally state exactly how it is being used and, as much as the who, it is the how that is important.
> >
> > ah right - please ignore my post - I wasn't really reading your question properly, my apologies
>
> Well, if you do not know the answer to my particular question, I'm curious how might you respond to someone who says: PHP has too many security issues and should not be used with a user authentication system. We should use XXX.

I think security mainly depends on the programmer and not on the language he uses...

greets
Zoltán Németh

> You are not allowed to say 'Well, you're wrong. PHP is as secure as anything else.' without explaining why. Or, would you agree with the statement? Is there an 'XXX' that should be used instead of PHP?
>
> Given the limited number of options for maintaining state information, I would be hard pressed to see how any language could be inherently more secure or why one could not write PHP code which implemented the same techniques as 'XXX'. (No, I do not know what 'XXX' might be.)
Re: [PHP] Who uses PHP
On Thu, 2007-02-01 at 10:19 -0500, Eric Gorr wrote:
> Well, if you do not know the answer to my particular question, I'm curious how might you respond to someone who says: PHP has too many security issues and should not be used with a user authentication system. We should use XXX.
>
> You are not allowed to say 'Well, you're wrong. PHP is as secure as anything else.' without explaining why. Or, would you agree with the statement? Is there an 'XXX' that should be used instead of PHP?

For the most part, any program in a mature language is as secure as the least competent coder that worked with it. Following from that, if your developers are competent, you are less likely to have security problems. PHP provides all the tools necessary to write very secure applications; most of the problems in the wild are due to incompetence, especially as relates to popular packages (such as PHPBB).

> Given the limited number of options for maintaining state information, I would be hard pressed to see how any language could be inherently more secure or why one could not write PHP code which implemented the same techniques as 'XXX'. (No, I do not know what 'XXX' might be.)

Some languages provide features that essentially tie the developer's hands behind their back and make it more difficult to introduce security flaws. This ideology only has limited success because no matter how intelligent you think your language is, there is almost certainly a human of marvellous counter-intelligence that will do something stupid... often by force of will.

Cheers,
Rob.
--
InterJinn Application Framework - http://www.interjinn.com
An application and templating framework for PHP. Boasting a powerful, scalable system for accessing system services such as forms, properties, sessions, and caches. InterJinn also provides an extremely flexible architecture for creating re-usable components quickly and easily.
Re: [PHP] Who uses PHP
Eric Gorr wrote:
> PHP has too many security issues and should not be used with a user authentication system. We should use XXX.

Well, people's complaints about PHP probably stem from some security pitfalls built in for simplicity's sake. (The most common being register_globals.) For that reason, I strongly agree with the general sentiments of many posters: code is as secure as the least capable developer can make it.

I write code in C, Python, Perl, PHP, Java, C#, JavaScript, etc, etc... I don't find PHP to be inherently less secure than any other language.

I've recently run into a company that has a payment web service that handles outgoing transactions. They have a hole in their system that could be used to rip off e-commerce sites across the internet. (Site thinks the person has paid, where they have not.) Their code is written in ASP. Is it ASP's fault? No. It's the programmers who failed to recognize the hole in their protocol.

jon