On Tue 2006-08-15 (11:52), Eric Larson wrote:
> On 8/15/06, Karl Guertin <[EMAIL PROTECTED]> wrote:
> >
> > Security:
> > JSP - don't know
> > PHP - poor (SQL injection mostly)
> 
> I think this is an extremely poor argument. If you trust Apache and consider
> the opportunity for SQL Injection, then it can be very secure. Of course
> Apache configurations can be too open, but overall, it is safe to say that
> Apache can be very secure.

PHP does make doing certain aspects of security right a lot harder than
it ought to be, especially when dealing with external process execution.

Almost every programming language on the planet that offers the ability
to execute an external program allows for you to not go via the shell.
PHP, unfortunately, doesn't.  Which means you have to put quite a bit of
effort into making sure you've escaped something correctly for the shell
in use (normally /bin/sh or Windows cmd.exe, but who knows really?).

It's not fair comparing a programming language with a framework, though.

Neil
-- 
Neil Blakey-Milner
[EMAIL PROTECTED]
http://mithrandr.moria.org/
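
The contrast described in the message above, between building a shell command string and passing an argument vector directly, shown in Python as an added example that is not part of the original message. The stand-in child program, the sample input and the function names are constructed for illustration, and a POSIX `/bin/sh` is assumed.

```python
import shlex
import subprocess
import sys

# Stand-in external program: prints each argument it received on its own line.
CHILD = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))"]

# Constructed untrusted input: a "filename" carrying a shell metacharacter.
UNTRUSTED = "report.txt; echo INJECTED"


def _shell_prefix():
    # The fixed part of the command line, quoted for a POSIX shell.
    return " ".join(shlex.quote(part) for part in CHILD)


def via_shell_unescaped(arg):
    """Risky: /bin/sh parses the whole string, so ';' ends the command."""
    cmd = _shell_prefix() + " " + arg
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def via_shell_escaped(arg):
    """Correct only while the quoting rules match the shell in use (POSIX sh)."""
    cmd = _shell_prefix() + " " + shlex.quote(arg)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def without_shell(arg):
    """No shell involved: the list is handed to the OS as argv, unparsed."""
    out = subprocess.run(CHILD + [arg], capture_output=True, text=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    for fn in (via_shell_unescaped, via_shell_escaped, without_shell):
        # The unescaped call shows a second command running; the others
        # deliver the input to the child as one literal argument.
        print(f"{fn.__name__:20} -> {fn(UNTRUSTED)}")
```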
