Quoting Dr. Larry Ozeran (loze...@clinicalinformatics.com):

> Rick, thanks again for your insights.

You are most welcome.

> You are, of course, correct that we would not redesign our software
> without a significant and deep assessment of benefits and costs
> (money, time, resources, etc.). Most of the PHP, MySQL, and related
> code has been developed in house. I probably coded 10-15% myself.
> The intent of my comment was simply to indicate that we do not
> blindly accept that there is no better option than what we are
> doing. If there are strong arguments to support considering making a
> switch, I would not exclude that possibility without reviewing the
> pros and cons simply because we have a large legacy investment. I
> consider your response (below) to fall into the 'cons' (to
> switching) category and will definitely compare your PHP security
> recommendations against what we currently are and are not doing.

I am very glad to be of help -- and certainly was trying to be at pains to avoid advising anyone to merely redesign, especially without knowledge of the particulars.

My own disaffection with PHP was markedly increased when I boarded a cruise ship with my wife from San Francisco to Sydney, and right on the day of my departure my logcheck reports started indicating a serious attempt to break security on my server via (what turned out to be) mod_php -- exactly at a time when I had just boarded an ocean vessel with only satellite Internet at very high prices. Somehow, with a painfully thin straw of ssh bandwidth and only one hour of high-latency, low-reliability Internet access each evening, I was able to kludge together a lockout of the kiddies within a couple of days and before they were able to compile an exploit kit. When I reached Sydney, one of the first things I did from my hotel room was rip out the last bits of public-facing PHP exposure so I'd never have to worry about that again.

My _own_ view is that PHP is entirely too much like the scenario Marcus Ranum described in his rather caustic 'What Sun Tzu Would Say' essay, i.e., as Ranum phrases it, 'If patching hasn't been working, why are we still doing it?' I stopped needing to apply the PHP patch du jour by no longer exposing it to public networks. But whatever works for you is of course great.

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech