Newsgroups: php.internals
From: addw@phcomp.co.uk (Alain Williams)
To: Ilia Alshanetsky
Cc: Alain Williams, internals@lists.php.net
Date: Thu, 11 Jan 2007 17:11:52 +0000
Subject: Re: [PHP-DEV] Comments on PHP security
Message-ID: <20070111171152.GH15998@mint.phcomp.co.uk>
Organization: Parliament Hill Computers Ltd

On Thu, Jan 11, 2007 at 12:05:45PM -0500, Ilia Alshanetsky wrote:
>
> On 11-Jan-07, at 9:41 AM, Alain Williams wrote:
>
> >This has just appeared:
> >
> >	http://www.theregister.co.uk/2007/01/11/php_apps_security/
>
> Of many people who use PHP not many have strong programming
> background and even fewer experience with security. They use PHP
> because it makes it easy to solve problems, especially in a web
> environment. When you consider this it is hardly surprising that many
> people write bad and/or insecure code. While PHP does try to make
> things better, and occasionally has bugs in the language core, you
> need to realize that PHP is a programming language. As such if you
> really want to shoot yourself in the foot you can, just as you can do
> with C/C++/Perl/Python/etc...

I think that everyone would agree with that. The discussion is how PHP can help
them to discover problems in their scripts. This is what led to Wietse Venema's
suggestion about tainting a few weeks ago.

These may be things that members of this forum do not feel that they need, but the
''quality'' of the majority of PHP programmers is such that they would be of benefit.

To an extent it is an accolade to PHP that novice/... programmers can use it to create
applications; it just puts a greater burden on us to do what we can to protect them
from their own problems.

-- 
Alain Williams
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include