Newsgroups: php.internals
Subject: Re: [PHP-DEV] Comments on PHP security
From: ilia@prohost.org (Ilia Alshanetsky)
To: Alain Williams
Cc: internals@lists.php.net
Date: Thu, 11 Jan 2007 12:26:17 -0500
In-Reply-To: <20070111171152.GH15998@mint.phcomp.co.uk>

On 11-Jan-07, at 12:11 PM, Alain Williams wrote:

> The discussion is how PHP can help them to discover problems in their
> scripts. This is what led to Wietse Venema's suggestion about tainting
> a few weeks ago. These may be things that members of this forum do not
> feel that they need, but the ''quality'' of the majority of PHP
> programmers is such that they would be of benefit.
>
> To an extent it is an accolade to PHP that novice/... programmers can
> use it to create applications, it just puts a greater burden on us to do
> what we can to protect them from their own problems.

The tools already exist; look at E_NOTICE, for example. A good number of PHP exploits are caused by register_globals + un-initialized vars. If the developers of those apps tried to run their code with that error reporting method enabled there would be far fewer security bugs all around.

Ilia Alshanetsky
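An added example, not part of this thread, illustrating the point Ilia makes: a check that relies on a variable that is only assigned on one path, beside a hardened form that always initializes it, with an error handler that surfaces the notice E_NOTICE reporting would raise. register_globals (removed in PHP 5.4) is emulated with extract(); the credentials and request arrays are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Report everything and make undefined-variable reads visible. PHP 7 raises
// E_NOTICE for them, PHP 8 raises E_WARNING, so both are caught here.
error_reporting(E_ALL);
set_error_handler(function (int $errno, string $errstr): bool {
    if ($errno === E_NOTICE || $errno === E_WARNING) {
        echo "    [notice] $errstr\n";
    }
    return true; // handled; do not fall through to the default handler
});

// Vulnerable pattern: $authorized is assigned only on the success path and
// read unconditionally afterwards. extract() emulates register_globals=On,
// so any request parameter becomes a local variable before the check runs.
function vulnerableCheck(array $request): bool
{
    extract($request, EXTR_OVERWRITE);
    if (($user ?? '') === 'admin' && ($password ?? '') === 'secret') {
        $authorized = true;
    }
    // Uninitialized read when the branch above did not run: E_NOTICE fires.
    return (bool) $authorized;
}

// Hardened form: the flag is initialized before any branch, and request data
// is read explicitly instead of being imported into the local scope.
function hardenedCheck(array $request): bool
{
    $authorized = false;
    $user = $request['user'] ?? '';
    $password = $request['password'] ?? '';
    if ($user === 'admin' && $password === 'secret') {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: a valid login, an empty request, and a request that
// carries a stray parameter sharing the name of the uninitialized flag.
$requests = [
    'valid login'     => ['user' => 'admin', 'password' => 'secret'],
    'no credentials'  => [],
    'stray parameter' => ['authorized' => '1'],
];
foreach ($requests as $label => $req) {
    echo "$label:\n";
    printf("    vulnerable=%s hardened=%s\n",
        var_export(vulnerableCheck($req), true),
        var_export(hardenedCheck($req), true));
}
```

Running it with notices enabled shows the "Undefined variable $authorized" message on the empty request, which is exactly the signal an author gets for free by developing with error_reporting(E_ALL); the hardened function never triggers it and returns false for the stray-parameter request.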