[nycbug-talk] Searching for suspect PHP files...
Max Gribov
max at neuropunks.org
Tue Mar 3 16:26:25 EST 2009
Andy Kosela wrote:
>
> I don't want to speak for Miles here, but I think he meant that PHP is
> flawed by design, and not asking "how to write secure code". It is so
> easy to exploit PHP bugs, that even Visual BASIC "idiots" can do it.
It is equally easy to prevent them, just like in C you can count the number
of bytes in a string to prevent buffer overflows.
> It
> has been increasingly harder to secure HTTP, as most of the successful
> break-ins are done with the help of PHP.
I would change that to "web upload forms", "url bars in browsers" and
"javascript injection".
I bet you can find just as many vulnerable web apps written in other
languages, and probably just as many backdoor apps in other languages as
well.
PHP has frameworks which handle plenty of security for you (read: input
validation/sanitizing), and I'd argue that learning a framework from
scratch is easier than a language from scratch.
> And Miles remarked wisely that
> this trend has been going for years.
>
> --Andy
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>
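As an added example that is not part of the thread: the kind of input validation and output escaping Max is talking about, written by hand for the "web upload form" and "javascript injection" cases mentioned above. It assumes a form that POSTs a `title` field and a `photo` file upload, and an `uploads/` directory next to the script; the field names and limits are my own choices.

```php
<?php
// Added example, not from the thread. Hand-rolled validation of a form that
// POSTs a "title" field and a "photo" file (field names and limits assumed).

const MAX_TITLE_LEN = 100;
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;
const ALLOWED_IMAGE_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

/** Validate a free-text field: reject unexpected input rather than "clean" it. */
function validate_title(?string $raw): ?string
{
    if ($raw === null || $raw === '' || strlen($raw) > MAX_TITLE_LEN) {
        return null;
    }
    // Control characters have no business in a title.
    if (preg_match('/[\x00-\x1f\x7f]/', $raw)) {
        return null;
    }
    return $raw;
}

/** Check an uploaded file by its actual bytes, not the client-supplied name or type. */
function validate_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > MAX_UPLOAD_BYTES || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }
    // Server-chosen name with a known extension: never reuse the client's filename.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
}

$title = validate_title($_POST['title'] ?? null);
$stored = isset($_FILES['photo']) ? validate_upload($_FILES['photo']) : null;
if ($title === null || $stored === null) {
    http_response_code(400);
    exit('Rejected input');
}
move_uploaded_file($_FILES['photo']['tmp_name'], __DIR__ . '/uploads/' . $stored);
// Escape on output so the title cannot inject script into the page.
echo '<p>Uploaded ' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</p>';
```

The same checks are what a framework's validation layer does for you; the point is that the client-supplied filename, MIME type and field contents are never trusted directly.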