[nycbug-talk] Searching for suspect PHP files...

Max Gribov max at neuropunks.org
Tue Mar 3 16:26:25 EST 2009

Andy Kosela wrote:
> I don't want to speak for Miles here, but I think he meant that PHP is
> flawed by design, and not asking "how to write secure code".  It is so
> easy to exploit PHP bugs, that even Visual BASIC "idiots" can do it.  
it is equally easy to prevent them, just like in C you can count number 
of bytes in a string to prevent buffer overflows.

> It
> has been increasingly harder to secure HTTP, as most of the successful
> break-ins are done with the help of PHP.  
i would change that to "web upload forms", "url bars in browsers" and 
"javascript injection"
i bet you can find just as many vulnerable web apps written in other 
languages, and probably just as many backdoor apps in other languages as 

php has frameworks which handle plenty of security for you (read: input 
validation/sanitizing), and id argue that learning a framework from 
scratch is easier than a language from scratch..

> And Miles remarked wisely that
> this trend has been going for years.
> --Andy
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk

More information about the talk mailing list