Mailing List Archive



Re: [tlug] Do you whitelist or blacklist utf-8?



On 02/24/2011 05:43 PM, Darren Cook wrote:
And, yeah, for better security, don't use PHP :)

Do you have any evidence to support that statement?

You've probably already seen the other replies, but the
number of PHP vulnerabilities was overwhelming a few years back.
I don't really follow any more, so maybe things have gotten better over time, but I kind of doubt it.

Security always seems, to me, to be dominated by the programmer's
understanding of security issues; language features are quite minor.
I.e. the same programmer will write safe or dangerous code whichever
language he uses.

I am pretty sure you could write a perfectly safe 30 000 line CGI in C, if you know what you are doing. But it's hard, and it's easier to make mistakes when you are dealing with low level code. The lower the level, the more code you have to write, the greater the chance of bugs/vulnerabilities, etc.


(As far as I know, PHP has all the required functions for writing safe
code, such as htmlspecialchars(), urlencode(), strip_tags(),
filter_var(), regexes, etc.)


PHP makes it easy to deal with Web input/output, and because of this a lot of people don't use any higher level frameworks, just the (fairly low level) native PHP functions. It's hard to cover all the bases with those even if you know what you are doing, and most people starting off with PHP don't.
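The reply above argues that PHP's native functions are sufficient but easy to misuse. The following is an added example, not code from the thread, showing those same functions (htmlspecialchars(), filter_var(), rawurlencode(), strip_tags()) used with the options that matter for UTF-8 input, in the whitelist spirit of the thread's subject; the helper names (validate_utf8_input, safe_text, safe_url_param, safe_email) are hypothetical, and mbstring is assumed to be available.

```php
<?php
// Added example: correct use of PHP's native escaping/validation functions.
// Helper names are hypothetical; the PHP functions called are real.
declare(strict_types=1);

// Whitelist approach: reject input that is not well-formed UTF-8 instead of
// trying to strip "bad" bytes afterwards. mb_check_encoding() rejects
// overlong encodings and truncated multibyte sequences (assumes mbstring).
function validate_utf8_input(string $s): ?string
{
    return mb_check_encoding($s, 'UTF-8') ? $s : null;
}

// HTML text/attribute context: escape, don't strip. ENT_QUOTES also escapes
// single quotes (needed inside attribute values); the explicit 'UTF-8'
// charset plus ENT_SUBSTITUTE replaces invalid sequences with U+FFFD instead
// of silently returning an empty string.
function safe_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL query context needs a different encoder than HTML context.
function safe_url_param(string $key, string $value): string
{
    return rawurlencode($key) . '=' . rawurlencode($value);
}

// filter_var() for inputs with a known shape: validate, don't sanitize.
function safe_email(string $s): ?string
{
    $r = filter_var($s, FILTER_VALIDATE_EMAIL);
    return $r === false ? null : $r;
}

// Constructed sample input (what a request parameter might carry).
$input = $_GET['name'] ?? "<script>alert(1)</script> \"O'Brien\" 日本語";

$clean = validate_utf8_input($input);
if ($clean === null) {
    http_response_code(400);
    exit('Request parameter must be valid UTF-8');
}

echo '<p>Hello, ' . safe_text($clean) . "</p>\n";
// A query string inside an href is URL-encoded first, then HTML-escaped,
// because it sits in an attribute (HTML context) as well as a URL.
echo '<a href="/search?' . safe_text(safe_url_param('q', $clean)) . '">search</a>' . "\n";
echo 'Email: ' . (safe_email($clean) ?? '(invalid)') . "\n";

// strip_tags() removes tags but leaves quotes and entities untouched, so it
// is not an output encoder and does not replace htmlspecialchars().
echo strip_tags('<b>x</b>" onmouseover="y') . "\n";
```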


