On 22/02/06, Kevin Waterson <kevin@xxxxxxxxxxx> wrote: > This one time, at band camp, Gadi Evron <ge@xxxxxxxxxxxx> wrote: > > > 3. Staying on top of new PHP vulnerabilities has become impossible, > > popping around everywhere. > > What vulnerabilities in PHP? > Are implying the fault is within the language itself? I think Gadi meant vulnerabilities in PHP applications; though the language doesn't make it particularly easy to write secure code. > This is akin to saying C has vulnerabilites because some script kiddie > wrote a poor application. Like this ? "We can give you advice on how to write good cryptographic code. Avoid any programming language that allows buffer overflows. Specifically: don't use C or C++" -- Practical Cryptography, Schneier and Ferguson, (p149 in my copy). It's a point of view that has something to be said for it. You *can* write secure code in C and PHP, but it takes a lot of care and most programmers don't take that care. I've been told privately that one penetration tester could gain system privileges on the majority of webservers he checked; that used to surprise me, but doesn't any longer. I don't whether that's a 'vulnerability', 'disadvantage' or 'feature' of PHP and other scripting languages. cheers, Jamie -- Jamie Riden / jamesr@xxxxxxxxxx / jamie.riden@xxxxxxxxx
