* Geo. (geoincidents@xxxxxxx) wrote:
> ...
> > "The configuration flexibility of PHP is equally rivalled by the code
> > flexibility. PHP can be used to build complete server applications,
> > with all the power of a shell user, or it can be used for simple
> > server-side includes with little risk in a tightly controlled
> > environment. How you build that environment, and how secure it is, is
> > largely up to the PHP developer."
>
> And is the default install wide open or tightly controlled? I mean from a
> security standpoint we have been screaming for years at Microsoft to change
> their defaults to firewall on and things locked instead of open.
>
> Is php secure by default when it's installed on a server?
>

This question does not really have any meaning. If you ask if php _applications_ are secure by default, the answer is of course "it depends" (most php applications are broken. Just do a "grep -R eval ." and see for yourself).

The php safe_mode is not really safe. magic_quotes_gpc is broken by design.

Where does that leave us? Write secure code, validate all input or get hacked, as is the case with every other software/language.
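An added illustration of why the reply calls magic_quotes_gpc "broken by design" and insists on validating input. This is example code written for this page, not something the poster or the PHP project published. It assumes a PHP build with the pdo_sqlite extension so it can run against an in-memory database; the function names (magicQuotesStyle, naiveQuery, validatedUserId, lookupUser) and the sample rows are hypothetical. magic_quotes_gpc simply ran addslashes() over every GET/POST/COOKIE value, which only backslash-escapes quote characters; a value used in an unquoted numeric context passes through byte-for-byte unchanged, so escaping is not validation. (The setting was deprecated in PHP 5.3 and removed in 5.4.)

```php
<?php
// Added example, not from the mailing-list post. Function names are hypothetical.

// What magic_quotes_gpc did to every request value: addslashes(), nothing more.
function magicQuotesStyle(string $value): string {
    return addslashes($value);
}

// The pattern the escaping was meant to protect: the value is spliced into SQL.
// In an unquoted numeric context there is nothing for addslashes() to escape,
// so the query text is whatever the client sent. Built here only to show the
// string; it is never executed.
function naiveQuery(string $userId): string {
    return "SELECT * FROM users WHERE id = " . magicQuotesStyle($userId);
}

// Hardened: validate against what the field actually is (a bounded integer),
// reject everything else, and let the caller bind it as a parameter.
function validatedUserId(string $userId): ?int {
    // ctype_digit() rejects signs, spaces, quotes and anything non-numeric.
    if (!ctype_digit($userId) || strlen($userId) > 10) {
        return null;
    }
    return (int) $userId;
}

// Validation plus a prepared statement: the SQL grammar is fixed before the
// value is bound, so the input can only ever be treated as a number.
function lookupUser(PDO $db, string $userId): array {
    $id = validatedUserId($userId);
    if ($id === null) {
        return [];   // caller decides how to report the rejected input
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample database (in-memory SQLite) and constructed sample inputs.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

$inputs = ['2', '2 OR 1=1', "2'"];
foreach ($inputs as $input) {
    echo 'input:             ' . var_export($input, true) . "\n";
    echo 'after addslashes:  ' . var_export(magicQuotesStyle($input), true) . "\n";
    echo 'naive query text:  ' . naiveQuery($input) . "\n";
    echo 'validated lookup:  ' . json_encode(lookupUser($db, $input)) . "\n\n";
}
```

Running it shows the three inputs side by side: the plain id is accepted by both paths; the value carrying a quote is altered by addslashes() but still rejected by validation; the value with no quote at all is left untouched by addslashes() and lands in the naive query text verbatim, while validatedUserId() returns null and lookupUser() never builds a statement from it. That is the gap the reply is pointing at: a global escaping switch cannot know which context a value will end up in, only the code that consumes the value can.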