On Wed, May 10, 2006 2:16 pm, Eric Butera wrote:
> On 5/10/06, Richard Lynch <ceo@xxxxxxxxx> wrote:
> these issues because they don't even know to consider these things. I
> still see so many examples passed on that have the ability to inject
> SQL or spam via E-Mail Header injection. I mean to be fair the php
> manual never mentions that if you don't protect the parameters going
> into mail() injection is possible.
>
> I know the argument always ends up being "The language is there, you
> need to protect yourself from shooting your own foot." But isn't PHP
> so popular because the barrier into programming with it is so low?

I understand that the Manual and our answers could not possibly anticipate, much less provide advice to avoid, every possible combination of events that leads to losing one's foot.

That said, if we didn't care about keeping our feet, wouldn't we all be writing CGI scripts and custom Apache Modules in C?

PHP *has* lowered the "entry barrier" ridiculously low, to the point where we've got "idiots and English majors" writing really cool software -- complete with a total lack of any security features whatsoever.

We've made it so damn easy -- Isn't it our responsibility, to some degree, to warn users that they really do need to buy those trigger guards and locked cabinets and store the ammo separately from the weapon?

This is always a judgement call, but do we really want to spend the next decade living with the consequences of NOT providing Security advice to newbies?

zillions of web forms for email feedback with header injections
zillions of XSS attacks

We have to be pragmatic about this and inform users what NOT to do of the most common mistakes, if only to protect ourselves from the collateral damage of them shooting their foot off.

It's our own inboxes and our own bandwidth, and, ultimately, the quality of the Internet itself at stake.
If we can document for beginners the most common security mistakes, and have that documentation "in their face" when they first encounter the "answer" to what they perceive as their "current problem", surely that's worth a little effort and the blurring of the line drawn at just providing the function and leaving the responsibility on the user to be responsible.

I sometimes think PHP is like a loaded gun in the hands of a child; it's just too damn easy to use and to get yourself into serious trouble SO quickly and easily.

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
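The mail() header-injection problem the thread refers to comes from dropping a form value straight into the additional-headers string, where an embedded CR/LF lets the submitter append headers of their own (extra recipients, a second body). The following PHP is an added example written for this page, not code from either poster or from the PHP manual; the function names, the feedback-form scenario and the sample inputs are all constructed. It shows the unsafe pattern beside a hardened version that validates the address and rejects any line break or NUL before the value reaches a header.

```php
<?php
// Added example (not from the mailing-list post). Hypothetical helper names.

/**
 * Return $value only if it can safely occupy one mail header line.
 * CR, LF or NUL would let a submitter terminate the header and append
 * headers of their own, so they are refused outright rather than stripped.
 */
function assert_header_safe(string $value, string $field): string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException("Line break or NUL in $field header value");
    }
    return $value;
}

/**
 * Build the additional_headers argument for mail() from a visitor-supplied
 * reply address. The value is validated as an address first, so anything
 * that is not a plain address is rejected before the header check runs.
 */
function build_feedback_headers(string $reply_to): string
{
    if (filter_var($reply_to, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Reply address is not a valid e-mail address');
    }
    $reply_to = assert_header_safe($reply_to, 'Reply-To');
    return "From: feedback@example.com\r\nReply-To: $reply_to\r\n";
}

/**
 * The pattern the post warns about: the form value goes into the header
 * string untouched. Shown only for contrast; never call it with form input.
 */
function unsafe_feedback_headers(string $reply_to): string
{
    return "From: feedback@example.com\r\nReply-To: $reply_to\r\n";
}

// Constructed sample inputs: a normal address and one carrying a line break
// followed by an extra header line.
$samples = [
    'alice@example.net',
    "alice@example.net\r\nBcc: someone-else@example.org",
];

foreach ($samples as $input) {
    echo "unsafe builder would emit: "
        . str_replace("\r\n", ' | ', unsafe_feedback_headers($input)) . "\n";
    try {
        $headers = build_feedback_headers($input);
        echo "hardened builder accepted: " . str_replace("\r\n", ' | ', $headers) . "\n";
        // mail('owner@example.com', 'Site feedback', $body, $headers);
    } catch (InvalidArgumentException $e) {
        echo "hardened builder rejected: {$e->getMessage()}\n";
    }
}
```

Run from the command line, the unsafe builder prints a second header line for the injected sample, while the hardened builder rejects it. FILTER_VALIDATE_EMAIL already refuses an address containing a line break, so assert_header_safe() is redundant for that field; it is kept because the same check applies to header fields that are not addresses (a user-chosen Subject, for instance), where no address validator is available.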