On Thu, 2007-02-01 at 10:19 -0500, Eric Gorr wrote:
> Well, if you do not know the answer to my particular question, I'm
> curious how might you respond to someone who says:
>
>   PHP has too many security issues and should not be used with a
>   user authentication system.
>   We should use XXX.
>
> You are not allowed to say 'Well, you're wrong. PHP is as secure as
> anything else.' without explaining why.
> Or, would you agree with the statement? Is there an 'XXX' that should
> be used instead of PHP?

For the most part, any program in a mature language is as secure as the
least competent coder that worked with it. Following from that, if your
developers are competent, you are less likely to have security problems.
PHP provides all the tools necessary to write very secure applications;
most of the problems in the wild are due to incompetence, especially as
relates to popular packages (such as PHPBB).

> Given the limited number of options for maintaining state
> information, I would be hard pressed to see how any language could be
> inherently more secure or why one could not write PHP code which
> implemented the same techniques as 'XXX'.

Some languages provide features that essentially tie the developer's
hands behind their back and make it more difficult to introduce security
flaws. This ideology only has limited success because no matter how
intelligent you think your language is, there is almost certainly a human
of marvellous counter-intelligence that will do something stupid... often
by force of will.

Cheers,
Rob.
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
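As an added illustration of Rob's point (this is editor-supplied example code, not part of the original message, the InterJinn framework, or PHP's own documentation): the same login check written the way the "least competent coder" writes it, next to the same check written with tools the language itself ships. It assumes PHP 7.3 or later with the pdo_sqlite extension; the users table, the account and the injection payload are constructed for the demo.

```php
<?php
// Added example, not code from the original thread. Assumes PHP >= 7.3 with
// pdo_sqlite; the table contents and credentials below are constructed.
declare(strict_types=1);

// Throwaway in-memory database. The demo table carries a plaintext column
// (what the careless version relies on) next to a password_hash column
// (what the careful version relies on) so both functions can run against it.
function build_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT, password_hash TEXT)');
    $stmt = $db->prepare('INSERT INTO users VALUES (:name, :pw, :hash)');
    $stmt->execute([
        ':name' => 'admin',
        ':pw'   => 'correct horse',                           // plaintext: never store this
        ':hash' => password_hash('correct horse', PASSWORD_DEFAULT),
    ]);
    return $db;
}

// The careless version: user input concatenated into SQL, secret compared
// as plaintext inside the query. This is PHP's reputation, not PHP.
function login_careless(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT name FROM users WHERE name = '$user' AND password = '$pass'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC) !== false;
}

// Same task with the tools the language ships: bound parameters (no injection),
// password_verify() (salted, deliberately slow hash, constant-time compare),
// and a dummy verify for unknown names so timing does not reveal which exist.
function login_careful(PDO $db, string $user, string $pass): bool
{
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy', PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT password_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_verify($pass, $dummy);
        return false;
    }
    return password_verify($pass, $row['password_hash']);
}

// Keeping state after login: a fresh session id on privilege change (against
// session fixation) and cookie flags that keep the id away from scripts and
// off plaintext transports. Meant for the web SAPI, not the CLI.
function establish_session(string $user): void
{
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

$db = build_demo_db();
$payload = "admin' --";   // closes the string literal; SQLite treats the rest as a comment

$results = [
    'careless, real password' => login_careless($db, 'admin', 'correct horse'),
    'careless, injected name' => login_careless($db, $payload, 'anything'),
    'careful, real password'  => login_careful($db, 'admin', 'correct horse'),
    'careful, injected name'  => login_careful($db, $payload, 'anything'),
    'careful, wrong password' => login_careful($db, 'admin', 'wrong'),
];
if (PHP_SAPI !== 'cli' && $results['careful, real password']) {
    establish_session('admin');
}
foreach ($results as $case => $ok) {
    printf("%-25s %s\n", $case, $ok ? 'LOGGED IN' : 'rejected');
}
```

Run from the command line, the careless function lets the injected name in without any password, while the careful one rejects it and only admits the real credential; the language and the database are the same in both halves, which is the point of the reply above.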