Well, if you do not know the answer to my particular question, I'm
curious how might you respond to someone who says:
PHP has too many security issues and should not be used with a
user authentication system.
We should use XXX.
I think security mainly depends on the programmer and not on the
language he uses...
greets
Zoltán Németh
I totally agree.
You are not allowed to say 'Well, you're wrong. PHP is as secure as
anything else.' without explaining why.
Or, would you agree with the statement? Is there an 'XXX' that should
be used instead of PHP?
Of course not. As Zoltan stated above, security is dependent upon the
programmer and not the language. But, if you aren't familiar with why
PHP is considered so "insecure", it's a result of people who can't/don't
know how to properly program PHP applications. PHP is an easy
programming language to learn quickly and hit the ground running.
These people (typically) don't care to check to make sure writing
something like:
mysql_query('SELECT * FROM admins WHERE username = "'.$_GET['username'].'" and password = "'.$_GET['password'].'"');
is safe and secure. This is one of the bigger issues I've seen on
some PHP applications. As you will read (or perhaps already have read) on
Chris S.'s site, a big thing to do in PHP apps is FIEO (Filter
Input, Escape Output). Applications not written in this manner are
insecure; PHP isn't what's insecure.
However, with my limited Computer Science training, FIEO is something
that should be done in any application under any programming language
- for security's sake.
So, rather than consider the difference in security of a programming
language versus another, you should be asking the question "What does
PHP offer me that XXX doesn't?". Alternatively, if the person on the
other end is still too concerned about security, then you should be
considering "How much easier is it for me to program secure
applications in PHP than XXX?" If you do it right from the start,
you'll find that PHP does not make it difficult to write secure apps.
Given the limited number of options for maintaining state
information, I would be hard pressed to see how any language could be
inherently more secure or why one could not write PHP code which
implemented the same techniques as 'XXX'.
(No, I do not know what 'XXX' might be.)
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
Christopher Weldon
President & CEO
Cerberus Interactive, Inc.
cweldon@xxxxxxxxxxxxxxxxxx
(866) 813-4603 x605
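As an added illustration that is not code from anyone in this thread: the login query quoted above, rebuilt as a plain string so it runs without a database, next to a version that follows the FIEO advice using PDO prepared statements and password_verify(). The $pdo connection and the admins table with username and password_hash columns are assumptions.

```php
<?php
// Added example, not from any poster in this thread. Assumes a PDO connection
// in $pdo and a hypothetical `admins` table with `username` and `password_hash`
// columns, the hash having been produced by password_hash().

// The pattern quoted in the thread, kept as a string builder so it runs without
// a database (mysql_query() itself was removed in PHP 7). A quote character in
// either parameter ends the string literal and the remainder is parsed as SQL,
// so the query's logic is decided by the request, not by the stored credentials.
function buildLoginQueryUnsafe(array $get): string
{
    return 'SELECT * FROM admins WHERE username = "' . $get['username']
        . '" and password = "' . $get['password'] . '"';
}

// Filter Input: accept only what a username may legitimately contain.
function isValidUsername(string $username): bool
{
    return preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $username) === 1;
}

// Prepared statement plus password_verify(): the driver sends the value apart
// from the SQL text, so no user-supplied byte can alter the statement, and the
// password is compared against a salted hash rather than stored plaintext.
function authenticateAdmin(PDO $pdo, string $username, string $password): ?array
{
    if (!isValidUsername($username)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM admins WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Escape Output: anything echoed back to the browser is HTML-escaped.
function renderGreeting(string $username): string
{
    return '<p>Welcome, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Usage from a login handler once $pdo = new PDO(...) exists:
// $admin = authenticateAdmin($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($admin === null) { http_response_code(401); exit('Login failed'); }
// echo renderGreeting($admin['username']);
```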