As has been said: It all depends on the developer. A skilled developer is not restrained by how "secure" the particular language is. A skilled developer will know the pitfalls of that language, and be able to avoid them.

With php as an example, you have register_globals. Now, register_globals is NOT a bad thing. However, due to incompetent coders, it is one of the easiest exploits in many php applications. A skilled developer is able to work unconditional of whether register_globals is on on his/her server.

- Craige

On 2/3/07, Christopher Weldon <cweldon@xxxxxxxxxxxxxxxxxx> wrote:
>> Well, if you do not know the answer to my particular question, I'm
>> curious how might you respond to someone who says:
>>
>> PHP has too many security issues and should not be used with a
>> user authentication system.
>> We should use XXX.
>
> I think security mainly depends on the programmer and not on the
> language he uses...
>
> greets
> Zoltán Németh

I totally agree.

>
>> You are not allowed to say 'Well, you're wrong. PHP is as secure as
>> anything else.' without explaining why.
>> Or, would you agree with the statement? Is there an 'XXX' that should
>> be used instead of PHP?
>>

Of course not. As Zoltan stated above, security is dependent upon the programmer and not the language. But, if you aren't familiar with why PHP is considered so "insecure", it's a result of people who can't/don't know how to properly program PHP applications. PHP is an easy programming language to learn quickly and hit the ground running. These people (typically) don't care to check to make sure writing something like:

    mysql_query('SELECT * FROM admins WHERE username = "'.$_GET['username'].'" and password = "'.$_GET['password'].'"');

is safe and secure. This is one of the bigger issues I've seen on some PHP applications. As you will (or perhaps already have) read on Chris S.'s site, a big thing to do in PHP apps is FIEO (Filter Input, Escape Output). Applications written in this manner are insecure; PHP isn't what's insecure. However, with my limited Computer Science training, FIEO is something that should be done in any application under any programming language - for security's sake.

So, rather than consider the difference in security of a programming language versus another, you should be asking the question "What does PHP offer me that XXX doesn't?". Alternatively, if the person on the other end is still too concerned about security, then you should be considering "How much easier is it for me to program secure applications in PHP than XXX?"
If you do it right from the start, you'll find that PHP does not make it difficult to write secure apps.

>> Given the limited number of options for maintaining state
>> information, I would be hard pressed to see how any language could be
>> inherently more secure or why one could not write PHP code which
>> implemented the same techniques as 'XXX'.
>>
>> (No, I do not know what 'XXX' might be.)
>>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

--
Christopher Weldon
President & CEO
Cerberus Interactive, Inc.
cweldon@xxxxxxxxxxxxxxxxxx
(866) 813-4603 x605
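As an added example that is not part of the thread: the login query quoted above, written out as a function beside a version that applies FIEO (the username is validated, both values are bound as parameters so the driver escapes them for the SQL context, and the password is compared against a stored hash). It assumes a hypothetical `admins` table with `username` and `password_hash` columns and a mysqli connection `$db`.

```php
<?php
// Added example, not code from the thread. Assumes a hypothetical `admins`
// table (username, password_hash) and an open mysqli connection $db.

// The thread's version: $_GET values are spliced straight into the SQL string,
// so user input is parsed as part of the statement instead of as data.
function vulnerableLogin(mysqli $db, string $username, string $password): bool
{
    $sql = 'SELECT * FROM admins WHERE username = "' . $username
         . '" and password = "' . $password . '"';
    $result = $db->query($sql);
    return $result !== false && $result->num_rows > 0;
}

// FIEO version: filter the input up front, then hand every value to the SQL
// interpreter as a bound parameter rather than as statement text.
function secureLogin(mysqli $db, string $username, string $password): bool
{
    // Filter input: reject anything outside the expected shape before it
    // reaches the database at all.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $username)) {
        return false;
    }

    // Escape output to SQL: the placeholder is bound as data, so the value can
    // never change the structure of the query.
    $stmt = $db->prepare('SELECT password_hash FROM admins WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        return false;
    }

    // Passwords are stored as password_hash() output and checked with a
    // constant-time comparison instead of being compared as plaintext in SQL.
    return password_verify($password, $hash);
}

// Usage (assumes $db was created with new mysqli(...)):
// $ok = secureLogin($db, $_GET['username'] ?? '', $_GET['password'] ?? '');
```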