Robert Cummings wrote:
I respectfully disagree with your position. Everything you have described about Jane is also true of an operating system. There are compromised machines all over the world just because installing an operating system is so easy. No amount of packaging is going to solve the problem created by bad software and idiots.
But php coders writing code that follows basic policy rules does reduce the problem. Such policies include not writing your app so the install instructions tell the user to chmod 777 directories and files within the web root.
Since the OP is teaching a class, that's an important concept student need to understand.
Yes, there will always be mis-behaving apps. There will also be well written applications that are vulnerable simply because they use a vulnerable module or class. Creating a secure development policy and implementing it greatly reduces your well written application from being an attack vector when those issues exist, and they will always exist.
Similarly, web developers (php and other) need to start following and implementing the CSP recommendation at Mozilla.org. In a perfect world where we could guarantee our web apps were not vulnerable to XSS injection, a web app would never have to send headers telling the client what is allowed and from where, but as we don't live in a perfect world, it is the right thing to do - even though it makes coding a lot more tedious.
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
