On Dec 7, 2010, at 4:27 PM, Da Rock wrote:
> One to point out the obvious, and two to clarify your view here: why not php? 
> Php was the scripting used, but if used poorly will create a security risk in 
> the web app. That means that the vulnerability is the coder's problem; not 
> php itself. God knows how many references there are to what not to do for 
> security reasons on the php site.
> 
> Vulnerabilities due to bad coding are not the fault of the language used, 
> otherwise we wouldn't be using C, C++, etc.
> 
> I ask because I'm coding web apps in php myself, and I'm curious to know if 
> my view is in error...

I would disagree and argue that vulnerabilities due to bad coding often reflect 
flaws in the language being used.  For example, a vast range of buffer 
overflows, null pointer dereference issues, etc. are entirely a consequence of 
C-based languages which permit arbitrary pointer arithmetic.  Tools like 
valgrind and Purify were later created to help add runtime array and memory 
buffer bounds-checking to C/C++ which other languages (Java, Python, etc.) 
already provide by raising an "index out of range" exception or similar.

As for PHP and security, well, when someone ends up getting married to three 
abusive drunks in a row, there is more going on with that than random chance or 
even bad luck.  I've got an archive of a couple of years' worth of list traffic 
from full-disclosure & bugt...@securityfocus, and nearly a third of the 
messages involve PHP or software written in PHP.  That's about twice as many as 
the next largest category, which is vulnerabilities in Windows (including stuff 
like Adobe Flash/Reader).

Regards,
-- 
-Chuck
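The bounds-checking point made above, as an added example that is not part of the original thread: a small C buffer type (the `checked_buf` name and its `cb_*` functions are hypothetical, constructed for this illustration) that performs the index and length checks Java and Python do in the language itself. Where those languages raise an "index out of range" exception, plain C will happily compute an address past the end of the array; here every access goes through a checked accessor that returns an error code instead.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original thread. A minimal bounds-checked
 * buffer in C: every read, write and append verifies the index or length
 * first, which is the check that raw pointer arithmetic and strcpy()
 * never perform. */

#define CHECKED_BUF_CAP 8   /* constructed: small capacity so the edges are easy to hit */

typedef struct {
    unsigned char data[CHECKED_BUF_CAP];
    size_t len;             /* number of valid bytes currently stored */
} checked_buf;

/* Result codes standing in for the exception a memory-safe language raises. */
enum { CB_OK = 0, CB_ERR_RANGE = -1, CB_ERR_FULL = -2 };

void cb_init(checked_buf *b) { memset(b, 0, sizeof *b); }

/* Checked read: the index must be below len, not merely below capacity. */
int cb_get(const checked_buf *b, size_t idx, unsigned char *out) {
    if (idx >= b->len) return CB_ERR_RANGE;
    *out = b->data[idx];
    return CB_OK;
}

/* Checked write into an existing element. */
int cb_set(checked_buf *b, size_t idx, unsigned char v) {
    if (idx >= b->len) return CB_ERR_RANGE;
    b->data[idx] = v;
    return CB_OK;
}

/* Checked append: refuses rather than writing one byte past the end. */
int cb_push(checked_buf *b, unsigned char v) {
    if (b->len >= CHECKED_BUF_CAP) return CB_ERR_FULL;
    b->data[b->len++] = v;
    return CB_OK;
}

/* Copy a C string in with an explicit length check. Returns the number of
 * bytes copied, or CB_ERR_RANGE (leaving the buffer untouched) when the
 * source does not fit. */
int cb_copy_str(checked_buf *b, const char *src) {
    size_t n = strlen(src);
    if (n > CHECKED_BUF_CAP) return CB_ERR_RANGE;
    memcpy(b->data, src, n);
    b->len = n;
    return (int)n;
}

/* Runs the edge cases end to end and returns 1 only if every out-of-range
 * access was rejected and every in-range access succeeded. */
int cb_demo_passes(void) {
    checked_buf b;
    unsigned char v = 0;
    cb_init(&b);
    if (cb_copy_str(&b, "hello") != 5) return 0;
    if (cb_get(&b, 4, &v) != CB_OK || v != 'o') return 0;
    if (cb_get(&b, 5, &v) != CB_ERR_RANGE) return 0;   /* one past the end */
    if (cb_set(&b, 5, 'x') != CB_ERR_RANGE) return 0;
    if (cb_copy_str(&b, "123456789") != CB_ERR_RANGE) return 0; /* 9 bytes into 8 */
    if (b.len != 5) return 0;                            /* rejected copy changed nothing */
    for (int i = 0; i < 3; i++)
        if (cb_push(&b, 'a') != CB_OK) return 0;         /* fills slots 5..7 */
    if (cb_push(&b, 'a') != CB_ERR_FULL) return 0;       /* slot 8 does not exist */
    return b.len == CHECKED_BUF_CAP;
}

int main(void) {
    printf("checked buffer demo: %s\n", cb_demo_passes() ? "all edge cases rejected" : "FAILED");
    return 0;
}
```

The cost of doing this in C is that nothing forces callers to use the accessors; `b.data[9]` still compiles. That is exactly the gap the valgrind/Purify tooling mentioned above tries to close at runtime, and that Java and Python close in the language.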

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
