On 12/08/10 10:57, Chuck Swiger wrote:
> On Dec 7, 2010, at 4:27 PM, Da Rock wrote:
>> One to point out the obvious, and two to clarify your view here: why not PHP?
>> PHP was the scripting used, but if used poorly will create a security risk in
>> the web app. That means that the vulnerability is the coder's problem; not PHP
>> itself. God knows how many references there are to what not to do for security
>> reasons on the PHP site.
>>
>> Vulnerabilities due to bad coding are not the fault of the language used,
>> otherwise we wouldn't be using C, C++, etc.
>>
>> I ask because I'm coding web apps in PHP myself, and I'm curious to know if my
>> view is in error...
>
> I would disagree and argue that vulnerabilities due to bad coding often reflect flaws in
> the language being used.  For example, a vast range of buffer overflows, null pointer
> dereference issues, etc. are entirely a consequence of C-based languages which permit
> arbitrary pointer arithmetic.  Tools like valgrind and Purify were later created to help
> add runtime array and memory buffer bounds-checking to C/C++ which other languages (Java,
> Python, etc.) already provide by raising an "index out of range" exception or
> similar.
>
> As for PHP and security, well, when someone ends up getting married to three
> abusive drunks in a row, there is more going on with that than random chance or
> even bad luck.  I've got an archive of a couple of years worth of list traffic from
> full-disclosure & bugt...@securityfocus, and nearly a third of the messages
> involve PHP or software written in PHP.  That's about twice as many as the next
> largest category, which is vulnerabilities in Windows (including stuff like Adobe
> Flash/Reader).
>
> Regards,

Thanks for the heads up. What language do you recommend then based on these security reports?
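[Editor's added example, not code from either poster.] The point above about C permitting arbitrary indexing while Java or Python raise an "index out of range" exception is easiest to see in code. The following C program shows what a programmer has to write by hand to get the behaviour those languages provide at runtime: a small buffer type (the `checked_buf` struct and its `checked_*` functions are hypothetical names chosen for this example) that carries its own length and refuses any read, write or copy that would land outside the array, returning a status code where Python would throw. The sample strings are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status codes standing in for the "index out of range" exception that Java
 * or Python raise automatically; in C the check must be written and enforced
 * by the programmer, and a missing check is the classic buffer overflow. */
enum buf_status { BUF_OK = 0, BUF_OUT_OF_RANGE = -1, BUF_TOO_LONG = -2 };

/* Hypothetical fixed-capacity buffer that records how many bytes are in use,
 * so that every access can be compared against a known bound. */
struct checked_buf {
    unsigned char data[16];
    size_t len;   /* bytes currently in use; always <= sizeof data */
};

/* Read one byte. An index at or past the used length is refused. */
int checked_get(const struct checked_buf *b, size_t idx, unsigned char *out)
{
    if (b == NULL || out == NULL || idx >= b->len)
        return BUF_OUT_OF_RANGE;
    *out = b->data[idx];
    return BUF_OK;
}

/* Write one byte under the same rule, so no store can leave data[]. */
int checked_set(struct checked_buf *b, size_t idx, unsigned char v)
{
    if (b == NULL || idx >= b->len)
        return BUF_OUT_OF_RANGE;
    b->data[idx] = v;
    return BUF_OK;
}

/* Copy a C string into the buffer: the operation strcpy() performs without
 * looking at the destination size. Input longer than the capacity is
 * rejected and the buffer is left untouched instead of being overrun. */
int checked_copy(struct checked_buf *b, const char *src)
{
    size_t n;
    if (b == NULL || src == NULL)
        return BUF_OUT_OF_RANGE;
    n = strlen(src);
    if (n > sizeof b->data)
        return BUF_TOO_LONG;
    memcpy(b->data, src, n);
    b->len = n;
    return BUF_OK;
}

int main(void)
{
    struct checked_buf b = { {0}, 0 };
    unsigned char c = 0;

    /* constructed inputs: one that fits, one that would overflow */
    printf("copy \"hello\":        %d\n", checked_copy(&b, "hello"));
    printf("get index 4:         %d\n", checked_get(&b, 4, &c));
    printf("get index 5:         %d (out of range)\n", checked_get(&b, 5, &c));
    printf("set index 16:        %d (out of range)\n", checked_set(&b, 16, 'x'));
    printf("copy 40-byte string: %d (too long)\n",
           checked_copy(&b, "this string is longer than sixteen bytes"));
    return 0;
}
```

The difference from the unchecked idiom is only the comparison against `len` or `sizeof b->data` before each access; valgrind and Purify exist because that comparison is so often omitted, and languages with built-in bounds checking simply never let the programmer omit it.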
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"