another 2c worth...

So it's the programmer's responsibility to ensure all his/her code is as
secure as possible. If it can be shown that it isn't secure, then the
programmer should endeavour to close that hole.

This goes for any area that hackers can exploit, software and hardware...

-----Original Message-----
From: Michael Sims [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 21, 2001 3:43 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Re: Mommy, is it true that...?


At 11:28 PM 12/20/2001 -0500, Billy Harvey wrote:
> > Freshmeat.net is a very popular database of linux software and includes a
> > wide variety of PHP scripts.  My point was that if you downloaded an
> > insecure script from such a popular site then you are asking for trouble
> > because chances are thousands of would-be hackers have ALSO downloaded the
> > same script and have familiarized themselves with ways that it can be
> > exploited...
>
>So would you rather just use pre-compiled binaries from some company
>that says "trust me"?

Sigh.  No.  The thread has meandered quite a bit, and you'd have to read 
the whole thing to see how we got to this point.  To summarize:

Someone made the point that you should always carefully check user
submitted data, and provided an example using a poorly secured fopen()
statement whereby a hacker could gain access to /etc/passwd.  I responded
by saying that to do such a thing the hacker would have to know exactly how
your code is written.  Someone else responded saying that this was indeed
likely in shared hosting environments or open source software.  The above
is me agreeing and saying "oh I didn't think of that".  Nowhere did I say
that I think this is a disadvantage of OSS.

If you wish to extrapolate an argument from what I wrote above then here's
a good one:  When you install software that could be a potential security
risk then you should attempt to use well established, peer-reviewed OPEN
SOURCE software and ideally review the code yourself to make sure it
meets your standards of security and doesn't contain any nasty exploits.

See, I'm one of the good guys...a dot communist, just like you. ;-)


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
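The fopen() situation the thread refers to, written out as an added illustration (this is not code from any of the original posts): a request-supplied file name concatenated straight into a path, beside a checked version that confines the open to one directory. The document directory and the idea of a `file` request parameter are assumptions for the demo.

```php
<?php
// Added example, not from the thread. Assumes a fixed directory of files the
// script may serve and a (hypothetical) request parameter naming one of them.

// Unchecked: the request decides the path. A value like "../../etc/passwd"
// walks out of $docDir, which is exactly the hole discussed on the list.
function openUnchecked(string $docDir, string $name)
{
    return fopen($docDir . '/' . $name, 'r');
}

// Checked: accept only a plain file name, then confirm the resolved path
// still lies inside the intended directory before opening it.
function openChecked(string $docDir, string $name)
{
    // Only a simple name: no slashes, no NUL bytes, no "..".
    if (!preg_match('/\A[A-Za-z0-9_.-]+\z/', $name) || strpos($name, '..') !== false) {
        return false;
    }
    $base = realpath($docDir);
    $path = realpath($docDir . '/' . $name);
    // realpath() is false for a missing file; also require the base as prefix,
    // including the separator, so "$docDir-other/x" cannot slip through.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return fopen($path, 'r');
}

// Self-contained run on a constructed temporary directory.
$docDir = sys_get_temp_dir() . '/docs_' . bin2hex(random_bytes(4));
mkdir($docDir);
file_put_contents($docDir . '/readme.txt', "hello\n");

$ok  = openChecked($docDir, 'readme.txt');              // resource
$bad = openChecked($docDir, '../../../../etc/passwd');  // false
$dot = openChecked($docDir, '.');                       // false (resolves to $docDir itself)
var_dump(is_resource($ok), $bad, $dot);
if ($ok) {
    fclose($ok);
}

unlink($docDir . '/readme.txt');
rmdir($docDir);
```

An allowlist of known names is stricter still when the set of files is fixed; the realpath() prefix check is the general form when it is not.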
