On 8/22/07, Chris <[EMAIL PROTECTED]> wrote:
> That's a completely wrong assumption. PhpBB has had a lot of
> vulnerabilities in the past, as has php-nuke and other popular packages.
>
> They've been around for years and not written by newbies as far as I
> know - but I don't have any link to either package I just mentioned.
Both of those packages are spaghetti code. They started from something small and grew. Combine adding features on top with development teams of different skills, backgrounds and language barriers, and you typically get a very diverse codebase. When code isn't as tight, it opens itself up to having inconsistent methods of doing things - perhaps someone wrote an XSS-safe feature, but someone else didn't reuse that portion or reused it incorrectly. I think that's pretty common sense.

I coded my own forum from scratch, and while not as feature-rich as phpBB, nothing in it can be exploited like that. Each feature I add on top of it is also that tight. But I am a single developer; I know everything I have done. Adding other people, I would expect that it would not be as tight. It is the problem with all projects.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
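The failure mode described above (one developer writes an XSS-safe output path, a second developer renders the same data without reusing it) is easy to show in a few lines. The following is an added example written for this thread; it is not code from phpBB, php-nuke, or the poster's own forum. The helper name `e()` and the `renderPost*` functions are assumptions chosen for illustration, and the post body is a constructed sample.

```php
<?php
// Added example, not from the mailing-list thread or any package it mentions.
// Shows why one shared output-encoding helper matters: the "unsafe" renderer
// bypasses it and emits user data raw; the "safe" renderer routes every
// dynamic value through it.

declare(strict_types=1);

// Single escaping helper for HTML text and attribute context.
// Every template call site should use this instead of ad-hoc htmlspecialchars().
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// "Before": a second developer renders the post body without the helper.
// The body is interpolated straight into markup, so any tags in it are live.
function renderPostUnsafe(string $body): string
{
    return "<div class=\"post\">$body</div>";
}

// "After": every dynamic value, including the CSS class attribute, goes through e().
// ENT_QUOTES also covers the attribute context, so a stray quote cannot break out.
function renderPostSafe(string $body, string $cssClass): string
{
    return '<div class="' . e($cssClass) . '">' . e($body) . '</div>';
}

// Constructed sample input: a post body containing markup a user should
// never be able to inject as live HTML.
$untrustedBody = '<script>alert(1)</script>';

echo renderPostUnsafe($untrustedBody), PHP_EOL;          // script tag reaches the browser intact
echo renderPostSafe($untrustedBody, 'post'), PHP_EOL;    // angle brackets are encoded, rendered as inert text
```

Run it with `php example.php` and diff the two lines: the only difference between the renderers is whether the data passed through `e()`. A useful review rule that falls out of this is to grep templates for raw `echo`/interpolation of request-derived values and require every one to go through the shared helper, which is exactly the consistency a single developer gets for free and a larger team has to enforce.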