On Mon, Feb 24, Michael Torrie wrote: > Dan's question is, what is it about PHP that causes it to have such a > horrible reputation for security? What makes other languages better for > real-world web stuff? What are the trade-offs?
In PHP, the easy, obvious way to construct a webpage is to intermingle hard-coded bits with unsanitized user input. In PHP, the easy, obvious way to interact with a database is to stuff user input straight into a string and use that as your query. In PHP, the easy, obvious way to build a website is to make each page its own script, including a global configuration file if necessary. Some configurations of PHP and/or Apache make it possible to view the source of a PHP file from over the web, including the aforementioned global configuration file. In PHP, passing an array to a function makes a copy by default, making it easy to run out of memory, simplifying denial-of-service attacks. Other languages make it harder to build web stuff in the first place, making the easy, obvious way to use a framework. Most such frameworks are more inclined to make security a high priority. Django's template system, for example, escapes strings by default. SQLAlchemy makes it easier to use parameterized queries than to build the query string. Then again, PHP doesn't have buffer overflow and null pointer problems, so it might not be the absolute worst language for the web. - Eric /* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
