-----Original Message----- From: Jay [mailto:[EMAIL PROTECTED] Sent: Thursday, March 03, 2005 1:43 PM To: sqlite-users@sqlite.org Subject: Re: [sqlite] Thanks!
> >I believe writing C or C++ code is harder than writing interpreted > >code. My aim has always been to produce the best product I could, > >not to produce it with as little effort as possible. I hope the > >extra effort was worth it. I guess time will tell if I chose > >correctly. > > One caveat of languages like C and C++ is that you are opening > yourself to several classes of potential security problems that > interpreted languages tend not to have. You have to deal with things > > like buffer overflow attacks, one of the more common kind, that can > come from you not crossing every "t" and dotting every "i" with your > memory management. Interpreted languages take care of these sorts of > > things for you, so they are orders of magnitude more secure by > default. You have to put in a lot of effort with C and C++ to be > just as secure. (Sure, the interpreter engines themselves could have > > such problems, but they are exceedingly rare due to their common code > > being heavily used and examined by a relatively large group.) The > main advantages of C is that you can get the smallest possible > footprint and greatest possible speed; it is best applied to what > would be bottlenecks. -- Darren Duncan One of the things the C++ experts take particular care to remind everyone is that character arrays are evil. I thought using string classes mostly elminated the buffer overflow problem. The string class is heavily examined for such errors as are the intrepreters. I'm seeing reports of vulnerabilities in interpreted languages so I'm not sure I agree with that logic, or the orders of magnitude comparison. Do you have any references or research on it? Interpreter authors write code with errors too. If the interpreter gets tweaked every month the code only gets 30 days of testing. Few of the packages I've seen have any regression testing so new errors can be introduced with each revision and old errors can reappear. I should go look and see how they cracked php and string overflows. I just consider it bare metal programming envy :-) __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
