Posted by Toby A Inkster on 02/27/07 16:53

walterbyrd wrote:

> I honestly don't know. But, I have seen articles and posts about how
> PHP is terribly insecure.

PHP is not inherently insecure, but because it's very easy to write PHP,
it has become rather a popular language amongst people with little, if
any, formal training on how to program. Because of this, there are an
awful lot of badly written PHP scripts out there; installing them may well
open up your server to abuse.

Most security issues (in *any* language) arise from a failure to properly
check user input. Programmers make assumptions that a particular bit of
submitted input doesn't, say, contain an apostrophe and then they feed it
into a database. If a user accidentally enters an apostrophe where they
shouldn't, this may cause an error trying to insert the data into the
database. If the user *deliberately* enters an apostrophe, and then some
other specially crafted input, then they may be able to do malicious
things.

Most security issues arise from programmers making assumptions when they
shouldn't. If you always check and double-check every variable before
doing anything critical with it, then you've solved 9% of security issues
right there. (90% of security issues are caused by users who choose easy
passwords, or write their passwords on their forehead so that they can
remember it. The other 1% are "miscellaneous".)

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!

[Back to original message]