Stefan Esser retires from PHP security response team
Andy Armstrong
andy at hexten.net
Tue Dec 12 10:58:02 GMT 2006
On 11 Dec 2006, at 22:44, Peter Corlett wrote:
>> http://blog.php-security.org/archives/61-Retired-from-securityphp.net.html
>
> PHP is very much the kind of thing where you peer into the barrel,
> see a whale, and wonder why you should bother wasting a bullet on it.
It's an interesting insight into what makes a language popular. It
seems to me that the main thing PHP ever had going for it was low
cost of entry. You install it on a web server and suddenly all your
HTML can magically have fragments of code embedded in it.
On security the attitude shown to tainted data is particularly
revealing - Perl (and Ruby &c) have taint mode - which forces you to
address the taintedness of the data. PHP has 'magic quotes' which SQL-escapes
any parameters so that inexperienced programmers think the
data is safe and don't bother checking it further. Literally a false
sense of security.
--
Andy Armstrong, hexten.net
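The contrast Andy draws above, between escaping that merely transforms a value and taint mode that refuses to let unvalidated data reach a sink, as an added example that is not part of the original post: a Python emulation of PHP's addslashes() (the function magic_quotes_gpc applied to request data) beside a minimal taint-tracking wrapper in the Perl style. The names Tainted, untaint_int, build_query_escaping_only and build_query_tainted_aware are hypothetical, as is the sample request value.

```python
import re


def addslashes(s: str) -> str:
    """Emulates PHP's addslashes(), which magic_quotes_gpc ran over all request data.
    It only backslash-escapes ' " \\ and NUL and knows nothing about where the
    value will end up, so a value bound for an unquoted numeric position in SQL
    passes through unchanged."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


class Tainted(str):
    """Request-derived data not yet validated (Perl's taint flag, modelled as a type)."""


class TaintError(ValueError):
    """Raised when tainted data is used where only validated data is allowed."""


def from_request(value: str) -> Tainted:
    """Everything coming off the wire starts life tainted."""
    return Tainted(value)


def untaint_int(value: Tainted) -> int:
    """The only way out of taint: an explicit pattern match, as with Perl's regex untainting."""
    if re.fullmatch(r"\d{1,9}", value) is None:
        raise TaintError(f"not a valid numeric id: {value!r}")
    return int(value)


def build_query_escaping_only(user_id: str) -> str:
    """The magic-quotes mindset: escape, interpolate, assume safe."""
    return f"SELECT name FROM users WHERE id = {addslashes(user_id)}"


def build_query_tainted_aware(user_id: int) -> str:
    """The taint-mode mindset: refuse anything that was never validated."""
    if isinstance(user_id, Tainted):
        raise TaintError("tainted value reached the query builder")
    return f"SELECT name FROM users WHERE id = {user_id}"


def run_demo() -> dict:
    """Constructed request value with no quote characters: escaping leaves it untouched,
    the taint check rejects it because it never matched the id pattern."""
    req = from_request("42 abc")
    results = {"escaped": addslashes(req),
               "escaping_only_query": build_query_escaping_only(req)}
    try:
        results["taint_mode"] = build_query_tainted_aware(untaint_int(req))
    except TaintError as err:
        results["taint_mode"] = f"rejected: {err}"
    return results
```

addslashes() does alter the one input it was designed for (a quote becomes a backslash-quote), but its output carries no information about whether the value is fit for the context it is interpolated into; the taint wrapper makes that decision explicit and unavoidable.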
More information about the london.pm mailing list