PHP - security etc
dakkar at thenautilus.net
Wed Mar 7 14:02:51 GMT 2007
Andrew Black wrote:
> I have something of a bias against PHP and am trying to rationalise
> or correct this view.
I have a bias against PHP programmers ;-)
> I do recall that certain PHP based applications have a bad security
> reputation, but is this an aspect of the application or of PHP (or a
> bit of both),
both, but mostly it's the applications' fault (the language and
integrated libraries have their share of problems, but far less that a
> Is PHP more or less open to nastys such as SQL injection?
For a lot of time, people built their SQL queries without placeholders.
And did not escape user-supplied values before printing them out. So,
SQL Injection and XSS. Some PHP libraries *have* support for
placeholders, and most PHP templating systems *have* escaping filters. A
lot of people just don't use them...
Dakkar - <Mobilis in mobile>
GPG public key fingerprint = A071 E618 DD2C 5901 9574
6FE2 40EA 9883 7519 3F88
key id = 0x75193F88
More information about the london.pm