PHP - security etc

Dominic Mitchell dom at happygiraffe.net
Wed Mar 7 16:15:44 GMT 2007


On Wed, Mar 07, 2007 at 01:54:10PM +0000, Andy Armstrong wrote:
> PHP does also make it easy for people who don't really know what  
> they're doing to write working web apps. I regularly see, for  
> example, glaring SQL injection vulnerabilities in naively written  
> PHP. Again that's not entirely the fault of the language: it's an  
> artifact of its ease of use.

I disagree.  Not only does PHP not make it easy to be secure, it makes
it actively hard to be correct as far as I can see...  For example,
requiring you to call htmlspecialchars() on every string that ends up in
the page is completely inexcusable in order to avoid XSS attacks.  

I'm not saying that doing so is bad.  I'm saying that the mechanism for
doing so is so programmer-hostile that it ends up not being done.

-Dom
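As an added example (not code from either poster), here is the pattern Dom is describing, the naive echo beside the htmlspecialchars() call, and one way to make escaping the default so it is not something to remember at every output point; the h() and render() helpers and the attacker-controlled sample string are constructed for this illustration.

```php
<?php
declare(strict_types=1);

/** Escape a value for HTML text and double-quoted attribute contexts. */
function h(string $s): string
{
    // ENT_QUOTES also escapes ' and ", so the same call is safe inside quoted attributes.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Minimal escape-by-default template: {{name}} is always escaped;
 * {{{name}}} inserts trusted HTML unescaped and is the explicit opt-out.
 * One pass, so raw values are never re-scanned for placeholders.
 */
function render(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\{\{\{(\w+)\}\}\}|\{\{(\w+)\}\}/',
        function (array $m) use ($vars): string {
            if ($m[1] !== '') {                          // {{{raw}}}: trusted HTML
                return (string)($vars[$m[1]] ?? '');
            }
            return h((string)($vars[$m[2]] ?? ''));      // {{safe}}: escaped
        },
        $template
    );
}

// Constructed, attacker-controlled input (e.g. from $_GET['name']).
$name = '"><script>alert(1)</script>';

// 1. Naive PHP: the markup reaches the browser as markup (XSS).
$vulnerable = "<p>Hello, $name</p><input value=\"$name\">";

// 2. Manual escaping: correct, but must be repeated at every echo.
$manual = '<p>Hello, ' . h($name) . '</p><input value="' . h($name) . '">';

// 3. Escape-by-default template: forgetting is no longer the failure mode.
$templated = render('<p>Hello, {{name}}</p><input value="{{name}}">', ['name' => $name]);

echo $vulnerable, PHP_EOL;
echo $manual, PHP_EOL;
echo $templated, PHP_EOL;   // same output as $manual; no raw <script> or " in it
```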

