PHP - security etc
David Cantrell
david at cantrell.org.uk
Wed Mar 7 20:08:23 GMT 2007
On Wed, Mar 07, 2007 at 04:15:44PM +0000, Dominic Mitchell wrote:
> On Wed, Mar 07, 2007 at 01:54:10PM +0000, Andy Armstrong wrote:
> > PHP does also make it easy for people who don't really know what
> > they're doing to write working web apps. I regularly see, for
> > example, glaring SQL injection vulnerabilities in naively written
> > PHP. Again that's not entirely the fault of the language: it's an
> > artifact of its ease of use.
> I disagree. Not only does PHP not make it easy to be secure, it makes
> it actively hard to be correct as far as I can see... For example,
> requiring you to call htmlspecialchars() on every string that ends up in
> the page is completely inexcusable in order to avoid XSS attacks.
Of course, one has to do the same when putting a web page together using
perl, don't you?
--
David Cantrell | Hero of the Information Age
Planckton: n, the smallest possible living thing
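The two mistakes the thread mentions, shown side by side with their corrected form, as an added example (not code from the thread or from any of its posters). It assumes PHP 8 with the PDO SQLite driver; the table, the user names and the two "untrusted" input strings are constructed stand-ins for `$_GET` values.

```php
<?php
// Added example: naive versus hardened handling of untrusted input in PHP.
// Assumes PHP >= 8 and the pdo_sqlite extension; everything else is built in memory.

declare(strict_types=1);

// Constructed sample input standing in for $_GET['name'] and $_GET['id'].
$untrustedName = '<script>alert(1)</script>';
$untrustedId   = '1 OR 1=1';

// --- XSS: every string that ends up in the page must be escaped for its context.

function renderGreetingNaive(string $name): string
{
    // Vulnerable: raw interpolation of user input into HTML.
    return "<p>Hello, $name</p>";
}

function renderGreeting(string $name): string
{
    // Hardened: encode for the HTML text/attribute context. ENT_QUOTES covers
    // both quote characters, ENT_SUBSTITUTE avoids returning '' on bad UTF-8.
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<p>Hello, $safe</p>";
}

// --- SQL injection: keep data out of the query text with bound parameters.

function findUserNaive(PDO $db, string $id): array
{
    // Vulnerable: concatenation lets the input rewrite the WHERE clause.
    return $db->query("SELECT id, name FROM users WHERE id = $id")
              ->fetchAll(PDO::FETCH_ASSOC);
}

function findUser(PDO $db, string $id): array
{
    // Hardened: prepared statement; the driver sends $id as a value, never as SQL.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory SQLite with constructed rows so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

echo renderGreetingNaive($untrustedName), "\n";
echo renderGreeting($untrustedName), "\n";

echo count(findUserNaive($db, $untrustedId)), " rows (naive)\n";
echo count(findUser($db, $untrustedId)), " rows (prepared)\n";
```

Run it with `php example.php`. The naive greeting hands the script tag to the browser while the hardened one emits it as inert `&lt;script&gt;` text; the naive lookup matches every row because the input became part of the query, whereas the prepared statement compares the column against the literal string and matches none. Note that `htmlspecialchars()` is only correct for the HTML text and attribute contexts; a value placed inside a `<script>` block, a URL or a CSS rule needs the encoder for that context.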