PHP - security etc

David Cantrell david at
Wed Mar 7 20:08:23 GMT 2007

On Wed, Mar 07, 2007 at 04:15:44PM +0000, Dominic Mitchell wrote:
> On Wed, Mar 07, 2007 at 01:54:10PM +0000, Andy Armstrong wrote:
> > PHP does also make it easy for people who don't really know what  
> > they're doing to write working web apps. I regularly see, for  
> > example, glaring SQL injection vulnerabilities in naively written  
> > PHP. Again that's not entirely the fault of the language: it's an  
> > artifact of its ease of use.
> I disagree.  Not only does PHP not make it easy to be secure, it makes
> it actively hard to be correct as far as I can see...  For example,
> requiring you to call htmlspecialchars() on every string that ends up in
> the page is completely inexcusable in order to avoid XSS attacks.  

Of course, one has to do the same when putting a web page together using
perl, don't you?

David Cantrell | Hero of the Information Age

    Planckton: n, the smallest possible living thing

More information about the mailing list