Re: is PHP less secure than Perl, Python, or Ruby?



walterbyrd wrote:

I honestly don't know. But, I have seen articles and posts about how
PHP is terribly insecure.

PHP is not inherently insecure, but because it's very easy to write PHP,
it has become rather a popular language amongst people with little, if
any, formal training on how to program. Because of this, there are an
awful lot of badly written PHP scripts out there; installing them may well
open up your server to abuse.

Most security issues (in *any* language) arise from a failure to properly
check user input. Programmers make assumptions that a particular bit of
submitted input doesn't, say, contain an apostrophe and then they feed it
into a database. If a user accidentally enters an apostrophe where they
shouldn't, this may cause an error trying to insert the data into the
database. If the user *deliberately* enters an apostrophe, and then some
other specially crafted input, then they may be able to do malicious
things.

Most security issues arise from programmers making assumptions when they
shouldn't. If you always check and double-check every variable before
doing anything critical with it, then you've solved 9% of security issues
right there. (90% of security issues are caused by users who choose easy
passwords, or write their passwords on their forehead so that they can
remember them. The other 1% are "miscellaneous".)

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!
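The apostrophe problem described in the reply above, shown in working code. This is an added example, not code from the original post; it assumes the pdo_sqlite extension is available and uses an in-memory SQLite database with a constructed sample name.

```php
<?php
// Added example (not from the original post): the apostrophe problem the
// reply describes, shown with an in-memory SQLite database via PDO.
// Assumes the pdo_sqlite extension is available.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample input: an ordinary surname that happens to contain an apostrophe.
$name = "O'Brien";

// 1. The assumption the post warns about: submitted input is pasted straight
//    into the SQL text. The quote in the name ends the string literal early,
//    so the statement is malformed and the insert fails with an error.
//    Deliberately crafted input would instead change what the statement does.
try {
    $db->exec("INSERT INTO users (name) VALUES ('$name')");
    echo "naive insert succeeded (unexpected)\n";
} catch (PDOException $e) {
    echo "naive insert failed: " . $e->getMessage() . "\n";
}

// 2. The fix: a prepared statement. The value travels separately from the
//    SQL text, so an apostrophe (or anything else) in it is only data.
$stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute([':name' => $name]);

// 3. Check the input on the way in as well, as the post advises: reject
//    values that make no sense for the field instead of relying on escaping.
//    validName() is a hypothetical helper written for this example; the
//    allowed set (letters, apostrophe, space, dot, hyphen) is an assumption.
function validName(string $s): bool {
    return $s !== ''
        && strlen($s) <= 100
        && preg_match("/^[\\p{L}' .-]+$/u", $s) === 1;
}
var_dump(validName($name));      // a real surname passes
var_dump(validName("12345;"));   // digits and a semicolon do not

$row = $db->query('SELECT name FROM users')->fetch(PDO::FETCH_ASSOC);
echo "stored: {$row['name']}\n";
```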