<div dir="ltr"><div><div>Ah, so you're saying that cars are bad because there are dumb drivers that can't replace an engine?<br><br></div>Is there bad code written in PHP? Sure. Same for Python, Perl, C(++/sharp) etc. Don't blame the language for the users. <br>
<br></div>Leam<br><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jul 22, 2013 at 9:47 AM, Michael B. Trausch <span dir="ltr"><<a href="mailto:mbt@naunetcorp.com" target="_blank">mbt@naunetcorp.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>On 07/21/2013 04:44 PM, Andy Borgmann
wrote:<br>
</div>
<blockquote type="cite">Where do you see this being a PHP non-security. It
sounds like it was an updated version of vBulletin's admin panel
that had a security flaw. Even if vBulletin is coded in PHP, I
don't see why blaming PHP as a whole is warranted in this case and
not just vBulletin. PHP seems secure enough or Facebook.</blockquote>
<br>
Some points:<br>
<ol>
<li>Facebook does not run the official PHP, they run a subset of
it that is then compiled, if memory serves, to C++ and then
compiled to system code.</li>
<li>PHP itself is insecure for <b>many</b> reasons, the least of
which:</li>
<ol>
<li>PHP has never deprecated functionality that is known-unsafe,
given the average experience of the PHP-only programmer; for
example, SQL injection attacks are pandemic in PHP code not
because it's any less safe than C, but because it is just as
safe as C and PHP-only programmers don't have perspective from
which to draw from to secure their own code. This flaw could
be fixed in PHP by removing functions that permit it; in my
book, that makes it a PHP flaw (it's easier to fix PHP than it
would be to fix all PHP programmers).</li>
<li>PHP has a large number of pseudoprogrammers that work with
it. These people are mostly management types that found that
they can quickly piece together a PHP script and make it do
something useful. These people have no background in
security, information technology, information systems or any
similar such topic. They often C&P pathologically, and
the systems that they create are swiss cheese from a security
perspective. Again, this is something that can be fixed in
PHP, by ensuring that variables that come from the user are
always represented in a canonical format and that outputs are
properly escaped.</li>
<li>PHP has a large number of what I call "auto-fsck-you"
features built-in to it that most people do not understand.
One such example is PHP's associative arrays, which are really
integer arrays. The reason that integers and string keys can
both be used in PHP in the same array is that they share the
same namespace; a very large sequential array is quite likely
to clash with the hashed namespace used for string keys. Fun,
yes? And that's just one example.</li>
</ol>
</ol>
<p>I could go on for pages, but there are many others who have done
so at length; I won't reinvent the wheel here. I can say, though,
that a quick review of US-CERT data shows that PHP and
applications written in it are still among the most common of
security problems—even in systems written by professional
programmers.<span class="HOEnZb"><font color="#888888"><br>
</font></span></p><span class="HOEnZb"><font color="#888888">
<div>-- <br>
<table border="0">
<tbody>
<tr>
<td> <img src="cid:part1.08030604.02090804@naunetcorp.com" alt="Naunet Corporation Logo"> </td>
<td> Michael B. Trausch<br>
<br>
President, <b>Naunet Corporation</b><br>
☎ <a href="tel:%28678%29%20287-0693%20x130" value="+16782870693" target="_blank">(678) 287-0693 x130</a> or <a href="tel:%28888%29%20494-5810%20x130" value="+18884945810" target="_blank">(888) 494-5810 x130</a><br>
<br>
</td>
</tr>
</tbody>
</table>
</div>
</font></span></div>
<br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div><a href="http://leamhall.blogspot.com/" target="_blank">Mind on a Mission</a></div>
</div></div>