[ale] Seven Deadly Sins - PHP

J.M. Taylor jtaylor at onlinea.com
Wed Jun 11 09:32:42 EDT 2003


When I replied last night, I was replying to questions about PHP security
in specific as best I know.  I've finally had time to read the article
itself and would like to offer that these are not Bob's words, but quotes
and paraphrases.

I would be interested to know if he said, verbatim, "Don't use PHP even
tho it's convenient", or if he said something more general about not
trusting cgi-bin of any sort, including perl and PHP.  If the former, I
would like to echo Frank's request for an alternative.

Most admins don't have the luxury of enough time to learn PHP well enough
to audit it properly...and most admins are the ones tasked with security.
It's not a fun position to be in.  So if you can get away with it, don't
run PHP.  Or DNS. Or god forbid NIS or NFS or any other service you don't
actually need.  I could argue that DNS is "convenient" too...I mean,
you've got a hosts file, right? :)  But the point is a good one -- if you
don't need it, don't run it.  If you don't know how to secure it, learn, or
don't run it. Maybe that's all he meant. :)

Done now. Really.
jenn


_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale