[pmwiki-users] Selecting a Wiki engine...
Joachim Durchholz
jo at durchholz.org
Fri Oct 6 12:17:09 CDT 2006
Thomas -Balu- Walter wrote:
> On Mon, Oct 02, 2006 at 11:00:23PM +0200, Joachim Durchholz wrote:
>>> It's as usual - it's not the language that has security problems, it is
>>> the code - or, said the other way round, the developers.
>> I have to *strongly* disagree.
>> While you're right that it's the code that's insecure, not the language
>> per se, a language design can encourage or discourage secure code. And
>> in this respect, PHP is quite far on the insecure side.
>
> When coding web applications the most common errors are not checking
> received input, creating insecure SQL queries and sending raw data back
> to the browser.
With a good database layer, insecure SQL queries don't usually happen.
E.g. I'm using a database layer that allows me to say
db_query (
'SELECT * FROM accounts WHERE user = :field_value',
array ('field_value' => $_REQUEST ['userid'])
);
and I don't have to worry about SQL injections anymore, because the
layer will properly SQL-escape the field value.
A similar mechanism exists in Perl.
The difference is: In Perl, almost every developer knows that it exists.
In PHP, the usual tutorials don't even mention these database
mechanisms - they aren't available on every machine, and installing them
on one's own requires several steps, of which some can fail due to
configuration differences - no wonder that the newbie tutorials tend to
avoid the issue.
> It's the developer's task to make sure those can not be
> exploited in any language.
Sure.
However, some languages make that easier than others.
PHP makes it quite hard, and that's bad.
>> PHP also has a long history of bad design decisions. The various
>> magic_quotes directives in php.ini really stink - they can't be switched
>> off from PHP, there's no way to undo their effects where you need it,
>> and they don't do the job properly - they actually managed to cover all
>> possible serious design errors for a quoting mechanism in a single grand
>> misdecision.
>
> But it is possible to revert those in a script - in fact I'm using a
> small snippet in most of my scripts to do so.
Some can, some can't.
E.g. you can't undo the effect of magic_quotes_gpc in $_REQUEST.
> Anyway - back from language flame wars
...what flame war?
;-))
Regards,
Jo
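Added example, not part of the mail above or of any library it mentions: the account lookup from the thread written twice in PHP, once with the request value concatenated into the SQL text and once as a PDO prepared statement with the same ':field_value' named placeholder that Jo's db_query() wrapper uses. It assumes PHP with the PDO SQLite driver and builds an in-memory table of constructed sample rows, so it runs without a database server; the db_query() function itself is Jo's and is not defined here.

```php
<?php
// Added example (not from the original mail): insecure string-built query
// beside a parameterized one. Uses an in-memory SQLite database so it runs
// offline; the accounts table and its two rows are constructed sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (user TEXT, email TEXT)');
$db->exec("INSERT INTO accounts VALUES ('alice', 'alice@example.org')");
$db->exec("INSERT INTO accounts VALUES ('bob', 'bob@example.org')");

// Insecure: the request value becomes part of the SQL text, so a value
// containing a quote changes the meaning of the WHERE clause. This is the
// "creating insecure SQL queries" mistake named in the thread.
function find_account_unsafe(PDO $db, $userid) {
    $sql = "SELECT * FROM accounts WHERE user = '" . $userid . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Secure: the SQL text is fixed at prepare() time and the value is bound to
// the :field_value placeholder afterwards, so the driver only ever treats it
// as data. A wrapper like db_query($sql, array('field_value' => ...)) from
// the mail would do exactly this underneath.
function find_account_safe(PDO $db, $userid) {
    $stmt = $db->prepare('SELECT * FROM accounts WHERE user = :field_value');
    $stmt->execute(array('field_value' => $userid));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A constructed stand-in for a $_REQUEST['userid'] value that carries a
// quote; in a real script it would come straight from the browser.
$hostile = "x' OR '1'='1";

echo "unsafe: " . count(find_account_unsafe($db, $hostile)) . " rows\n";
echo "safe:   " . count(find_account_safe($db, $hostile)) . " rows\n";
echo "safe, real user: " . count(find_account_safe($db, 'alice')) . " rows\n";
```

With the constructed value the unsafe function returns both sample rows, because the quote turns the WHERE clause into a tautology, while the parameterized function returns none (no account is literally named that) and still finds 'alice' normally. The point of the thread is the second shape: once the placeholder mechanism is the default way to write queries, escaping is no longer something each developer has to remember.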