[pmwiki-users] Selecting a Wiki engine...

Joachim Durchholz jo at durchholz.org
Fri Oct 6 12:17:09 CDT 2006


Thomas -Balu- Walter schrieb:
> On Mon, Oct 02, 2006 at 11:00:23PM +0200, Joachim Durchholz wrote:
>>> It's as usual - it's not the language that has security problems, it is
>>> the code - or said other way round - the developers. 
>> I have to *strongly* disagree.
>> While you're right that it's the code that's insecure, not the language 
>> per se, a language design can encourage or discourage secure code. And 
>> in this respect, PHP is quite far on the insecure side.
> 
> When coding web applications the most common errors are not checking
> received input, creating insecure SQL queries and sending raw data back
> to the browser.

With a good database layer, insecure SQL queries don't usually happen. 
E.g. I'm using a database layer that allows me to say
   db_query (
     'SELECT * FROM accounts WHERE user = :field_value',
     array ('field_value' => $_REQUEST ['userid'])
   );
and I don't have to worry about SQL injections anymore, because the 
layer will properly SQL-escape the field value.

A similar mechanism exists in Perl.
The difference is: In Perl, almost every developer knows that it exists. 
In PHP, the usual tutorials don't even mention these database 
mechanisms - they aren't available on every machine, and installing them 
on one's own requires several steps, of which some can fail due to 
configuration differences - no wonder that the newbie tutorials tend to 
avoid the issue.

> It's the developer's task to make sure those can not be
> exploited in any language.

Sure.
However, some languages make that easier than others.
PHP makes it quite hard, and that's bad.

>> PHP also has a long history of bad design decisions. The various 
>> magic_quotes directives in php.ini really stink - they can't be switched 
>> off from PHP, there's no way to undo their effects where you need it, 
>> and they don't do the job properly - they actually managed to cover all 
>> possible serious design errors for a quoting mechanism in a single grand 
>> misdecision.
> 
> But it is possible to revert those in a script - in fact I'm using a
> small snippet in most of my scripts to do so.

Some can, some can't.
E.g. you can't undo the effect of magic_quotes_gpc in $_REQUEST.

> Anyway - back from language flame wars

...what flame war?
;-))

Regards,
Jo
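The pattern Jo describes above, written out as an added example that is not part of the original post or of any library Jo uses: a db_query() helper built on PHP's bundled PDO layer, with an in-memory SQLite database, a small accounts table and a stand-in for $_REQUEST['userid'] all constructed here for the demonstration. It runs the same query once through a named placeholder and once through string interpolation, so the difference the post is talking about is visible on a legitimate value that merely contains an apostrophe.

```php
<?php
// Added example (not from the list post). Requires the pdo_sqlite extension,
// which ships with most PHP builds; everything else is constructed inline.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Prefer real server-side prepared statements where the driver has them,
// rather than client-side emulation that works by escaping text.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample data: one ordinary name, one with an embedded quote.
$db->exec('CREATE TABLE accounts (user TEXT, balance INTEGER)');
$db->exec("INSERT INTO accounts VALUES ('alice', 10), ('o''brien', 20)");

/**
 * Counterpart of the poster's db_query(): the SQL text carries named
 * placeholders, the values travel separately, and the driver keeps the
 * two apart, so no value can change the shape of the statement.
 */
function db_query(PDO $db, string $sql, array $params): array
{
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hypothetical request value standing in for $_REQUEST['userid'].
$userid = "o'brien";

// Safe form: the apostrophe is data and the lookup simply works.
$rows = db_query(
    $db,
    'SELECT * FROM accounts WHERE user = :field_value',
    ['field_value' => $userid]
);
// Older pdo_sqlite returns every column as a string, hence the cast.
if (count($rows) === 1 && (int) $rows[0]['balance'] === 20) {
    echo "parameterised query: found {$rows[0]['user']} with balance 20\n";
}

// Unsafe form: the value is pasted into the SQL text. With this input the
// statement is merely malformed and PDO throws; the same construction is
// what makes SQL injection possible in the first place.
try {
    $db->query("SELECT * FROM accounts WHERE user = '$userid'");
    echo "concatenated query unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . "\n";
}
```

Note that the protection comes entirely from passing the value through execute() rather than into the query string; a helper like this is only as safe as the discipline of never building the SQL text from request data, which is why the post stresses that the mechanism has to be the one newcomers are taught first.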
