[KLUG Members] Linux Security

bill members@kalamazoolinux.org
Fri, 06 Jun 2003 09:57:54 -0400


I've never heard that PHP is any less secure than any other server-based programming language for the
web.  Security problems arise because the programmer doesn't consider how capable the program
can be.  The writer is probably arguing ("thinking" would be too generous a word) from a
sysadmin's perspective, not a programmer's.  Note he says: "Many programmers don't know secure
programming techniques."

Because you can't prevent the programmer from writing bad programming, he only wants them to use
crippled programs.  PHP is too -powerful- a tool for him to grant it to the programming peons.
So, "let 'em eat cake."

I doubt he's really all that familiar with it simply because he's a sysadmin, not a programmer.
The only virtue he really knows about PHP is "convenience."  He doesn't mention dynamic
websites, database interaction, or any data manipulation at all.  How does he get websites to
communicate with each other?  Parse and create XML?  Handle uploads?  Make calendars, PDFs,
XLSs, sessions, CC transactions, etc., etc.  The list goes on and on.  Note he assumes CGI,
which, on the web, can grant higher access than PHP run as a module, takes more resources, and
is an overall kludge in comparison.  I think his issue with PHP is due to unfamiliarity and fear
of its power.  It's not clear he is aware of what websites do today or how he would replicate
such capabilities with other means.

Bruce Smith wrote:

> The article,  "Linux security: The seven deadly sins",  is a good
> read, but nothing new and earth shattering for experienced sysadmins.
>
> http://searchenterpriselinux.techtarget.com/originalContent/0,289142,sid39_gci904844,00.html
>
> Except, under #4, it says: "Don't use PHP, even though it's convenient"
>
> And that's ALL he says about PHP.  He doesn't elaborate why he thinks
> PHP is insecure in general.  Sure, you can write insecure PHP scripts,
> but are _all_ PHP scripts insecure as a whole?  Any speculation what he
> might be thinking?
>
> --------------------------------------------
> Bruce Smith                bruce@armintl.com
> System Administrator / Network Administrator
> Armstrong International, Inc.
> Three Rivers, Michigan  49093  USA
> http://www.armstrong-intl.com/
> --------------------------------------------
>
> _______________________________________________
> Members mailing list
> Members@kalamazoolinux.org
>
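The point Bill makes above, that PHP is only as dangerous as the code written in it, as an added example that is not part of the original post or the linked article: a file-upload handler (one of the capabilities he lists) written the "convenient" way beside a hardened version. It assumes PHP 7.1 or later with the fileinfo extension, a form field named `doc`, and a storage directory outside the web root; the directory paths and function names are hypothetical.

```php
<?php
// Added example, not code from the KLUG post or the TechTarget article.
// Assumes PHP >= 7.1 with ext/fileinfo; directory names are hypothetical.

// Convenient but dangerous: trusts the client-supplied filename and drops it
// straight into the document root, so an upload named "shell.php" (or
// "../shell.php") becomes executable code running as the web server user.
function save_upload_naive(array $file, string $webRoot): string
{
    $dest = $webRoot . '/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Hardened: check the upload status and size, allow-list the extension, verify
// the content's MIME type rather than the client-declared one, pick a random
// server-side name, and store outside the web root. Returns null on rejection.
function save_upload_safe(array $file, string $storeDir, int $maxBytes = 2097152): ?string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > $maxBytes) {
        return null;
    }
    // Allow-list: extension => the MIME type the content must actually have.
    $allowed = [
        'pdf' => 'application/pdf',
        'png' => 'image/png',
        'jpg' => 'image/jpeg',
    ];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }
    // Sniff the bytes on disk; do not trust $file['type'], which the client sets.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowed[$ext]) {
        return null;
    }
    // Server-chosen name: the original filename never becomes part of a path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storeDir, '/') . '/' . $name;
    // move_uploaded_file() refuses anything that was not an HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640); // readable by the web server, not world-readable
    return $dest;
}

// Request handling (hypothetical paths). Files are served later through a
// download script that reads from the private directory, not by URL.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['doc'])) {
    $saved = save_upload_safe($_FILES['doc'], '/var/www/uploads-private');
    header('Content-Type: text/plain');
    echo $saved === null ? "rejected\n" : "stored\n";
}
```

The difference between the two functions is not PHP versus some other language; it is whether the author treated the filename, type and size that the browser sends as attacker-controlled input. Running PHP as a module or as CGI changes which user the resulting shell runs as, not whether the naive version hands one out.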