[KLUG Members] Linux Security

Adam Williams members@kalamazoolinux.org
06 Jun 2003 11:12:25 -0400


> I've never heard PHP is any less secure than any other server-based programming language for the
> web.  Security problems arise because the programmer doesn't consider how capable the program
> can be.  The writer is probably arguing ("thinking" would be too generous a word) from a
> sysadmin's perspective, not a programmer.  Note he says: "Many programmers don't know secure
> programming techniques."

I know a lot of programmers who don't know "programming techniques" let
alone anything about security.

> Because you can't prevent the programmer from writing bad programming, he only wants them to use
> crippled programs.  PHP is too -powerful- a tool for him to grant it to the programming peons.
> So, "let 'em eat cake."

PHP only supports the modules you enable, so one has direct control over
its level of functionality.

It could be he is just opposed to the use of DSO modules of any sort,
PHP being by far the most common.  I've heard arguments here and there
that executing any code inside the webserver is just a bad idea.  It
seems a bit curmudgeonly to me, especially if the webserver is
executing within its own security context (not root).

> I doubt he's really all that familiar with it simply because he's a sysadmin, not a programmer.
> The only virtue he really knows about PHP is "convenience."  He doesn't mention dynamic
> websites, database interaction, or any data manipulation at all.  How does he get websites to

Hey, but all those are *SO* convenient!

> communicate with each other?  Parse and create XML?  Handle uploads?  Make calendars, PDFs,
> XLSs, sessions, CC transactions, etc., etc.  The list goes on and on.  Note he assumes CGI,
> which, on the web, can grant higher access than PHP run as a module,

Amen.  I hate CGIs, and I AM an administrator.

> takes more resources, and
> is an overall kludge in comparison.  I think his issue with PHP is due to unfamiliarity and fear
> of its power.  It's not clear he is aware of what websites do today or how he would replicate
> such capabilities with other means.

His article is published on a dynamic interactive web site.

And one running IIS & ASP!!!  Pphhhffttt..