Bugtraq mailing list archives
Re: PHP security (or the lack thereof)
From: Darren Reed <avalon () caligula anu edu au>
Date: Sun, 25 Jun 2006 08:42:39 +1000 (Australia/ACT)
In some mail from john mullee, sie said:
> --- Darren Reed <avalon () caligula anu edu au> wrote:
> > From my own mail archives, PHP appears to make up at least 4% of the
> > email to bugtraq I see - or over 1000 issues since 1995, out of the
> > 25,000 I have saved.
> >
> > People complain about applications like sendmail... in the same period,
> > it has been responsible for less than 200.
> >
> > Do we have a new contender for worst security offender ever written?
>
> I guess most of the remaining offending apps were written in C: as much
> as 96% ?!! (including basically all of microsoft's stuff!!)
> Surely the least secure language of all time !!!
>
> Note also that no vulnerable apps were written in:
> - cobol, rpg3, prolog, ada, scheme, lisp, pl/1, occam, modula-2, or MIX
But in the 1990s, Java was created. Java applications exist. Java servlets and applets also exist. There have been barely a *handful* of JRE/JVM security problems.

So the point of this is to say that new, modern development languages that are secure can be and are being developed and used. That PHP is relatively new with respect to computing and has so many security problems should be an embarrassment to its developers and users.

Or to put it another way, if there are so many security problems with PHP, then the PHP development model or use model needs to be seriously reconsidered and redeveloped such that it is immune to such security issues. This may, of course, mean throwing away PHP and starting over (see C/C++ -> Java).

Oh, and btw, you forgot to mention fortran.

Darren
Current thread:
- PHP security (or the lack thereof) Darren Reed (Jun 16)
- Re: PHP security (or the lack thereof) Bojan Zdrnja (Jun 17)
- Re: PHP security (or the lack thereof) Jessica Hope (Jun 21)
- Re: PHP security (or the lack thereof) Jose Nazario (Jun 17)
- Re: PHP security (or the lack thereof) Geo. (Jun 19)
- Re: PHP security (or the lack thereof) kicktd (Jun 21)
- Re: PHP security (or the lack thereof) Geo. (Jun 21)
- Re: PHP security (or the lack thereof) Crispin Cowan (Jun 22)
- Re: PHP security (or the lack thereof) Geo. (Jun 19)
- Re: PHP security (or the lack thereof) Bojan Zdrnja (Jun 17)
- Re: PHP security (or the lack thereof) Neil Neely (Jun 19)
- Re: PHP security (or the lack thereof) john mullee (Jun 23)
- Re: PHP security (or the lack thereof) Darren Reed (Jun 26)
- Re: PHP security (or the lack thereof) Ronald Chmara (Jun 27)
- Re: PHP security (or the lack thereof) Tonnerre Lombard (Jun 28)
- Re: PHP security (or the lack thereof) Darren Reed (Jun 28)
- Re: PHP security (or the lack thereof) Darren Reed (Jun 26)
- <Possible follow-ups>
- Re: PHP security (or the lack thereof) Steven M. Christey (Jun 17)
- Re: PHP security (or the lack thereof) Alan J Rosenthal (Jun 21)
- Re: PHP security (or the lack thereof) Geo. (Jun 23)
- Re: Re: PHP security (or the lack thereof) nabiy (Jun 23)
- Re: PHP security (or the lack thereof) Crispin Cowan (Jun 23)
- Re: PHP security (or the lack thereof) Daniel Hulme (Jun 26)
- Re: PHP security (or the lack thereof) Tobias J. Kreidl (Jun 26)
- Re: PHP security (or the lack thereof) Crispin Cowan (Jun 23)