Re: Secure Coding for Newbies?

[Michael R.Bagnall <mike () powertools net>]

I really don't think that this list is the place to debate what is a 
"good" or a "bad" language for web applications. I've been writing web 
applications in perl for years and have been able to do many things 
that people writing in other languages either could not, or have not 
done. The point of the post was to get information on the best and most 
secure ways to write code in PHP.... editorializing really isn't the 
point here.

For whatever it's worth...


On Monday, Oct 28, 2002, at 09:31 US/Central, Kevin Spett wrote:

> Well, to start with, I think Perl is a bad language for web 
> applications,
> and I think PHP is truly terrible.  There are serious design flaws in 
> PHP
> (such as giving the client access to all variables) and that coding in 
> it
> securely is annoying enough to make it not worthwhile.  In addition, it
> looks bad.  You've got HTML, JavaScript, application code and database 
> code
> all in a single document, which is no fun at all.  Using JSP/XSLT, 
> servlets
> and Java beans is a much nicer solution from many angles.
>
> But hey, if you want an easy-to-read guide to secure PHP programming, 
> check
> this out: http://www.zend.com/zend/art/art-oertli.php
>
>
>
> Kevin Spett
> SPI Labs
> http://www.spidynamics.com/
>
> ----- Original Message -----
> From: "Joe User" <joeuser () blazemail com>
> To: <webappsec () securityfocus com>
> Sent: Monday, October 28, 2002 6:03 AM
> Subject: Secure Coding for Newbies?
>
>
> > Hi,
> >
> > I'm a beginner in PHP and Perl coding and would like a little help!  
> > I've
> written a few small scripts for personal use, but I want to start 
> writing
> scripts that will be used by / open to the public, and want to write 
> them
> with security in the forefront.
> > I'm having a hard time finding specific, concrete examples of common
> webapp security problems and examples of how to avoid them.  Many 
> sites say
> "validate user input" or "avoid path traversal" or "beware of include 
> files"
> but don't give good examples of *how* I'm supposed to do these things!
> > I guess I'm looking for something along the lines of "Webapp Security 
> > for
> Dummies" as a building block.  Can anybody point to useful resources 
> for
> this?  The OWASP guide seems to be more of a guide for competent 
> coders who
> already know how to avoid the problems listed.  :)
> > Thanks!
> >
> > _____________________________________________________________
> > Fight the power!  BlazeMail.com
> >
> > _____________________________________________________________
> > Select your own custom email address for FREE! Get you () yourchoice com 
> > w/No
> Ads, 6MB, POP & more! http://www.everyone.net/selectmail?campaign=tag
> >

Thanks;
Michael R. Bagnall
Powertools Productions, LLC.
mbagnall () powertools net / http://www.powertools.net
(615) 453-1141 / (800) 444-1563