Security Basics mailing list archives

Re: Current state of PHP security?


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Mon, 4 Dec 2006 21:39:29 +0100

On 2006-12-04 lech.protean () gmail com wrote:
> I would like to have some small personal webpage with some private
> info.
> With the current state of affairs, I'm afraid to use either any CMS
> nor write the code myself (for fear of not knowing the security
> implications sufficiently).
> What I'd like to have best, would be an XML content stored in
> mySQL/postgres, php would parse it and the output would be, of course,
> XHTML.
> I would need to limit access to some of the information, I don't care
> about any particular technology, be it .htaccess or just a list of
> users in an SQL DB.
>
> If I prepare such a solution, is there a chance it will remain secure
> for years to come, with cross-site scripting popping up every day?

With PHP? Probably not. You may want to read this thread [1] and its
continuation in [2].

> How can I protect myself and remain creative, provided I only want to
> use OpenSource solutions on a standard web-hosting?

Since you said it's going to be a small page: why go to all that trouble
with scripting and DB anyway? Why not just write the pages as static
XHTML (maybe with some SSI) and secure them with .htaccess and SSL?

[1] http://www.securityfocus.com/archive/1/437446/30/0/threaded
[2] http://www.securityfocus.com/archive/1/438165/30/0/threaded

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
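As an added illustration of the static-site approach suggested above (this is editorial example configuration, not something posted in the thread), the following `.htaccess` fragment restricts a directory of static XHTML to authenticated users and refuses to serve it over plain HTTP. The path `/home/example/private/.htpasswd` is a placeholder: the password file should live outside the web root and be created with the stock `htpasswd -c` tool. It assumes a shared host that permits `AuthConfig` and `FileInfo` overrides and has mod_ssl and mod_rewrite loaded.

```apache
# Example .htaccess for a directory of static XHTML that holds private
# pages. Added here as an illustration; not from the original thread.

# Refuse to serve anything in this directory unless the request arrived
# over TLS. With plain HTTP the Basic-auth credentials below would travel
# in cleartext, so this directive is what makes the scheme meaningful.
SSLRequireSSL

# Send stray http:// requests to the https:// equivalent so that a
# bookmarked plain-HTTP URL does not simply fail.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# HTTP Basic authentication against a password file kept outside the
# document root (placeholder path; create it with: htpasswd -c FILE USER).
AuthType Basic
AuthName "Private pages"
AuthUserFile /home/example/private/.htpasswd
Require valid-user

# Do not let the web server hand out directory listings of the
# protected area, and hide backup/editor leftovers such as page.html~.
Options -Indexes
<FilesMatch "~$|\.(bak|orig|swp)$">
    Require all denied
</FilesMatch>
```

Because the pages are static, there is no server-side code to inject into: the attack surface is reduced to the web server itself, the TLS configuration, and the strength of the passwords in the htpasswd file, which is a far smaller set of things to keep patched than a PHP CMS.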
