Security Basics mailing list archives
Re: Current state of PHP security?
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Mon, 4 Dec 2006 21:39:29 +0100
On 2006-12-04 lech.protean () gmail com wrote:
I would like to have a small personal webpage with some private info. With the current state of affairs, I'm afraid to either use any CMS or write the code myself (for fear of not knowing the security implications sufficiently). What I'd like best would be XML content stored in MySQL/Postgres; PHP would parse it and the output would be, of course, XHTML. I would need to limit access to some of the information; I don't care about any particular technology, be it .htaccess or just a list of users in an SQL DB. If I prepare such a solution, is there a chance it will remain secure for years to come, with cross-site scripting popping up every day?
With PHP? Probably not. You may want to read this thread [1] and its continuation in [2].
How can I protect myself and remain creative, provided I only want to use open-source solutions on standard web hosting?
Since you said it's going to be a small page: why go to all that trouble with scripting and DB anyway? Why not just write the pages as static XHTML (maybe with some SSI) and secure them with .htaccess and SSL?

[1] http://www.securityfocus.com/archive/1/437446/30/0/threaded
[2] http://www.securityfocus.com/archive/1/438165/30/0/threaded

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq