Bugtraq mailing list archives
Re: PHP security (or the lack thereof)
From: Matthias Kestenholz <lists () spinlock ch>
Date: Mon, 26 Jun 2006 19:32:55 +0200
* Geo. (geoincidents () nls net) wrote:
..."The configuration flexibility of PHP is equally rivalled by the code flexibility. PHP can be used to build complete server applications, with all the power of a shell user, or it can be used for simple server-side includes with little risk in a tightly controlled environment. How you build that environment, and how secure it is, is largely up to the PHP developer."And is the default install wide open or tightly controlled? I mean from a security standpoint we have been screaming for years at Microsoft to change their defaults to firewall on and things locked instead of open. Is php secure by default when it's installed on a server?
This question does not really have any meaning. If you ask, if php _applications_ are secure by default, the answer is of course "it depends" (most php applications are broken. Just do a "grep -R eval ." and see for yourself) The php safe_mode is not really safe. magic_quotes_gpc is broken by design. Where does that leave us? Write secure code, validate all input or get hacked, as is the case with every other software/language.
Current thread:
- Re: PHP security (or the lack thereof), (continued)
- Re: PHP security (or the lack thereof) Geo. (Jun 23)
- Re: Re: PHP security (or the lack thereof) nabiy (Jun 23)
- Re: PHP security (or the lack thereof) Crispin Cowan (Jun 23)
- Re: PHP security (or the lack thereof) Daniel Hulme (Jun 26)
- Re: PHP security (or the lack thereof) Tobias J. Kreidl (Jun 26)
- Re: PHP security (or the lack thereof) Glynn Clements (Jun 27)
- Re: PHP security (or the lack thereof) Ronald Chmara (Jun 26)
- RE: PHP security (or the lack thereof) Geo. (Jun 26)
- Re: PHP security (or the lack thereof) Paul Schmehl (Jun 26)
- RE: PHP security (or the lack thereof) Geo. (Jun 28)
- Re: PHP security (or the lack thereof) Matthias Kestenholz (Jun 26)
- RE: PHP security (or the lack thereof) Geo. (Jun 27)
- Re: PHP security (or the lack thereof) Crispin Cowan (Jun 23)
- Re: PHP security (or the lack thereof) Mrten (Jun 26)