Full Disclosure mailing list archives

Re: How secure is PHP ?

From: Adam Jacob Muller <adam () gotlinux us>
Date: Tue, 2 Nov 2004 17:01:16 -0500

What you should do, is write a PHP program without looking at thesecurity doc. Then make the final exam to harden that program, they arestudents, make them do the work for you.





Adam

Civil disobedience is not our problem. Our problem is civil obedience.Our problem is that numbers of people all over the world have obeyedthe dictates of the leaders of their government and have gone to war,and millions have been killed because of this obedience. . . Ourproblem is that people are obedient all over the world in the face ofpoverty and starvation and stupidity, and war, and cruelty. Our problemis that people are obedient while the jails are full of petty thieves,and all the while the grand thieves are running the country. That's ourproblem.

-Howard Zinn

On Nov 1, 2004, at 2:05 PM, Gary E. Miller wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yo Nayana!

On Mon, 1 Nov 2004, Nayana Somaratna wrote:

However, when browsing the web, I found an article which said that "it
requires an expert to lockdown php" (Sorry, but I can't quite recall
the URL).


Saying PHP in insecure is like saying C is insecure.  Until their is

a programmer involved, writing bad code, there is no problem. Justlike

C if the programmer carefully validates and contrains ALL input then
the program is not only secure but robust.

So, I'd like to ask the members of this list - how difficult is it to
secure php ? Do you really need a security "expert" to do this ?


PHP has very good write ups on security in the online doc.  Here is the
chapter:

    http://www.php.net/manual/en/security.php

If you can read, understand and FOLLOW those recomendatins then youare OK.

If not, then get the assistance of an "expert" that does.

RGDS
GARY

----------------------------------------------------------------------------

Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
    gem () rellim com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBhoju8KZibdeR3qURAmzpAJ928ofMk+NqtWLPHNg/FwWQ7HE/UwCfVwpW
eANLHG73S0GOZcgi5zyIVW0=
=VsB9
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


!DSPAM:4186a5b6167422090414872!

On Nov 1, 2004, at 2:05 PM, Gary E. Miller wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yo Nayana!

On Mon, 1 Nov 2004, Nayana Somaratna wrote:

However, when browsing the web, I found an article which said that "it
requires an expert to lockdown php" (Sorry, but I can't quite recall
the URL).

Saying PHP in insecure is like saying C is insecure.  Until their is
a programmer involved, writing bad code, there is no problem.  Just like
C if the programmer carefully validates and contrains ALL input then
the program is not only secure but robust.

So, I'd like to ask the members of this list - how difficult is it to
secure php ? Do you really need a security "expert" to do this ?

PHP has very good write ups on security in the online doc.  Here is the
chapter:

    http://www.php.net/manual/en/security.php

If you can read, understand and FOLLOW those recomendatins then you areOK.

If not, then get the assistance of an "expert" that does.

RGDS
GARY

----------------------------------------------------------------------------

Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
    gem () rellim com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBhoju8KZibdeR3qURAmzpAJ928ofMk+NqtWLPHNg/FwWQ7HE/UwCfVwpW
eANLHG73S0GOZcgi5zyIVW0=
=VsB9
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


!DSPAM:4186a5b6167422090414872!



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

How secure is PHP ? Nayana Somaratna (Nov 01)
- Re: How secure is PHP ? ph0enix (Nov 01)
- Re: How secure is PHP ? Gary E. Miller (Nov 01)
  - Re: How secure is PHP ? Dan Margolis (Nov 02)
    - Re: How secure is PHP ? Gary E. Miller (Nov 02)
    - Re: How secure is PHP ? Ron DuFresne (Nov 04)
    - Re: How secure is PHP ? Stefan Esser (Nov 04)
    - Re: How secure is PHP ? Ron DuFresne (Nov 22)
    - Re: How secure is PHP ? Gary E. Miller (Nov 04)
    - Re: How secure is PHP ? Dan Margolis (Nov 11)
  - Re: How secure is PHP ? Adam Jacob Muller (Nov 02)
- Re: How secure is PHP ? Morgan Reed (Nov 02)
- <Possible follow-ups>
- RE: How secure is PHP ? Sandeep Sengupta (Nov 01)
  - Re: How secure is PHP ? Meder Kydyraliev (Nov 01)
- Re: How secure is PHP ? J b (Nov 04)
  - Re: How secure is PHP ? VeNoMouS (Nov 04)
  - Re: How secure is PHP ? Matt (Nov 05)
    - Re: How secure is PHP ? Gary E. Miller (Nov 05)
    - Re: How secure is PHP ? Matt (Nov 05)