Secure Coding mailing list archives
Re: Scripting Languages and Secure Coding
From: "M. Buchzik" <Michael () buchzik de>
Date: Wed, 03 Dec 2003 17:35:17 +0000
Hi, now I'm getting interested ;)

Bob Toxen wrote:
> I've read about so many security bugs in php (as compared to, say, C or
> perl) that I recommend that my clients do not use it. "But it's so easy."

Do you mean security flaws in applications (e.g. the "never ending story" of phpnuke) or in php itself? There have been lots of updates of php since, but when compared to perl, you might also count security flaws in perl modules like in CGI.pm lately (since most enhancements in php are built in as 'extensions' and 'count' to php).
( http://www.securityfocus.com/archive/1/330101 )

To quote you (or your customers), in my opinion php is _too_ easy! The effect? Too many people start out programming in it and so are causing these negative side effects (and that's just it):

- a webserver gets compromised (directory traversal, data access)
- a database gets crashed (sql injection)
- the whole application gets compromised
  ( http://www.php.net/manual/en/security.registerglobals.php )
- a client of the application gets compromised (XSS)
- spam gets set free to the world's mailboxes

But IMHO this is all up to the programmer and not the coding language itself (sorry, I can't say anything about shell scripting like bash or tcsh, since my level there is just enough to create an init script). This all can also happen with other programming languages! (example: formmail.cgi|pl, or Java http://www.securityfocus.com/archive/1/340366 ) (I've heard something about java webstart lately, but can't find it at the moment.)

Methods of taint checking are nearly equal in php and perl (e.g. http://www.php.net/manual/en/ref.pcre.php or http://www.php.net/manual/en/function.is-numeric.php ) (have a look at the first comment on is_numeric()!). For example, with this function I would feel absolutely secure:

    if (is_numeric($_GET['count'])) {
        // Insert $_GET['count'] into Database ...
        // alternatives: is_int(), is_float(), ... whatever needed
    }

Unfortunately, the most often found function on the web would look like this:

    if ($count) {
        // Insert my sql injection ...
    }

But your opinion to "avoid all scripting languages" is an interesting one ;) Isn't the compile _time_ just the difference between "interpreted" and "compiled" programming languages? But what I'm missing is a code analyzer to report possible security flaws in php or perl ...

Greetings,
Michael Buchzik
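The two patterns contrasted in the message above, worked through as an added example (this is not code from the original post or from any project it mentions). It runs the author's is_numeric() check and a plain truthiness check over a set of constructed inputs standing in for $_GET['count'], prints the query string the unchecked pattern would build for each, and then shows a stricter variant: a digits-only regex (the post points at the PCRE functions for exactly this) followed by a prepared statement, so that the value is bound rather than interpolated even after validation. The table name "items", the id range and the sample values are assumptions made for the demonstration; the in-memory SQLite database is only used so the prepared-statement path can actually execute.

```php
<?php
// Added example, not code from the original post. Contrasts "if ($count)",
// is_numeric() and a digits-only check plus a prepared statement.
// Table "items", the accepted id range and all sample inputs are assumptions.
declare(strict_types=1);

// Constructed sample inputs standing in for $_GET['count'].
$samples = [
    '42',                       // what the application expects
    '-7',                       // numeric, but not a plausible row id
    '1e3',                      // is_numeric() accepts exponent notation
    ' 5',                       // is_numeric() accepts leading whitespace
    '1.5',                      // floats are numeric too
    '1 OR 1=1',                 // classic injection payload
    '1; DROP TABLE items; --',  // stacked-query attempt
    '',                         // empty string, falsy in "if ($count)"
];

// The pattern the post warns about: a truthiness check, then interpolation.
function unsafeQuery(string $count): string
{
    if ($count) {
        return "SELECT id, name FROM items WHERE id = $count";
    }
    return 'SELECT id, name FROM items';   // reached for '' (and for '0')
}

// The post's check. It rejects the payloads above, but it is not an
// integer check: '1e3', ' 5', '1.5' and '-7' all pass.
function isNumericCheck(string $count): bool
{
    return is_numeric($count);
}

// Stricter: digits only, no sign, whitespace, exponent or decimal point,
// and a length bound so the cast cannot overflow. Returns null on reject.
function validId(string $count): ?int
{
    if (!preg_match('/\A[1-9][0-9]{0,9}\z/', $count)) {
        return null;
    }
    return (int) $count;
}

// Defense in depth: even a validated value is bound, never interpolated.
function safeLookup(PDO $db, string $count): ?array
{
    $id = validId($count);
    if ($id === null) {
        return null;   // a real application would log this and answer 400
    }
    $stmt = $db->prepare('SELECT id, name FROM items WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

printf("%-27s %-10s %-8s %s\n", 'input', 'is_numeric', 'validId', 'query built by unsafeQuery()');
foreach ($samples as $in) {
    printf("%-27s %-10s %-8s %s\n",
        var_export($in, true),
        isNumericCheck($in) ? 'true' : 'false',
        var_export(validId($in), true),
        unsafeQuery($in));
}

// The prepared-statement path needs pdo_sqlite; skip cleanly if it is absent.
if (!in_array('sqlite', PDO::getAvailableDrivers(), true)) {
    fwrite(STDERR, "pdo_sqlite not available; skipping prepared-statement demo\n");
    exit(0);
}

// Constructed in-memory table with two rows.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO items (id, name) VALUES (1, 'one'), (42, 'answer')");

echo "\n";
foreach (['42', '1 OR 1=1', '1e3', '7'] as $in) {
    printf("safeLookup(%-12s => %s\n", var_export($in, true) . ')',
        json_encode(safeLookup($db, $in)));
}
```

Run it with `php example.php`. The first table shows why `if ($count)` is not a check at all ('1 OR 1=1' is truthy and ends up in the WHERE clause verbatim) and why is_numeric() is a weaker filter than it looks: it blocks the injection strings but still lets through exponent notation, whitespace and floats that a row-id lookup has no use for. The second part shows that once the value is bound with PDO::PARAM_INT, what ends up in the query is a parameter, so the validation step decides only which requests are accepted, not whether the SQL is intact.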
Current thread:
- Re: Scripting Languages and Secure Coding M. Buchzik (Dec 03)
- Re: Scripting Languages and Secure Coding Timo Sirainen (Dec 03)
- Re: Scripting Languages and Secure Coding Martin Stricker (Dec 03)
- Re: Scripting Languages and Secure Coding + code Ghita Serban (Dec 04)
- Re: Scripting Languages and Secure Coding + code David A. Wheeler (Dec 04)
- RE: Scripting Languages and Secure Coding + code Dave Paris (Dec 04)
- Re: Scripting Languages and Secure Coding + code Andrew Rucker Jones (Dec 04)
- Re: Scripting Languages and Secure Coding + code Paul R. C. Ming (Dec 04)
- Re: Scripting Languages and Secure Coding + code David M. Wilson (Dec 05)
- RE: Scripting Languages and Secure Coding + code Dave Paris (Dec 07)
- Re: Scripting Languages and Secure Coding + code ck (Dec 08)
- Re: Scripting Languages and Secure Coding + code David A. Wheeler (Dec 04)