Vulnerability Development mailing list archives
Re: CGI scripts in sh
From: Lincoln Yeoh <lyeoh () POP JARING MY>
Date: Fri, 22 Sep 2000 10:35:47 +0800
At 12:45 AM 21-09-2000 +0200, Crypteria wrote:
> I got a question concerning CGI scripts. I've been told that sh scripts are way more insecure than perl or c/c++ scripts. I find it great to use the power of shell scripting and the ability to use commands in scripts, and I just wondered why they could be more insecure? After all, a good shell script can be flawless just as a bad perl script can be dangerous...
True, shell scripts can be flawless and bad perl scripts can be dangerous.

However: Which languages are more suitable for what you are trying to do? Which of those languages are you good at, and can code safely in?

In my case, I can't code safely in C - it feels like crawling through a minefield and looking for mines. C++ is much better, but it still gets dangerous when you have to reenter the C minefield areas!

I find Perl (like many other scripting languages) so much easier - you can strip nasty stuff off easily. It can also cope with most inputs so you can read long strings in, and then truncate or complain. I'm not so comfortable dealing with hostile stuff when using shell scripts.

Whereas with C, you can think you're writing something to deal with extraordinary input, but before your 3rd line you may already be dead.

C is like a sharp double edged sword, no handle :).

C++ is like a sharp double edged sword with a removable handle - and sometimes you need to remove the handle to use it. Yes it's object oriented ;).

Perl is like a swiss army knife. There are lots of blades for doing different stuff, slicing, dicing and even writing poetry and then killing yourself. Almost any idiot can use a swiss army knife (and lots do ;) ).

Java is like a somewhat sharp space-age plastic sword. Yes, there's a handle, and no, you can't remove it. Tons of people are being certified to use it.

Assembler: chainsaw, no handles.

Machine code: chainsaw, no handles, blindfolded.

Erm I better stop now.. :)

Cheerio,
Link.
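
The "read it in, then truncate or complain" handling mentioned in the reply above, sketched for a CGI script written in POSIX sh. This is an added example, not part of the original post; the parameter name `user`, both length limits and the function names are assumptions.

```shell
#!/bin/sh
# Added example: validate one CGI query parameter in POSIX sh.
# The parameter name "user" and both limits are assumptions.
LC_ALL=C; export LC_ALL         # make [A-Z] ranges byte-based
MAX_QUERY=256                   # longest query string we accept
MAX_USER=32                     # longest value we accept

# get_param NAME QUERY: print the raw value of NAME, return 1 if absent.
# Splits on '&' via IFS only: no eval, and globbing is off while splitting.
get_param() {
    gp_name=$1; gp_query=$2; gp_ifs=$IFS
    set -f; IFS='&'
    for gp_pair in $gp_query; do
        case $gp_pair in
            "$gp_name="*)
                IFS=$gp_ifs; set +f
                printf '%s\n' "${gp_pair#*=}"
                return 0 ;;
        esac
    done
    IFS=$gp_ifs; set +f
    return 1
}

# safe_user QUERY: print the validated value, or "complain" with a
# non-zero status (2 too long, 3 missing, 4 bad characters, 5 value too long).
safe_user() {
    su_query=$1
    [ "${#su_query}" -le "$MAX_QUERY" ] || return 2
    su_val=$(get_param user "$su_query") || return 3
    # Allowlist only. %-escapes are rejected too, because nothing here
    # decodes them; shell metacharacters never reach a command line.
    case $su_val in
        ''|*[!A-Za-z0-9_-]*) return 4 ;;
    esac
    [ "${#su_val}" -le "$MAX_USER" ] || return 5
    printf '%s\n' "$su_val"
}
```

A CGI script would call `safe_user "$QUERY_STRING"` once, send an error response on any non-zero status, and keep the result double-quoted wherever it is used afterwards.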