WebApp Sec mailing list archives

RE: Anyone have some basic security tips for PHP-programmers?


From: "Herbold, John W." <JWHERBOLD () arkbluecross com>
Date: Mon, 24 Nov 2003 08:50:26 -0600

> First of all, PHP is a scripting language with built-in overflow checking.

But is it good enough to trust?  I am guessing no, from the other post I
have seen.  My point still stands.  Do your own error checking.

> but PHP is NOT vulnerable to buffer overflows from PHP scripts

A quick search on Google for "PHP buffer overflow" shows otherwise.

> Second of all, PHP is a scripting language (heard it before?), which
> means that the code doesn't GET compiled at all. It gets interpreted at
> run-time by a parsing engine, just like any other scripting language.

While I have not done very much PHP at all, I have done a lot of Perl.
Perl is also a "scripting language", and it can get compiled to an EXE, so I
would be willing to bet PHP can as well.  Just because it is a scripting
language does not mean that it cannot compile to an EXE.

A quick search on Google for "PHP to EXE" shows that yes, it can be compiled
to an EXE.

The memory comment goes with running the website off of a CD-ROM.  Yes, it is
a performance issue, but it is tied to a security issue.  While there are many
ways to deface a website, this would stop some of the most common ways.  The
idea of security is defense in depth.  Nothing is 100% secure, and there is
no one fix, so you add layers to weed out different attacks.  It is up to
you to balance security, cost, and usability.  Another standard
suggestion is to get rid of any "example" scripts that came with your web
server and languages, as they are another common entry point.

Thanks,

John W. Herbold Jr.
Security Specialist
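The "do your own error checking" advice above, as an added example that is not part of John's post or of PHP itself: the function, its name, the 32-character limit and the character whitelist are assumptions chosen for illustration. The point is that the script itself enforces type, length and character-set bounds on untrusted input instead of relying on the interpreter or the C-level functions behind it to cope with oversized or malformed values.

```php
<?php
// Added example (not from the mailing-list post): explicit input checking in
// PHP before a value reaches the rest of the application. The function name,
// the length limit and the allowed-character pattern are assumptions.

declare(strict_types=1);

const MAX_USERNAME_LEN = 32;   // assumed application limit

/**
 * Return a validated username, or null when the input is rejected.
 * Rejects non-strings, embedded null bytes, empty or oversized input and
 * unexpected characters, in that order, so every rejection has one cause.
 */
function validate_username(mixed $input): ?string
{
    if (!is_string($input)) {
        return null;                 // ?u[]=x arrives as an array, not a string
    }
    if (strpos($input, "\0") !== false) {
        return null;                 // null bytes confuse C-level string APIs
    }
    $len = strlen($input);
    if ($len === 0 || $len > MAX_USERNAME_LEN) {
        return null;                 // enforce an explicit length bound
    }
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $input)) {
        return null;                 // whitelist of allowed characters
    }
    return $input;
}

// Constructed sample inputs covering each failure mode handled above.
$samples = [
    'alice_01',                     // valid
    str_repeat('A', 5000),          // oversized
    "bob\0.php",                    // embedded null byte
    ['x'],                          // array instead of string
    '<script>alert(1)</script>',    // characters outside the whitelist
];

foreach ($samples as $s) {
    $label  = is_array($s) ? '[array]' : addcslashes(substr($s, 0, 20), "\0..\37");
    $result = validate_username($s);
    printf("%-24s => %s\n", $label, $result === null ? 'rejected' : 'accepted');
}
```

Only the first sample is accepted; the other four are rejected before any other code sees them. The same shape (type check, null-byte check, length bound, whitelist) applies to any field a script reads from `$_GET`, `$_POST` or a cookie.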