[PLUG] PHP versus JSP and servlets...

Steve Beattie sbeattie at suse.de
Wed Feb 1 18:45:42 UTC 2006


On Thu, Jan 26, 2006 at 09:26:42AM -0800, Kurt Sussman wrote:
> plug_0 at robinson-west.com (plug_0 at robinson-west.com) typed this ...
> > Okay, I hear the PHP has security problems.
> 
> No, developers have security problems. The shortest path to a web app in
> any language on any platform is insecure. You can write slow, fragile
> and insecure code in any language. You can write robust and secure code
> in most languages. But it requires planning and thought and experience.

Part of security is dependent on the developers using the language,
but part of it is the language design, whether it makes doing things in
the language securely easy or difficult. Here's a discussion on some of
the poor design decisions the php development team have made, and how
difficult it is for a php author to write secure code:

  http://www.greebo.net/?p=320

C is another prime example -- it's possible to write non-stupid code in
C, but the original string library functions made it very easy to make
mistakes (strcpy et al). Even some of the replacement functions are
not that well thought out, people have gotten the length args wrong in
strncpy and its lack of null termination when truncating is unhelpful.

<troll>
Around 1998 or so, I guessed that soon Perl would replace C as the
security grumble of the day, based on my assumption that most web apps
would be written in Perl. And along came php, completely throwing that
assumption off, by making Perl look good...
</troll>

-- 
Steve Beattie
SUSE Labs, Novell Inc. 
<sbeattie at suse.de>
http://NxNW.org/~steve/
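The strncpy pitfall described above, shown as an added example that is not part of the original message: the first function demonstrates that strncpy() with n equal to the buffer size leaves no terminator once the source is too long, and copy_bounded() is an assumed helper name for a replacement that always terminates and reports how much was truncated.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example (not from the mail above). Demonstrates the two strncpy()
 * problems mentioned: a length argument equal to the buffer size and the
 * missing NUL terminator when the source string is truncated. */

/* Returns true if strncpy() left dst with no NUL terminator anywhere in it.
 * dst_size is the full size of the destination buffer. */
bool strncpy_leaves_unterminated(char *dst, size_t dst_size, const char *src)
{
    /* Typical call: n == sizeof(dst). If strlen(src) >= n, strncpy fills
     * every byte of dst and writes no terminator at all. */
    strncpy(dst, src, dst_size);
    return memchr(dst, '\0', dst_size) == NULL;
}

/* Bounded copy that always terminates dst. Returns the number of source
 * bytes that did not fit (0 means the whole string was copied), so the
 * caller can treat truncation as an error instead of silently using a
 * chopped value. */
size_t copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t src_len = strlen(src);
    if (dst_size == 0)
        return src_len;                  /* nothing can be stored */
    if (src_len < dst_size) {
        memcpy(dst, src, src_len + 1);   /* fits, including the NUL */
        return 0;
    }
    memcpy(dst, src, dst_size - 1);      /* leave room for the terminator */
    dst[dst_size - 1] = '\0';
    return src_len - (dst_size - 1);
}

int main(void)
{
    char buf[8];
    const char *long_input = "0123456789";   /* constructed: longer than buf */

    if (strncpy_leaves_unterminated(buf, sizeof buf, long_input))
        printf("strncpy left buf unterminated; strlen(buf) would read past it\n");

    size_t dropped = copy_bounded(buf, sizeof buf, long_input);
    printf("copy_bounded: \"%s\" (%zu bytes dropped)\n", buf, dropped);
    return 0;
}
```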

