[PLUG] PHP versus JSP and servlets...

Kurt Sussman plug at merlot.com
Fri Feb 3 22:11:13 UTC 2006


Steve Beattie (sbeattie at suse.de) typed this ...
> On Thu, Jan 26, 2006 at 09:26:42AM -0800, Kurt Sussman wrote:
> > plug_0 at robinson-west.com (plug_0 at robinson-west.com) typed this ...
> > > Okay, I hear the PHP has security problems.
> > 
> > No, developers have security problems. The shortest path to a web app in
> > any language on any platform is insecure. You can write slow, fragile
> > and insecure code in any language. You can write robust and secure code
> > in most languages. But it requires planning and thought and experience.
> 
> Part of security is dependent on the developers using the language,
> but part of it is the language design, whether it makes doing things in
> the language securely easy or difficult. Here's a discussion on some of
> the poor design decisions the php development team have made, and how
> difficult it is for a php author to write secure code:
> 
>   http://www.greebo.net/?p=320

Please note that while PHP is used as an example in this posting, the
same points could be made about almost any language in which web apps
can be built. Isn't formmail.cgi a Perl script? Google for "formmail.cgi
spam" when you have a minute.

PHP makes it easy for coders to make something that sort of works (but
is horribly insecure). Perl has a higher barrier to entry, but that
doesn't mean that people can't write insecure CGI scripts in Perl.

I stand by my original assertion:

  No, developers have security problems.

--Kurt
-- 
----------------------------------------------------------------------
    Merlot Research Group, Inc               http://www.merlot.com
    kls[at]merlot.com       GPG key 82505A74      Jabber: MerlotQA