Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Securing PHP or finding PHP alternatives
From: Crispin Cowan <crispin () novell com>
Date: Mon, 10 Jul 2006 10:37:16 -0700

Gezim Hoxha wrote:
With all that's been said in this thread, and all that has been observed
(i.e. a large number of PHP vulnerabilities--please don't try and defend
this; the common thing that everyone agrees on is that PHP tries to
cater to all users (not necessarily programmers, which can make it
insecure), I'm going to ask two questions:

1.) If I have to write PHP, how do I write secure PHP? Give me a number
of ensures that I can follow and check-mark each and live a happy
life--for the most part.
Program defensively:

    * validate all inputs
          o use a white-list, not a black-list
    * check all parameters
    * check all return/error codes
    * handle all exceptions

Test your system:

    * check for SQL injection vulnerabilities
    * check for XSS

Wrap it in AppArmor http://en.opensuse.org/AppArmor for when you screw
up ^W^W don't do all the above perfectly.

2.) From a security standpoint what is a better, open-source replacement
to PHP?
Ruby, Python, Java, C#, all of which are type safe, and therefore much
more secure. All have open source implementations, including C#


Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
     Necessity is the mother of invention ... except for pure math

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]