lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: 21 Jun 2006 23:52:47 -0000
From: nabiy@...mail.com
To: bugtraq@...urityfocus.com
Subject: Re: Re: PHP security (or the lack thereof)


Trying to make the language 'safe' won't fix it because the language is not the problem. The real problem is the way PHP is presented to most new developers.

PHP has been introduced as a tool for the web developer. As a language its goal is "to allow web developers to write dynamically generated pages quickly." (  http://www.php.net/manual/en/faq.general.php ). The focus then is to enable the web developer by giving him the tools he needs to create dynamic content, with as little hassle as possible. The web developer need only read a short tutorial ( http://www.php.net/manual/en/tutorial.php ) and he is ready to read, understand and implement the ideas presented in the various example scripts on PHP.net. Unfortunately this situation leaves the web developer uninformed and unprepared to face the hostile environment that is the net.

the only real solution is to change the way the language is presented to new developers. It must be presented in a manner that increases the awareness of the developer so that he able to deploy his application in a safe manner. This means that security needs to be taught from the beginning rather than as a footnote, especially on sites where authoritative teaching is given ( such as PHP.net ). - nabiy


Powered by blists - more mailing lists