| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <B81727F4-2D1A-11D9-A480-000D93C20BB0@gotlinux.us> From: adam at gotlinux.us (Adam Jacob Muller) Subject: How secure is PHP ? What you should do, is write a PHP program without looking at the security doc. Then make the final exam to harden that program, they are students, make them do the work for you. Adam Civil disobedience is not our problem. Our problem is civil obedience. Our problem is that numbers of people all over the world have obeyed the dictates of the leaders of their government and have gone to war, and millions have been killed because of this obedience. . . Our problem is that people are obedient all over the world in the face of poverty and starvation and stupidity, and war, and cruelty. Our problem is that people are obedient while the jails are full of petty thieves, and all the while the grand thieves are running the country. That's our problem. -Howard Zinn On Nov 1, 2004, at 2:05 PM, Gary E. Miller wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Yo Nayana! > > On Mon, 1 Nov 2004, Nayana Somaratna wrote: > >> However, when browsing the web, I found an article which said that "it >> requires an expert to lockdown php" (Sorry, but I can't quite recall >> the URL). > > Saying PHP in insecure is like saying C is insecure.? Until their is > a programmer involved, writing bad code, there is no problem.? Just > like > C if the programmer carefully validates and contrains ALL input then > the program is not only secure but robust. > >> So, I'd like to ask the members of this list - how difficult is it to >> secure php ? Do you really need a security "expert" to do this ? > > PHP has very good write ups on security in the online doc.? Here is the > chapter: > > ? ? http://www.php.net/manual/en/security.php > > If you can read, understand and FOLLOW those recomendatins then you > are OK. > If not, then get the assistance of an "expert" that does. > > RGDS > GARY > - > ----------------------------------------------------------------------- > ---- > Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701 > ? ? gem@...lim.com? Tel:+1(541)382-8588 Fax: +1(541)382-8676 > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.3 (GNU/Linux) > > iD8DBQFBhoju8KZibdeR3qURAmzpAJ928ofMk+NqtWLPHNg/FwWQ7HE/UwCfVwpW > eANLHG73S0GOZcgi5zyIVW0= > =VsB9 > -----END PGP SIGNATURE----- > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > > > !DSPAM:4186a5b6167422090414872! > On Nov 1, 2004, at 2:05 PM, Gary E. Miller wrote: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yo Nayana! On Mon, 1 Nov 2004, Nayana Somaratna wrote: However, when browsing the web, I found an article which said that "it requires an expert to lockdown php" (Sorry, but I can't quite recall the URL). Saying PHP in insecure is like saying C is insecure.? Until their is a programmer involved, writing bad code, there is no problem.? Just like C if the programmer carefully validates and contrains ALL input then the program is not only secure but robust. So, I'd like to ask the members of this list - how difficult is it to secure php ? Do you really need a security "expert" to do this ? PHP has very good write ups on security in the online doc.? Here is the chapter: ? ? http://www.php.net/manual/en/security.php If you can read, understand and FOLLOW those recomendatins then you are OK. If not, then get the assistance of an "expert" that does. RGDS GARY - ------------------------------------------------------------------------ --- Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701 ? ? gem@...lim.com? Tel:+1(541)382-8588 Fax: +1(541)382-8676 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFBhoju8KZibdeR3qURAmzpAJ928ofMk+NqtWLPHNg/FwWQ7HE/UwCfVwpW eANLHG73S0GOZcgi5zyIVW0= =VsB9 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html !DSPAM:4186a5b6167422090414872!
Powered by blists - more mailing lists