Security

Month of PHP Bugs Has Begun

An anonymous reader writes "The previously announced Month of PHP Bugs started three days ago, and already lists 8 security vulnerabilities in PHP and PHP-related software. From the site: 'This initiative is an effort to improve the security of PHP. However, we will not concentrate on problems in the PHP language that might result in insecure PHP applications, but on security vulnerabilities in the PHP core. During March 2007, old and new security vulnerabilities in the Zend Engine, the PHP core and the PHP extensions will be disclosed on a day-by-day basis. We will also point out necessary changes in the current vulnerability management process used by the PHP Security Response Team.'"
  • by julesh ( 229690 ) on Saturday March 03, 2007 @02:51PM (#18219280)
    > Uhmm, you are aware that all the phpBB forums out there use unserialize() on cookie data?

    No, I wasn't. One more reason not to use phpBB, I guess.
  • by atherix ( 1071036 ) on Saturday March 03, 2007 @04:15PM (#18219946)
    > We see a lot of people use the phrase "defective by design" when talking about Vista and in that instance I'm pretty sure the use of the term is correct. Having never used PHP but heard of its many security problems I'm wondering: Is PHP defective by design?

    Maybe. PHP is a wonderful interpreted language that makes creating a web application easy. The biggest problem with PHP are the entry-level programmers who don't understand the beast that is web programming.

    Many PHP programmers don't understand the number one rule of secure web programming: All user data is evil. Anything that comes from an HTTP request cannot be trusted. Heck, I don't trust it even after it has been stored in a database table or the file system. I would love to see a Perl-ish taint mode built into PHP that tells the programmer "This data has come from an insecure source. Please don't eval() it or unserialize() it or write it to disk. Cheerio."
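The two comments above (unserialize() on cookie data, and "all user data is evil") describe the same problem from two angles. The following is an added example, not code from the thread, phpBB or the PHP project: it puts the unsafe cookie pattern next to a hardened version that stores JSON instead of a serialized object and authenticates the cookie with an HMAC before parsing it. The cookie name `prefs`, the function names, the secret and the accepted fields are all assumptions made for the illustration.

```php
<?php
// Added example (not from the Slashdot thread or phpBB): cookie bytes are
// attacker-controlled, so they must never reach unserialize().
// The cookie name "prefs", the field whitelist and the secret are assumptions.

// Unsafe pattern: unserialize() will instantiate any class named in the
// payload and run its __wakeup()/__destruct() hooks, so the cookie holder
// controls which code runs.
function load_prefs_unsafe(array $cookies)
{
    return isset($cookies['prefs']) ? unserialize($cookies['prefs']) : null;
}

// Hardened pattern: JSON cannot instantiate objects, and an HMAC over the
// JSON lets the server reject any cookie it did not issue itself.
const PREFS_KEY = 'replace-with-a-random-server-side-secret'; // placeholder

function encode_prefs(array $prefs, string $key): string
{
    $json = json_encode($prefs, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, $key);
    return base64_encode($json) . '.' . $mac;
}

function load_prefs_safe(array $cookies, string $key): ?array
{
    if (!isset($cookies['prefs']) || !is_string($cookies['prefs'])) {
        return null;
    }
    $parts = explode('.', $cookies['prefs'], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $mac] = $parts;
    $json = base64_decode($b64, true);
    if ($json === false) {
        return null;
    }
    // Verify the MAC before parsing anything; hash_equals() is constant-time.
    if (!hash_equals(hash_hmac('sha256', $json, $key), $mac)) {
        return null;
    }
    $prefs = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($prefs)) {
        return null;
    }
    // Even authenticated data is re-validated: whitelist fields, coerce types,
    // clamp ranges. Anything not listed here is dropped.
    $theme = $prefs['theme'] ?? '';
    return [
        'theme'    => in_array($theme, ['light', 'dark'], true) ? $theme : 'light',
        'per_page' => max(10, min(100, (int) ($prefs['per_page'] ?? 25))),
    ];
}

// Constructed demonstration: a genuine cookie is accepted, a forged one
// (valid JSON, bogus MAC) is rejected before its contents are ever parsed.
$good   = ['prefs' => encode_prefs(['theme' => 'dark', 'per_page' => 50], PREFS_KEY)];
$forged = ['prefs' => base64_encode('{"theme":"dark","per_page":9999}') . '.' . str_repeat('0', 64)];
var_dump(load_prefs_safe($good, PREFS_KEY));
var_dump(load_prefs_safe($forged, PREFS_KEY));
```

The MAC only proves the server issued the cookie; it does not make the contents trustworthy for any purpose the server did not intend, which is why the whitelist and range clamp still run after verification. In a real deployment the key comes from configuration, not a constant in source.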
  • Be Prepared? (Score:2, Insightful)

    by Mikenotmike ( 956042 ) on Saturday March 03, 2007 @04:16PM (#18219950)
    Since properly coded PHP is still useful in many applications, what would be the best book to use as an up to date reference manual for the most secure method of coding with it?
  • by Dan Ost ( 415913 ) on Saturday March 03, 2007 @04:26PM (#18220070)
    Actually, lots of people have abandoned PHP for Python and Ruby.

    It may never completely go away, but there are alternatives to using it.
  • Re:Be Prepared? (Score:2, Insightful)

    by brezel ( 890656 ) on Saturday March 03, 2007 @07:32PM (#18221460) Homepage

    > but from what I understand PHP does the whole ajax thing in a more fluid manner, is this incorrect?
    Yes. PHP has nothing to do with JavaScript.
