Slashdot Mirror

← Back to Stories (view on slashdot.org)

Choice of Programming Language Doesn't Matter For Security

Posted by Soulskill on from the obvious-things-your-boss-doesn't-understand dept.

An anonymous reader writes "The Security Ninja has written a blog post which discusses web programming languages and the fact that they are all insecure. It's based on a report from WhiteHat Security and aims to dispel the myth that some languages will guarantee that an application will be more or less secure than other languages. '... secure code is the product of a secure development process and real business commitment to deliver secure applications which includes developer education. The absence of these processes and business commitments will lead to web applications being developed insecurely regardless of the language being used.'"

1 of 192 comments (clear)

  1. Re:Everybody hatin' on PHP by wmbetts · · Score: 4, Informative

    Changes in PHP 6
    Issue: Register globals are the source of many application's security problems and cause a constant grief.

    Discussion: We shortly discussed how we want to attend users on the disappearance of this functionality. We decided that if we find the setting during the startup of PHP we raise an E_CORE_ERROR which will prevent the server from starting with a message that points to the documentation. The documentation should explain why this functionality was removed, and some introduction on safe programming.

    Conclusions:

    We are going to remove the functionality.
    We throw an E_CORE_ERROR when starting PHP and when we detect the register_globals setting

    http://www.php.net/~derick/meeting-notes.html#id12

    Issue: Magic_quotes can be cumbersome for application developers as it is a setting that can be set to on or off without any influence from within the script itself as input parameters are escaped before the script starts.

    Discussion: In the same way as with the remove of the register_globals functionality, we decided that if we find the setting during the startup of PHP we raise an E_CORE_ERROR which will prevent the server from starting with a message that points to the documentation. The documentation should explain why this functionality was removed, and point the users at the input_filter extension as replacement.

    Conclusions:

    We remove the magic_quotes feature from PHP.
    We throw an E_CORE_ERROR when starting PHP and when we detect the magic_quotes, magic_quotes_sybase or magic_quotes_gpc setting.

    http://www.php.net/~derick/meeting-notes.html#id13

    They are also planning on getting rid of the non-PDO db stuff at a future date.

    --
    "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware