On Thu, Jun 19, 2003 at 07:20:37PM -0500, David Phillips wrote:
> Oh, it's ok then, because everything has security holes. Gee.
>
> It's not difficult to write a nice message board that doesn't have security
> holes, especially in a language like PHP. I wrote a good one about three
> years ago (clone of Allaire Forums). Perhaps I should tidy it up and
> release it as open source.
>
> If you have security holes in your PHP application, then you're doing
> something seriously wrong, and should learn about basic security before
> attempting writing web applications.

Most people using PHP do so because they wanted to learn the easiest thing out there, and they heard PHP was it. These people have no idea what security is, or how anything really works; this is why I'm skeptical about anything written in PHP.

Sometimes the security hole is in PHP itself, and is exploited via your 'program' due to it using whatever function is vulnerable. Just like Apache can have an exploit due to a bug in openssl, or strace can have an exploit because of a bug in the kernel. Programs rely on libraries and the kernel itself; you can't guarantee anything unless you know every bit of code your program interacts with or depends on is bug free. There are also circumstances where something that was once fine becomes a 'bug' due to new functionality (or bugs) added elsewhere (see above).

As for your PHP message board, if you have it running on the same system it was 'about three years ago' then it's vulnerable. You must be doing something seriously wrong, and should learn some basic security before attempting writing web applications.

strcpy and gets were once considered fine functions as well.

--
Matthew S. Hallacy                  FUBAR, LART, BOFH Certified
http://www.poptix.net               GPG public key 0x01938203

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list