Gezim Hoxha wrote:
> With all that's been said in this thread, and all that has been observed
> (i.e. a large number of PHP vulnerabilities--please don't try and defend
> this; the common thing that everyone agrees on is that PHP tries to
> cater to all users (not necessarily programmers, which can make it
> insecure), I'm going to ask two questions:
>
> 1.) If I have to write PHP, how do I write secure PHP? Give me a number
> of ensures that I can follow and check-mark each and live a happy
> life--for the most part.
>
Program defensively:

* validate all inputs
o use a white-list, not a black-list
* check all parameters
* check all return/error codes
* handle all exceptions

Test your system:

* check for SQL injection vulnerabilities
* check for XSS

Wrap it in AppArmor http://en.opensuse.org/AppArmor for when you screw
up ^W^W don't do all the above perfectly.

> 2.) From a security standpoint what is a better, open-source replacement
> to PHP?
>
Ruby, Python, Java, C#, all of which are type safe, and therefore much
more secure. All have open source implementations, including C#
http://www.mono-project.com/Main_Page

Crispin

--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Necessity is the mother of invention ... except for pure math

[ reply ]