[ale] Seven Deadly Sins - PHP

Frank Zamenski fzamenski at voyager.net
Tue Jun 10 21:05:41 EDT 2003
> Our own Bob Toxen spoke on the seven deadly sins of Linux
> security at the Linux Forum last week in Santa Clara, Calif.
> A new story on his talk is available at:
> 
> <http://searchenterpriselinux.techtarget.com/originalContent/0,289142,sid39_gci904844,00.html>
> 
> and if that doesn't work, try this link:
> 
> <http://makeashorterlink.com/?R2FE121E4>
> 
> 
> Interesting read.
> 
> Sean
> 

Thanks for that, it was interesting. (BTW, I had to use the 
makeshorterlink). Please pardon my appending the original subject line, 
I'm hoping to generate some discussion (well, except I'll just be 
reading it).

The PHP part in "Deadly sin No. 4" caught my attention: 

"On Toxen's "don'ts" list: Don't use PHP, even though it's convenient."
 
I've read this list long enough to recognize that Bob Toxen is a pro's 
pro, and when I see statements like that coming from him, I get 
paranoid. I'm a Solaris SA responsible for several webservers, and not 
a programmer by any stretch, but we have web developers that seem to be 
embracing PHP with unbridled passion. As such, I'm beginning to feel 
like I'm sitting on the systems sidelines wondering what the heck is 
going on here? What is its utility (or fascination?) that seems to make 
this the web dev tool of the year? Questions:

1). is PHP just bad programming practice in general? (and if so, what 
could or should be used instead?)
2). what kinds of admin headaches am I opening myself up for, anyway?
3). related... what should I be looking for in system and web portal 
logs, especially in terms of attacks?

I guess what I need is a good primer on this stuff, like a 'What Every 
SA Must Know About PHP', if you will.

4). any recommendations for a quick, yet thorough, PHP read?

I've also become acutely aware as of late that this stuff seems to be 
very buggy in general, and seems to also be causing headaches for the 
developers in no predictable manner. In short, it likes to crash, and 
I'm being enlisted more and more to assist in running Solaris 
diagnostics on this stuff (for what good it seems to be doing so far), 
and in playing with ulimits, and frankly, I don't think anyone has a 
clue (and I know I don't).

5). soliciting anybody else's experience(s)?
6). open for anything else....

I've been to the PHP website also. The issues people are having with 
this are just short of stunning.

Thanks.
fgz


_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale