[ale] Well, this does nothing for the reputation of Linux

Andy Borgmann andy at borgmann.me
Mon Jul 22 12:14:39 EDT 2013


Mike -

Ha.  Loved your post.  Especially the Hitler comment :)  So funny.

"I'm decent with PHP, it's what I do almost all day every day, and I find
new ways to do stupid things with it all the time. Having torn apart a few
PHP frameworks like CodeIgniter and Kohana, as well as some Ruby on Rails
apps, I think frameworks provide a false sense of security and make it even
easier to do stupid things quickly." - this is why I prefer not to use
frameworks like CodeIgniter but do custom coding.  The thought (maybe
wrong) is that hackers look for what is easiest, so they will try stuff
that breaks CodeIgniter and WordPress and phpBB and the like more than
trying to figure out the intricacies of the custom code.

I'll have to look into the binary injection stuff.  I always just tried the
' OR 1=1' type of stuff to make sure it was secure.  Thanks for that.

--
Andy Borgmann

E-mail: andy at borgmann.me
Cell Phone: (404) 492-6527
Personal Website: http://andy.borgmann.me/

"Preach the Word; be prepared in season and out of season; correct,
rebuke and encourage - with great patience and careful instruction." -
2 Timothy 4:2


On Mon, Jul 22, 2013 at 11:00 AM, Mike Harrison <cluon at geeklabs.com> wrote:

>> I have been following this debate about PHP. To summarize:
>>
>> 1. PHP has some problems that can easily lead to website vulnerabilities
>> if the programmer does not take precautions to prevent them. PHP appears to have
>> more of these problems than Python/Django, Ruby on Rails, or .NET. So if
>> you can use something else, this is the preferred route.
>>
>
> You are confusing a language with a language + framework.
> Frameworks often add some de-tainting and sanitizing to a language.
> Those features are often bypassed by brogrammers and webdudes.
>
>
>> Also, isn't SQL injection pretty much fixed with Magic Quotes?  I had a
>>
> Nope. There are so many ways to do "sql injection" and "code injection"
> in ANY language it is almost always possible to find a way in and do
> something stupid. Have you seen the binary injection method with strings
> like 0x... ?? or systems that also use "--" as an SQL delimiter?
> Or just plain stupid code that allows "  '; drop table users ; "
> and people that use phpMyAdmin for database server configurations
> and grant all perms to any user.
>
> PHP is a wonderful "swiss army knife" for web apps... and just like that
> knife, easy to get your fingers pinched, or cut or stabbed.
> As a language, it sucks in many many ways. As a tool, it's very useful.
> Like all tools, you gotta be careful with what you are doing.
> I own a nice chainsaw for small jobs and emergencies... I pay a
> professional to do any serious tree work.
>
> I'm decent with PHP, it's what I do almost all day every day, and I find
> new ways to do stupid things with it all the time. Having torn apart a few
> PHP frameworks like CodeIgniter and Kohana, as well as some Ruby on Rails
> apps, I think frameworks provide a false sense of security and make it even
> easier to do stupid things quickly.
>
> For example: Frameworks usually attempt to re-invent
> credential/authentication methods with some magic cookie / session kludge
> instead of using what has been built into the web and browsers since the
> old codger days. And most of them don't check the embedded components for
> any auth past the first page. i.e., once you have a valid cookie, it all
> works until that cookie expires, and many things don't even check for the
> cookie.
>
> This is a religious argument, let's cut straight to the inevitable
> end result:  What language would Hitler have coded in?
>
> Going back to work..
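Added example, not part of either Andy's or Mike's message: Andy's ' OR 1=1 check, Mike's "--" case, and a numeric-context case worked through side by side, showing exactly which of them quote-escaping (what magic quotes / addslashes did) stops and why bound parameters stop all of them. It is written in Python with the standard-library sqlite3 module rather than PHP because, as Mike says, the pattern is the same in any language, and SQLite runs with no server. The users table, the sample inputs and the escape_quotes helper are constructed for this example; escape_quotes stands in for magic_quotes_gpc (SQLite doubles single quotes instead of backslash-escaping them, which does not change the lesson).

```python
import sqlite3


def make_db():
    """Constructed sample data: a two-row users table in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def escape_quotes(value):
    """Stand-in for magic_quotes / addslashes: neutralise the quote character only.
    SQLite's escape for a single quote is doubling it, so that is what is done here."""
    return value.replace("'", "''")


def login_concat(conn, name, password, escape=False):
    """Vulnerable pattern: the query text is built by string concatenation.
    With escape=True the inputs go through the magic-quotes stand-in first."""
    if escape:
        name, password = escape_quotes(name), escape_quotes(password)
    sql = f"SELECT id FROM users WHERE name = '{name}' AND password = '{password}'"
    return sorted(row[0] for row in conn.execute(sql))


def user_by_id_concat(conn, user_id, escape=False):
    """Vulnerable pattern in a numeric context: the value is not quoted at all,
    so quote-escaping has nothing to act on."""
    if escape:
        user_id = escape_quotes(user_id)
    sql = f"SELECT name FROM users WHERE id = {user_id}"
    return sorted(row[0] for row in conn.execute(sql))


def login_param(conn, name, password):
    """Fixed pattern: placeholders; the driver sends values separately from the SQL text,
    so input is never parsed as SQL regardless of which characters it contains."""
    rows = conn.execute("SELECT id FROM users WHERE name = ? AND password = ?",
                        (name, password))
    return sorted(row[0] for row in rows)


def user_by_id_param(conn, user_id):
    """Fixed pattern for the numeric context: the bound text '1 OR 1=1' is compared
    as a value against the integer column and simply matches nothing."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return sorted(row[0] for row in rows)


def run_checks():
    """Run every input through every pattern and return what each query yields."""
    conn = make_db()
    tautology = "' OR '1'='1"   # Andy's test: closes the literal, adds an always-true clause
    comment = "alice' --"       # Mike's "--" case: comments out the rest of the WHERE clause
    numeric = "1 OR 1=1"        # unquoted context: no quote character involved at all
    return {
        "concat_tautology": login_concat(conn, "alice", tautology),          # every user id
        "escaped_tautology": login_concat(conn, "alice", tautology, True),   # nothing
        "concat_comment": login_concat(conn, comment, "wrong"),              # alice, no password
        "escaped_comment": login_concat(conn, comment, "wrong", True),       # nothing
        "concat_numeric": user_by_id_concat(conn, numeric),                  # every user
        "escaped_numeric": user_by_id_concat(conn, numeric, True),           # still every user
        "param_tautology": login_param(conn, "alice", tautology),            # nothing
        "param_comment": login_param(conn, comment, "wrong"),                # nothing
        "param_numeric": user_by_id_param(conn, numeric),                    # nothing
        "param_valid": login_param(conn, "alice", "s3cret"),                 # the real login
    }


if __name__ == "__main__":
    for case, result in run_checks().items():
        print(f"{case:20s} -> {result}")
```

The point the table of results makes is the one in the reply above: escaping quotes does close the two quoted-string holes, but it is irrelevant to `WHERE id = 1 OR 1=1`, because nothing there is quoted, and magic quotes was silently doing nothing for every numeric column in the application. Bound parameters give the same empty result for all three inputs without the code having to know which characters are dangerous in which context.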