[HLUG] archiving software

Julian Robbins joolsr at fastmail.fm
Sat Jan 5 18:20:50 GMT 2008


Mark Broadbent wrote:
> On 05/01/2008, Alex Mace <alex at hollytree.co.uk> wrote:
>> Ahem, to my mind something being written in Python does not make it
>> more secure than something PHP, it's down to the programmer to
>> remember to properly filter input, encode output rather than the
>> language itself. PHP is an easy language to pick up which means that
>> you get a lot of programmers who don't know what they are doing. The
>> language itself is not a measure of security.
> 
> I would completely agree with that, no language I know of will protect
> you from things like cross-site scripting and SQL injection attacks.
> It's all down to the programmer at the end of the day.  I remember
> reading a few months ago about a university that had produced an app
> that could check your PHP code and tell the user where
> untrusted/external data was being passed to db functions or
> output to the end user.  It only supports PHP 4 though which was a bit
> of a stumbling block for me.

All true, but I do agree with Richard that PHP web scripts do seem to 
show more security vulnerabilities than Python-based ones.

Have a look at secunia.com for Plone and Joomla (an example of a well 
known well crafted PHP web CMS).

Plone: 3 security vulnerabilities, from 2003-2008 
http://secunia.com/product/9334/?task=statistics
Joomla: 12 security vulnerabilities, from 2003-2008 
http://secunia.com/product/5788/?task=statistics

(Both have been around since ~2005, although Plone 3 (not shown above) 
was released in late 2007.)

I know this isn't very representative, but I do believe that PHP-coded 
sites do seem to be a bit more prone to security issues... and the info 
above does tend to bear this out: 4 times more vulnerabilities for 
Joomla (PHP) than Plone (Python).

Just for interest, I also checked out Zope, the application 
server/database that Plone runs on (also written in Python); 5 issues 
since 2004, not bad at all. For interest, MySQL 4 had 21 vulnerabilities 
(!) in a similar period. MySQL isn't written in PHP, I know, but it 
demonstrates that a Joomla/MySQL server combination against a Plone/Zope 
web server one had 33 against 8 vulnerabilities, quite a big difference 
I think.

Julian


> 
>> I am a PHP programmer though, so I would say that...
> 
> I program in all sorts of languages but the security principles of all
> are the same: sanitise your input and be careful with what you output.
> 
> Thanks
> Mark
> 
>> On 4 Jan 2008, at 21:17, Richard Smedley wrote:
>>
>>> On Fri, 2008-01-04 at 20:46 +0000, George at dicegeorge.com wrote:
>>>> i am looking for some software
>>>> to index Jeremy Sandford's
>>>> writings and paintings and tapes and books
>>>> and publications...
>>>>
>>>> www.jeremysandford.org.uk
>>>>
>>>> id like it to be open source
>>>> and to work on windows and linux,
>>>> and to have a support network
>>>>
>>>> does anyone have any clues
>>>> to help me on my search?
>>> Hello George,
>>>
>>> It would be good to be clear about how much content you have, in
>>> what form, and how you'd like it published and accessible.
>>>
>>> However, the answer is still likely to be Plone :-)
>>> Plone is a content management system (CMS) most often used
>>> to publish to the web - though it can be used to publish content
>>> to other formats. It is popular, well-supported, and adaptable.
>>>
>>> Plone is Free Software, accessible to anyone with a web browser,
>>> and - as it is written in Python - heir to few of the security
>>> horrors of many PHP web solutions.
>>>
>>> Let me know if you'd like some help with this.
>>>
>>> Regards,
>>>
>>> - Richard
>>>
>>> --
>>> Richard Smedley,                                          rs at m6-it.org
>>> Technical Director,                                      www.M6-IT.org
>>> M6-IT CIC                                         +44 (0)779 456 07 14
>>>
>>> Sustainable Third Sector IT solutions. PRINCE2 [TM] Project Management
>>> Training * Certification * Support * Networking * Web * Database * CRM
>>>
>>> M6-IT is a Community Interest Company, limited by guarantee.
>>> Registered in England & Wales,                Registration No: 6040154
>>> 11 St Marks Road, Stourbridge, West Midlands, DY9 7DT
>>>
>>>
>>> Northern Office:       4, Hollins Green, Bradwall, Cheshire, CW10 0LA.
>>>
>>> Welsh office/ Swyddfa Gogledd Cymru: e-mail / e-bost - cymru at m6-it.org
>>>
>>> Southern Office: Bristol                     contact matthew at m6-it.org
>>>
>>>
>>>
>>>
>>> --
>>> Herefordshire LUG mailing list
>>> Web:  http://www.herefordshire.lug.org.uk
>>> List: https://mailman.lug.org.uk/mailman/listinfo/herefordshire
> 
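The point made above (that the language does not protect you, the programmer's input filtering and output encoding does) can be shown in Python itself. This is an added example, not code from the thread or from Plone/Joomla: a constructed in-memory SQLite table, a user lookup written the injectable way and the parameterised way, and an HTML render written with and without output encoding.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a tiny in-memory user table, not a real site.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: untrusted input pasted straight into the SQL text.
    # Python does nothing to stop this; it is the same mistake in any language.
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: a bound parameter keeps the data out of the query structure,
    # so quote characters in the input are just characters.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_unsafe(value: str) -> str:
    # Vulnerable: reflects the value into HTML without encoding (XSS).
    return f"<p>Hello {value}</p>"


def render_safe(value: str) -> str:
    # Hardened: encode on output so characters with HTML meaning are inert.
    return f"<p>Hello {html.escape(value, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # constructed injection-style input
    print(lookup_unsafe(db, probe))  # every row leaks
    print(lookup_safe(db, probe))    # no match, as intended
    print(render_unsafe("<b>"), render_safe("<b>"))
```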