[Sussex] FW: Important message regarding PHP contact scripts
Jon Fautley
jfautley at redhat.com
Thu Dec 8 12:22:03 UTC 2005
Steve Dobson wrote:
> Guys
>
> This came over the wire today. I post it here so the word gets out.
I would hope that this message doesn't apply to anyone here.
Passing user input straight to a function such as mail(), system() etc?
Jeez...
PHP is becoming the new IIS - people just stick it out there thinking
it'll be secure and safe. It's still a very complex programming
language. While you can often get away with writing crappy code in most
languages - you can't in PHP. *ANYTHING* web-facing should be checked,
rechecked and then checked again. This email is proof of that.
While I'm not overly impressed with PHP's security track record, I can't
help but think that a large number of web-attacks would go away if
people would actually learn to code correctly.
Anyway, I'll stop ranting now... ;)
Jon
--
Jon Fautley <jfautley at redhat.com> direct: +44 1483 739615
Technical Account Manager office: +44 1483 300169
Red Hat UK mobile: +44 7841 558683
10 Alan Turing Road, Surrey Research Park, Guildford GU2 7YF
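A contact-form handler that checks every field before anything reaches mail(), as an added example that is not part of Jon's post or of any Red Hat code; the field names, length limits and the placeholder recipient address are assumptions made for illustration.

```php
<?php
// Added example (not from the original mailing-list post): a contact-form
// handler that validates its inputs before calling mail(). Field names,
// limits and the recipient address are assumptions for illustration.

const RECIPIENT = 'webmaster@example.invalid'; // placeholder, not a real address

// Mail header fields are terminated by CR/LF, so a user-supplied value that
// is going to land in a header must contain neither, nor a NUL byte.
function clean_header_value(string $value, int $max_len): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $max_len) {
        return null;
    }
    if (preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    return $value;
}

// Returns the validated fields, or null if any check fails.
function validate_contact(array $post): ?array
{
    $name  = clean_header_value($post['name'] ?? '', 100);
    $email = clean_header_value($post['email'] ?? '', 254);
    $body  = trim($post['message'] ?? '');

    if ($name === null || $email === null || $body === '' || strlen($body) > 5000) {
        return null;
    }
    // Syntactic e-mail check; the address is the only user value used in a header.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return ['name' => $name, 'email' => $email, 'body' => $body];
}

$fields = validate_contact($_POST);
if ($fields === null) {
    http_response_code(400);
    exit('Invalid form submission.');
}

// Fixed recipient, fixed subject and a fixed From; the sender's name goes in
// the body, and only the validated address is used for Reply-To.
$headers = 'From: ' . RECIPIENT . "\r\n" . 'Reply-To: ' . $fields['email'] . "\r\n";
$text    = 'Message from ' . $fields['name'] . ":\n\n" . $fields['body'];
mail(RECIPIENT, 'Website contact form', $text, $headers);
```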