[Sussex] FW: Important message regarding PHP contact scripts

Jon Fautley jfautley at redhat.com
Thu Dec 8 12:22:03 UTC 2005


Steve Dobson wrote:
> Guys
> 
> This came over the wire today.  I post it here so the word gets out.

I would hope that this message doesn't apply to anyone here.

Passing user input straight to a function such as mail(), system(), etc.? 
Jeez...

PHP is becoming the new IIS - people just stick it out there thinking 
it'll be secure and safe. It's still a very complex programming 
language. While you can often get away with writing crappy code in most 
languages - you can't in PHP. *ANYTHING* web-facing should be checked, 
rechecked and then checked again. This email is proof of that.

While I'm not overly impressed with PHP's security track record, I can't 
help but think that a large number of web-attacks would go away if 
people would actually learn to code correctly.

Anyway, I'll stop ranting now... ;)

Jon
-- 
Jon Fautley <jfautley at redhat.com>     direct: +44 1483 739615
  Technical Account Manager            office: +44 1483 300169
  Red Hat UK                           mobile: +44 7841 558683
  10 Alan Turing Road, Surrey Research Park, Guildford GU2 7YF
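The pattern Jon objects to, user input handed straight to mail(), is what makes the old contact-script header-injection bug possible. The handler below is an added example, not code from the post or from any script it refers to; it assumes a fixed site recipient (webmaster@example.org is a placeholder) and shows the validation a contact form should do before anything reaches mail(). Anything destined for a mail header is rejected, not "cleaned", if it carries a line break, and user data is never passed to system() at all.

```php
<?php
// Added example: a contact-form handler that refuses to hand raw request
// data to mail(). The classic bug is a CR/LF in a user-controlled header
// value, which lets extra headers (e.g. more recipients) be smuggled in.

function valid_header_value(string $v, int $maxLen = 200): bool
{
    // A header value must be a single line: no CR, LF or NUL anywhere.
    return strlen($v) <= $maxLen && preg_match('/[\r\n\0]/', $v) === 0;
}

function build_contact_mail(array $post): array
{
    // Fixed recipient: never taken from the request. (placeholder address)
    $to      = 'webmaster@example.org';
    $from    = trim((string)($post['email'] ?? ''));
    $name    = trim((string)($post['name'] ?? ''));
    $subject = trim((string)($post['subject'] ?? ''));
    $body    = (string)($post['message'] ?? '');

    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('sender address is not a valid e-mail address');
    }
    foreach (['name' => $name, 'subject' => $subject] as $field => $value) {
        if ($value === '' || !valid_header_value($value)) {
            throw new InvalidArgumentException("$field is empty, too long, or contains a line break");
        }
    }

    // The body is not a header, so newlines are fine there; the sender's
    // name goes into the body rather than into a From: display name.
    $text = "Contact form message from: $name <$from>\r\n\r\n" . $body;

    // From: is a site address; the visitor's address only ever appears in
    // Reply-To, and only after it passed FILTER_VALIDATE_EMAIL.
    $headers = "From: noreply@example.org\r\n"
             . "Reply-To: <$from>\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";

    return ['to' => $to, 'subject' => $subject, 'body' => $text, 'headers' => $headers];
}

// Usage from the form handler:
//   $m = build_contact_mail($_POST);
//   mail($m['to'], $m['subject'], $m['body'], $m['headers']);
// On InvalidArgumentException, log the rejected field and return an error
// page; do not fall back to sending with the offending value.
```

Logging the rejections is worthwhile in its own right: a contact form that suddenly receives names or subjects containing CR/LF is being probed, and that is an easy thing to alert on.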