Python or PHP?

Tim Tyler tim at tt1lock.org
Sun Apr 24 05:03:26 EDT 2005


Mage <mage at mage.hu> wrote or quoted:
> Tim Tyler wrote:
> >Mage <mage at mage.hu> wrote or quoted:

> >>check this: http://wiki.w4py.org/pythonvsphp.html
> >
> >Good - but it hardly mentions the issue of security - which seems
> >like a bit of a problem for PHP at the moment.
>
> I don't think so. Bad programmers are able to write bad programs in any
> language. Maybe there are more bad php programmers than python
> programmers and the 70% of the dynamic world wide web is copied from
> user comments in the php.net/manual. However one of the worst cases is
> the sql injection attack. And sql injections must be handled neither by
> php nor by python but by the programmer.

SQL injection "only" gives you access to the database and its contents.

A bigger problem in practice for PHP at the moment is the way
fopen can allow access to the entire filing system.

That does things such as allowing trivial programming mistakes to expose
the unix password file to attackers - exposing not just the particular
site's database - but all users on the machine (on machines not using
shadow passwords) with passwords subject to dictionary and brute force
attacks.

The current defense involves switching off fopen - but unfortunately,
that rather cripples many PHP programs.
-- 
__________
 |im |yler  http://timtyler.org/  tim at tt1lock.org  Remove lock to reply.
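The fopen problem the message describes, as an added example that is not part of the original post: a file path built straight from request input beside a version that confines the resolved path to one directory. The function names, the temporary directory and the two sample files are constructed for this demonstration.

```php
<?php
// Added example, not code from the original message. Demonstrates the
// unconfined fopen() pattern and a containment check that keeps a
// user-supplied file name inside one base directory.

// Vulnerable pattern: the request parameter becomes part of the path
// unchanged, so a name that walks out of $dir is opened just the same.
function open_unsafe(string $dir, string $name)
{
    return fopen($dir . '/' . $name, 'r');
}

// Hardened pattern: resolve both paths with realpath(), then require the
// resolved target to sit under the resolved base directory.
// Returns a stream on success and null on any failure or escape attempt.
function open_contained(string $dir, string $name)
{
    $base = realpath($dir);
    if ($base === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // realpath() returns false for a missing file, which is also rejected.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return fopen($target, 'r');
}

// Constructed layout: one file inside the document directory and one
// directly outside it, both created under the system temp directory.
$tmp  = sys_get_temp_dir();
$docs = $tmp . '/docs_' . uniqid();
mkdir($docs);
file_put_contents($docs . '/readme.txt', "inside\n");
file_put_contents($tmp . '/outside_' . basename($docs) . '.txt', "outside\n");
$escape = '../outside_' . basename($docs) . '.txt';

$ok = open_contained($docs, 'readme.txt');   // stream: allowed
$no = open_contained($docs, $escape);        // null: rejected by the check
if ($ok !== null) {
    fclose($ok);
}

// Clean up the constructed files.
unlink($docs . '/readme.txt');
unlink($tmp . '/outside_' . basename($docs) . '.txt');
rmdir($docs);
```

The check compares resolved paths rather than inspecting the raw name, so symlinks and `..` sequences are handled by the filesystem resolution instead of by string filtering. Where the application code cannot be changed, PHP's `open_basedir` ini directive restricts the file functions to a listed set of directories server-wide, which is a narrower remedy than disabling fopen altogether.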