From owner-freebsd-questions@FreeBSD.ORG Wed Dec 8 00:58:00 2010
From: Chuck Swiger
To: Da Rock
Cc: freebsd-questions@freebsd.org
Date: Tue, 07 Dec 2010 16:57:39 -0800
Subject: Re: Shopping cart other than OSCommerce?
In-reply-to: <4CFED0D4.3090108@herveybayaustralia.com.au>
References: <3374599093-437630056@intranet.com.mx> <4CFED0D4.3090108@herveybayaustralia.com.au>
X-Mailer: Apple Mail (2.1082)
List-Id: User questions

On Dec 7, 2010, at 4:27 PM, Da Rock wrote:
> One to point out the obvious, and two to clarify your view here: why not PHP? PHP was the scripting used, but if used poorly it will create a security risk in the web app. That means that the vulnerability is the coder's problem, not PHP itself. God knows how many references there are to what not to do for security reasons on the PHP site.
>
> Vulnerabilities due to bad coding are not the fault of the language used, otherwise we wouldn't be using C, C++, etc.
>
> I ask because I'm coding web apps in PHP myself, and I'm curious to know if my view is in error...

I would disagree and argue that vulnerabilities due to bad coding often reflect flaws in the language being used. For example, a vast range of buffer overflows, null pointer dereference issues, etc. are entirely a consequence of C-based languages which permit arbitrary pointer arithmetic. Tools like valgrind and Purify were later created to help add runtime array and memory buffer bounds-checking to C/C++, which other languages (Java, Python, etc.) already provide by raising an "index out of range" exception or similar.

As for PHP and security, well, when someone ends up getting married to three abusive drunks in a row, there is more going on with that than random chance or even bad luck. I've got an archive of a couple of years' worth of list traffic from full-disclosure & bugtraq@securityfocus, and nearly a third of the messages involve PHP or software written in PHP. That's about twice as many as the next largest category, which is vulnerabilities in Windows (including stuff like Adobe Flash/Reader).

Regards,
--
-Chuck
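The point about C permitting unchecked writes where other languages raise an "index out of range" error, shown as an added example that is not part of the thread: a fixed-size field filled by an unchecked `strcpy()` beside a checked version that refuses input that does not fit. The `struct record`, its sizes and the inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Constructed record with a fixed-size field followed by a flag. With the
 * usual layout the flag sits directly after name[] in memory. */
struct record {
    char name[NAME_LEN];
    int  admin;
};

/* Unchecked copy: strcpy() trusts the caller. If src is NAME_LEN bytes or
 * longer, the copy keeps writing past name[] into whatever follows it;
 * C itself performs no bounds check. This is the vulnerable pattern.
 * Returns the number of bytes strcpy() wrote (including the NUL). */
size_t set_name_unchecked(struct record *r, const char *src)
{
    strcpy(r->name, src);
    return strlen(src) + 1;
}

/* Checked copy: does by hand what a bounds-checked language does for you,
 * rejecting the write instead of corrupting memory.
 * Returns 0 on success, -1 if src does not fit (record left untouched). */
int set_name_checked(struct record *r, const char *src)
{
    size_t n = strlen(src);
    if (n >= NAME_LEN)
        return -1;                 /* would overflow: refuse to write */
    memcpy(r->name, src, n + 1);   /* n + 1 copies the terminating NUL */
    return 0;
}

int main(void)
{
    struct record r = { "", 0 };
    /* constructed input: 20 characters, longer than the 16-byte field */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAA";

    if (set_name_checked(&r, too_long) == -1)
        printf("rejected: %zu bytes do not fit in %d\n",
               strlen(too_long), NAME_LEN);
    printf("admin flag still %d, name still \"%s\"\n", r.admin, r.name);
    return 0;
}
```

The unchecked variant is only ever called here with input that fits; with `too_long` it would overwrite `admin`, which is exactly the behaviour the checked variant turns into an error return.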