in reply to Security - Perl, PHP or ASP?

Security is mostly independent of the actual language. From time to time, there might be vulnerabilities in the underlying language interpreter, but I think it would be hard to make an objective comparison between Perl and PHP that way. In either case, the most common source of security problems by far will be in the code being executed, not the interpreter. That means your security will be almost entirely dependent on your programmers.

Note that in mod_perl, you have access to the underlying Apache API, which mod_php does not provide. This increases the risk of bad code producing a security problem. However, this doesn't mean Perl/mod_perl is insecure; it only means that there is even more burden on your programmers to do a good job.

----
I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
-- Schemer

:(){ :|:&};:

Note: All code is untested, unless otherwise stated

Re: Re: Security - Perl or PHP?
by Jenda (Abbot) on Oct 19, 2003 at 18:15 UTC

    Agreed completely. Most programmers do not give a damn about security and most books do not stress (or even at least mention) it enough. :-(

    <div mode="Oh well">We (Prague office of Monster Worldwide) are currently hiring and give the potential employees a test (in ASP or ASP.Net since that's what most of the development is done in :-(
    A simple form to be validated and submitted into a database. None of the ones using ASP ever escaped the data printed into <input type="text" name="..." value="HERE"> when redisplaying the form in case of a validation error, 80% of them insert the data into the database by building an INSERT SQL statement containing the form data and none of those cared to escape the data.

    And at the same time most of them have (according to their CVs) several years of experience with web programming :-(</div>

    Jenda
    Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.
       -- Rick Osborne

    Edit by castaway: Closed small tag in signature
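
The two omissions described in the reply above (form data redisplayed unescaped in a `value="..."` attribute, and an INSERT built by pasting form data into the SQL text), shown in Perl next to the corrected forms. This is an added example, not code from the thread. It assumes DBI with DBD::SQLite is installed; the table name, field name and sample input are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;    # assumption: DBI and DBD::SQLite are installed

# Constructed form input: ordinary data that happens to contain
# characters with meaning in both HTML and SQL.
my %form = ( name => q{Anna "Ann" O'Brien <anna@example.com>} );

# Escape for an HTML attribute or text node (HTML::Entities'
# encode_entities does the same job).
sub html_escape {
    my ($s) = @_;
    my %ent = ( '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                '"' => '&quot;', "'" => '&#39;' );
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Redisplaying the form after a validation error.
sub input_unescaped { return qq{<input type="text" name="name" value="$_[0]">} }
sub input_escaped   { return qq{<input type="text" name="name" value="} . html_escape($_[0]) . qq{">} }

my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 } );
$dbh->do('CREATE TABLE applicants (name TEXT)');

# What the test answers did: form data pasted into the statement text.
# The apostrophe ends the string literal early, so the rest of the
# input is parsed as SQL instead of being stored as data.
my $built = "INSERT INTO applicants (name) VALUES ('$form{name}')";
my $ok = eval { $dbh->do($built); 1 };
print "concatenated INSERT: ", ( $ok ? "ran" : "rejected as malformed SQL" ), "\n";

# Placeholder: the value is bound as data and never parsed as SQL.
$dbh->do( 'INSERT INTO applicants (name) VALUES (?)', undef, $form{name} );
my ($stored) = $dbh->selectrow_array('SELECT name FROM applicants');
print "bound INSERT stored the value intact: ",
    ( $stored eq $form{name} ? "yes" : "no" ), "\n";

# The unescaped tag ends its value attribute at the first double quote;
# the escaped tag carries the whole string as attribute text.
print "unescaped: ", input_unescaped( $form{name} ), "\n";
print "escaped:   ", input_escaped( $form{name} ), "\n";
```

The same two fixes exist in PHP and ASP (bound parameters for the database call, entity-encoding at output time), which is the point of the parent post: the language supplies the tools, the programmer has to use them.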