Php why must your apps suck so?

Toshio Kuratomi a.badger at gmail.com
Wed Oct 24 22:38:05 UTC 2007


Paulo Santos wrote:
> Drupal + SELinux + mod_security ?!
> 
It looks like the combination of SELinux and mod_security will cover the
range of exploits as long as we have policy that covers all the
approaches in both SELinux and mod_security.  I have some misgivings
about running software that I know is going to need third party tools to
enforce security rather than having the extra checks be part of
defense in depth but it seems that that would work.

And in answer to the subject, "Php why must your apps suck so?" the
unfortunate answer is that it's built into the language.  <?php $USERVAR
?> and <?php echo $USERVAR ?> are inherently bad because they don't html
escape $USERVAR, yet this is the method used by practically all php code to
output variables to the page.

Many Python web frameworks address this issue in the framework by 
automatically html escaping any variable which is displayed in the 
template.  Notably, kid and genshi (the template languages we're using 
for our TG deployments) work this way.  PHP, on the other hand, makes 
constant vigilance necessary.

-Toshio
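As an added example, not part of the original message and written in Python rather than PHP: a toy template renderer with the two output behaviours contrasted above (raw substitution, as with a bare `echo $var`, versus Kid/Genshi-style autoescaping with an explicit "trusted markup" opt-out), plus a small audit regex that flags direct `echo $var` in PHP templates so the constant vigilance the message mentions can be scripted. The `${name}` template syntax, the `Markup` class and the sample PHP source are constructed for this example.

```python
import html
import re


class Markup(str):
    """Marker for HTML the developer has explicitly vouched for; left unescaped."""


# Constructed template syntax for the example: ${name} substitutes a context variable.
_VAR = re.compile(r"\$\{(\w+)\}")


def render_raw(template, **ctx):
    """PHP 'echo $var' behaviour: values are pasted into the page verbatim."""
    return _VAR.sub(lambda m: str(ctx[m.group(1)]), template)


def render_autoescaped(template, **ctx):
    """Kid/Genshi-style behaviour: every value is HTML-escaped unless marked as Markup."""
    def sub(m):
        value = ctx[m.group(1)]
        if isinstance(value, Markup):
            return value  # explicitly trusted HTML passes through
        return html.escape(str(value), quote=True)  # escapes < > & " '
    return _VAR.sub(sub, template)


# Audit aid: a PHP echo of a bare variable with no function call wrapped around it.
# Matches "<?php echo $x ?>" and the short form "<?= $x ?>"; a wrapped
# "<?php echo htmlspecialchars($x, ...) ?>" does not match.
_UNESCAPED_ECHO = re.compile(r"<\?(?:php\s+echo|=)\s*\$(\w+)\s*;?\s*\?>")


def find_unescaped_echoes(php_source):
    """Return the names of variables echoed straight into the page, in source order."""
    return _UNESCAPED_ECHO.findall(php_source)


# Constructed sample PHP template (not real project code) for the audit function.
SAMPLE_PHP = """<h1><?php echo $title ?></h1>
<p><?= $USERVAR ?></p>
<p><?php echo htmlspecialchars($comment, ENT_QUOTES, 'UTF-8') ?></p>
"""

if __name__ == "__main__":
    untrusted = "<b>Mallory</b> & co."
    print(render_raw("<p>Hi ${name}</p>", name=untrusted))
    print(render_autoescaped("<p>Hi ${name}</p>", name=untrusted))
    print(find_unescaped_echoes(SAMPLE_PHP))
```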