On Thu, Mar 1, 2012 at 4:18 PM, John Crenshaw <[email protected]> wrote:
> No, you've misunderstood. The average new not-really-a-developer has no concept of
> security. Every SQL query they write is vulnerable to injection. Every echo exposes their site to
> XSS vulnerabilities. Every form is vulnerable to CSRF. If they did anything with files in their
> script I may be able to read arbitrary files to their server and/or upload and execute arbitrary
> scripts. If they used eval() or system() I can probably execute arbitrary shell code and take
> control of the entire site. If their server is badly configured I could capture the entire machine.
>
PHP is as vulnerable as you make it,
> This isn't a question of keeping software updated and not using deprecated functions, this
> is a question of discipline that is completely missing among the "unwashed masses" as you
> call them. The intuitive way to handle many of the most common PHP tasks is also the completely
> insecure way. Philosophically, I wonder if we do a great disservice by encouraging these people to
> tinker with code at all. We do so knowing (or at least we should know) that anything they create
> will inevitably be hacked. We fuel the widespread security problems that currently plague the web.
>
> John Crenshaw
> Priacta, Inc.
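As an added illustration of the three idioms the quoted message names (the string-built SQL query, the raw echo, the token-less form), here is each insecure pattern beside a hardened form. This is example code, not from the thread or any project discussed in it; the `$pdo` connection, the `users` table, the `/transfer` action and the session key `csrf_token` are assumed names for the illustration.

```php
<?php
// Added example (not part of the original mailing-list thread): the "intuitive"
// PHP idioms the quoted message refers to, each beside a hardened form.
// Assumes a PDO connection $pdo and PHP sessions; table and field names are illustrative.

declare(strict_types=1);

// --- 1. SQL injection: string-built query vs. prepared statement -------------
function findUserInsecure(PDO $pdo, string $name): array {
    // Attacker-controlled $name is concatenated straight into the SQL text.
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function findUserSafe(PDO $pdo, string $name): array {
    // Parameterised query: the driver sends $name as data, never as SQL.
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- 2. XSS: raw echo vs. context-appropriate escaping ------------------------
function greetInsecure(string $name): string {
    // Whatever the user typed is emitted as HTML markup.
    return "<p>Hello, $name</p>";
}

function greetSafe(string $name): string {
    // Escape for the HTML body context; ENT_QUOTES also covers attribute values.
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Hello, $escaped</p>";
}

// --- 3. CSRF: form with no token vs. per-session token that is verified -------
function renderFormInsecure(): string {
    // Any third-party page can submit this form on the victim's behalf.
    return '<form method="post" action="/transfer">'
         . '<input type="submit" value="Send"></form>';
}

function csrfToken(): string {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        // 256-bit token from the CSPRNG, stored server-side in the session.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function renderFormSafe(): string {
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/transfer">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="submit" value="Send"></form>';
}

function csrfTokenIsValid(array $post): bool {
    // Reject a missing or mismatched token; hash_equals avoids timing leaks.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}
```

In a POST handler the state-changing work happens only after `csrfTokenIsValid($_POST)` returns true; the escaping in `greetSafe` is specific to HTML body and attribute contexts, so output placed inside JavaScript, URLs or CSS needs the escaping rules of that context instead.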