[nycphp-talk] PHP-related book comments
John Lacey
jlacey at att.net
Tue Jul 13 15:05:49 EDT 2004
In preparation for writing two security courses -- a security survey and
a security tools course -- the usual suspects among the latest reference
books were purchased, as well as Knoppix STD. BTW, my area of
expertise has primarily been in LAN/WAN networking, TCP/IP and routing
protocols, and forensics. One book that I hadn't seen before is
"Exploiting Software: How to Break Code" by Greg Hoglund and Gary
McGraw. Overall, it's not a bad book for the most part. It was
published Feb. 2004.
One small section that I took issue with and am about to write the
authors about is their characterization of PHP. I quote:
from page 190:
"In many cases, software may come preset with various parameters set by
default. In many cases, the default values are set with no regard for
security..." The authors go on to mention PHP global variables and
characterize PHP as follows: "In seriously broken languages like PHP, a number
of default configurations are poorly set."
First, the authors apparently don't know anything about PHP 4.2.0, which,
I believe, was released over 2 years ago. Ironically, their next
paragraph begins with "In the interest of convenience (laziness?), some
programmers..."
Seems the authors were too lazy to check their facts. It makes me
wonder if they've even bothered to research their subject to find a file
called php.ini-recommended.
Further down the page is this paragraph:
"PHP is a study in bad security." I believe that if the authors had
said something like "phpBB is a study in bad security" they might have
stated the problem correctly.
So, before I send an email to these guys, is there anything else I
should point out?
John
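The "PHP global variables" the post refers to are the register_globals directive, which turned every request parameter into a global variable and which PHP 4.2.0 switched to Off by default (php.ini-recommended ships it Off as well). The following is an added example, not code from the post, from the book, or from the PHP project: it shows the classic bypass beside a hardened version and a small runtime check for the directive. Because register_globals was removed in PHP 5.4, extract() is used to emulate the old behaviour so the snippet runs on a current interpreter; the admin gate, the $user/$authorized names and the sample requests are constructed for illustration.

```php
<?php
// Added example (not from the post, the book, or the PHP project).
// Emulates register_globals=On with extract() so the hazard is visible on
// modern PHP; the request arrays below are constructed sample input.

// Vulnerable form: relies on $authorized never being set by anyone else.
function vulnerable_is_admin(array $request): bool
{
    // register_globals=On: each query parameter becomes a variable here,
    // so a request like /admin.php?authorized=1 defines $authorized
    // before the check runs.
    extract($request);
    if (isset($user) && $user === 'admin') {
        $authorized = true;      // assigned only on success, never initialized
    }
    // When the attacker supplied "authorized", this is attacker-controlled.
    return !empty($authorized);
}

// Hardened form: initialize security state, read input explicitly.
function hardened_is_admin(array $request): bool
{
    $authorized = false;                 // default-deny, set before any input
    $user = $request['user'] ?? null;    // read from the request array only
    if ($user === 'admin') {
        $authorized = true;
    }
    return $authorized;
}

// Deployment check: true only on an interpreter where the directive exists
// and is enabled (PHP < 5.4). ini_get() returns false for unknown directives.
function register_globals_enabled(): bool
{
    $value = ini_get('register_globals');
    return $value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

// Constructed requests: a forged one carrying only "authorized",
// and an honest one carrying the expected user name.
$forged = ['authorized' => '1'];
$honest = ['user' => 'admin'];

echo "vulnerable, forged request: ";
var_dump(vulnerable_is_admin($forged));
echo "hardened, forged request:   ";
var_dump(hardened_is_admin($forged));
echo "hardened, honest request:   ";
var_dump(hardened_is_admin($honest));
echo "register_globals enabled:   ";
var_dump(register_globals_enabled());
```

The point of the pair is the post's own: the weakness is a default that made untrusted input indistinguishable from program state, and the fix (initialize before use, read $_GET/$_POST explicitly) is the same one the php.ini-recommended default of register_globals = Off pushed developers toward in 2002.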