Re: [tlug] Do you whitelist or blacklist utf-8?

[Nikolay Elenkov <nick@example.com>]

On 02/24/2011 05:43 PM, Darren Cook wrote:
> > And, yeah, for better security, don't use PHP :)
>
> Do you have any evidence to support that statement?

You've probably already seen the other replies, but the
number of PHP vulnerabilities was overwhelming a few years back.
I don't really follow any more, so maybe things have gotten better over 
time, but I kind of doubt i.
> Security always seems, to me, to be dominated by the programmer's
> understanding of security issues; language features are quite minor.
> I.e. the same programmer will write safe or dangerous code whichever
> language he uses.

I am pretty sure you could write a perfectly safe 30 000 line CGI in C, 
if you know what you are doing. But it's hard, and it's easier to make 
mistakes when you are dealing with low level code. The lower the level, 
the more code you have to write, the greater the chance of 
bugs/vulnerabilities, etc.

> (As far as I know, PHP has all the required functions for writing safe
> code, such as htmlspecialchars(), urlencode(), strip_tags(),
> filter_var(), regexes, etc.)

PHP makes it easy to deal with Web input/output, and because of this a 
lot of people don't use any higher level frameworks, just the (fairly 
low level) native PHP functions. It's hard to cover all the bases with 
those even if you know what you are doing, and most people starting off 
with PHP don't.