I have written a small application in PHP. When I was presenting it to a so-called expert, he said that "your application is really vulnerable now or of no use, as PHP4 itself has bugs or security holes".
Is that true?
What kind of security holes are there?
I find that, except for some functions, PHP4 and PHP5 are almost the same if I don't use OOP.
What's the fact?
Should we stop using PHP4?
What's the fact?
Does PHP4 have holes?
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
One can make that general level statement about almost any piece of software, as there are likely holes under certain circumstances.
Whether those holes are in the software itself or created via the product built from it depends on the specifics. Since your post doesn't go into specifics, I don't know how much confirmation we can give you.
There were a few security holes in older versions of PHP 4 and there are some potential vulnerabilities in various components of the system. If you want to know more, check the Hardened PHP project and Chris Shiflett's site.
That means, as a general user, if I make a site using all my own general skills, not going through each and every update of PHP, then my site will be easily hacked by even some advanced user of PHP.
Is that what it means?
OK, high-level security is OK... but I am concerned about holes in the language itself which are known by anyone, maybe some one-year user of PHP...
That way there is no use in making any site and using lots of time and effort.
Isn't it?
Should we stop using PHP 4?
- feyd
Sorry, for the most part, I'm having a tough time deciphering what you're saying.
As for whether we should stop using PHP 4.. while I'm an advocate for using PHP 5 (for various reasons) I cannot say definitively that people should stop using PHP 4. Given that it is still in development I have no problem with it, on the whole. The problem I have with its use is that hosts often trail quite a ways behind the releases of newer versions. That problem is on hosts, not developers.
I was trying to say:
from what you are saying, PHP4 itself is not crack-proof and the (PHP4) language itself provides many ways for crackers to crack sites...
Is that it?
By the way, what are the potential areas of security headache?
I found web defacing...
normally solved through not taking HTML special codes.
Second, SQL/web injection,
somewhat solved through taking data and validating it.
What others...?
I think that global variables off/on is more the concern of the server's security people rather than the simple programmer... on a shared host... isn't it?
By the way, please don't point me to some security posts... I have read many of them and all in all they tend to say these (URL injection... web defacing) but they present it in different ways.
So I want to discuss it here.
Thanks
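The two application-level issues named in the post above (markup injected into pages, and SQL injection), shown with their usual defences as an added example that is not part of the thread or written by any poster. It assumes a current PHP with the PDO SQLite driver rather than PHP 4; the table, function names and sample values are constructed for illustration.

```php
<?php
// Added example: hypothetical names, constructed data; needs pdo_sqlite.

// Output side: escape at the point of output so stored markup is shown as text.
function render_comment(string $author, string $body): string
{
    $opts = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<p><b>' . htmlspecialchars($author, $opts, 'UTF-8') . '</b>: '
         . htmlspecialchars($body, $opts, 'UTF-8') . '</p>';
}

// Input side: validate the expected type, then bind the value as a parameter
// so it never becomes part of the SQL text.
function find_comments(PDO $db, string $rawPostId): array
{
    $postId = filter_var($rawPostId, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    if ($postId === false) {
        return [];               // not a positive integer: reject, do not query
    }
    $stmt = $db->prepare('SELECT author, body FROM comments WHERE post_id = :id');
    $stmt->execute([':id' => $postId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (post_id INTEGER, author TEXT, body TEXT)');
$ins = $db->prepare('INSERT INTO comments VALUES (?, ?, ?)');
$ins->execute([1, 'alice', 'Nice article']);
$ins->execute([1, 'mallory', '<h1>site replaced</h1>']);  // markup stored as data
$ins->execute([2, 'bob', 'Comment on another post']);

// Constructed request values, as they might arrive in $_GET['post'].
foreach (['1', '1 OR 1=1', 'abc'] as $raw) {
    $rows = find_comments($db, $raw);
    echo 'post=' . var_export($raw, true) . ' -> ' . count($rows) . " row(s)\n";
    foreach ($rows as $row) {
        echo '  ' . render_comment($row['author'], $row['body']) . "\n";
    }
}
```

Validation and parameter binding do different jobs here: the first rejects malformed requests early, the second keeps the query safe even for values that pass validation.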
There is no perfect security.
So your so-called expert is always right with every project.
I guess it's true PHP has got some security holes, but this is because it's just not possible to write bug-free and exploit-free software if a project grows to a certain size.
But you won't find a totally secure web programming language.
Java .. not really a web programming language.
perl .. same as with php, just not perfect
Flash ..lol
javascript .. megalol
asp .... *censored*
c.. ok, you can do it but still not perfect
The only thing someone who offers such a language can do is to fix all bugs as soon as possible, and as far as I know the time for PHP bugfixes is pretty fast for a big company.
Most security holes are just produced by the web programmer that uses the language or by hosters that won't update their servers (or use a bad configuration).
So choose your host carefully, maybe pick one that offers HardenedPHP, learn how to make your scripts secure and keep up with the latest security issues.
Then PHP is a pretty secure solution.