[Info-vax] OS implementation languages
Arne Vajhøj
arne at vajhoej.dk
Sat Sep 9 13:25:03 EDT 2023
On 9/9/2023 12:53 PM, bill wrote:
> On 9/9/2023 12:14 PM, Arne Vajhøj wrote:
>> On 9/9/2023 11:45 AM, bill wrote:
>>> On 9/9/2023 11:19 AM, Arne Vajhøj wrote:
>>>> On 9/8/2023 6:59 PM, bill wrote:
>>>>> On 9/8/2023 2:05 PM, Simon Clubley wrote:
>>>>>> Unfortunately, I _do_ have to use PHP sometimes.
>>>>>>
>>>>>> It didn't take me long to establish some solid rules, such as strict
>>>>>> comparisons at _all_ times, and to use a monitor library I wrote that
>>>>>> has the allowed error level turned all the way down so that things
>>>>>> which PHP normally allows through generate an error instead.
>>>>>
>>>>> I had to support it at the University because we had a professor
>>>>> who insisted on teaching it, using it and making his students use
>>>>> it. No matter how many times I showed him the security holes he
>>>>> just insisted I was wrong and that it be available and wide open.
>>>>
>>>> Maybe he had this crazy idea that programming code
>>>> reads input, does some processing and writes output and that
>>>> the main responsibility for correctness, security, performance
>>>> and whatever belongs with the person writing the code.
>>>>
>>>> :-)
>>>
>>> Nice thought, but the particular problem I was fighting was
>>> inherent to PHP and the programmer can only stop it by using
>>> a better tool.
>>
>> You are aware that PHP is Turing complete?
>
> Which means what in the concept of security? It has nothing
> to do with the syntax or even the function of the programs
> written with it.
It means that you did not have to rewrite in another language to
fix the problem.
> The problem resides in the PHP interpreter
> and the programmer has no control over it. If certain features
> are turned on, PHP can be coerced to execute arbitrary commands
> on the machine running the web server that is supporting PHP.
Code and programming languages are not magic that does
something by itself.
The programmer writes code to do certain things and may also configure
the compiler or interpreter to handle some things a certain way, and
then the code does it.
PHP receives input from the user in $_GET, $_POST etc. and the
PHP code can treat it properly or not so properly. PHP has a number
of functions to handle untrusted input.
Arne
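As an added example (not code from anyone in this thread), the two points raised above written out in PHP: strict comparison instead of PHP's loose comparison, and validating $_GET-style input with filter_var before using it. The $sample array is a constructed stand-in for $_GET.

```php
<?php
// Added example: strict comparison and validation of untrusted
// request input in PHP. Not code from the thread.

// Loose comparison (==) applies type juggling: two numeric-looking
// strings such as '1e3' and '1000', or '0e1234' and '0e99', are
// compared as numbers and come out equal. Strict comparison (===)
// compares both type and value, so such strings stay different.
function compare_loose_and_strict(string $a, string $b): array {
    return ['loose' => ($a == $b), 'strict' => ($a === $b)];
}

// Read an integer id from a request array such as $_GET.
// Returns null when the key is missing, the value is not a string,
// is not a plain integer literal (exponent forms are rejected), or is
// out of range, so the caller can refuse the request up front.
function read_id(array $request, string $key): ?int {
    if (!array_key_exists($key, $request) || !is_string($request[$key])) {
        return null;
    }
    $id = filter_var($request[$key], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
    ]);
    return $id === false ? null : $id;
}

// Constructed sample input standing in for $_GET.
$sample = ['id' => '42', 'page' => '1e3', 'token' => '0e1234'];

var_dump(compare_loose_and_strict('1e3', '1000'));
var_dump(compare_loose_and_strict('0e1234', '0e99'));
var_dump(read_id($sample, 'id'));
var_dump(read_id($sample, 'page'));
var_dump(read_id($sample, 'missing'));
```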