Monday, April 25, 2005

Scripting and Security

Yes, this blog has been down for most of last week. The reason: our server had been hacked and we were closing the breaches that the hackers had used. Among those were security bugs in both WordPress and AWStats. Those two applications are written in the two most popular scripting languages: PHP and Perl. This might not be a coincidence. It is certainly possible to write perfectly secure applications in both languages, but the languages themselves do not encourage security. For instance:

  • By default, the value of an uninitialized global variable can be set by the user in PHP.
  • User data needs to be explicitly escaped before it is sent to a database, as user data is generally inserted into SQL statements using string concatenation.

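As an added example (not code from the original post), here are the two pitfalls from the list above, each next to a safer form. The first uses `extract()` as a stand-in for PHP's `register_globals` setting, which turns request parameters into global variables; the request itself is a constructed array rather than a real HTTP request. The second runs against an in-memory SQLite database through PDO, so it assumes the `pdo_sqlite` extension is available. All table contents and inputs are constructed for the demo.

```php
<?php
// Added example, not part of the original post.

// --- Pitfall 1: an uninitialized global that the request can pre-set ---
// extract() stands in for register_globals: every request key becomes a variable.
function checkAccessUnsafe(array $request): bool {
    extract($request);
    if (($user ?? '') === 'admin' && ($pass ?? '') === 'constructed-admin-password') {
        $authorized = true;
    }
    // $authorized is never initialized on the failure path, so a request that
    // also carries authorized=1 has already filled it in before this check.
    return !empty($authorized);
}

function checkAccessSafe(array $request): bool {
    $authorized = false;   // always initialized; nothing from the request can pre-set it
    if (($request['user'] ?? '') === 'admin'
        && ($request['pass'] ?? '') === 'constructed-admin-password') {
        $authorized = true;
    }
    return $authorized;
}

// --- Pitfall 2: building SQL by string concatenation ---
function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');   // assumes pdo_sqlite is installed
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)');
    // constructed rows
    $db->exec("INSERT INTO posts (title, published) VALUES ('Hello world', 1), ('O''Reilly review', 1)");
    return $db;
}

// Unsafe: user data is spliced directly into the statement text.
function findPostsUnsafe(PDO $db, string $title): array {
    $sql = "SELECT title FROM posts WHERE published = 1 AND title = '" . $title . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the value travels as a bound parameter and is never parsed as SQL.
function findPostsSafe(PDO $db, string $title): array {
    $stmt = $db->prepare('SELECT title FROM posts WHERE published = 1 AND title = ?');
    $stmt->execute([$title]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// --- Demo ---
$request = ['user' => 'guest', 'authorized' => '1'];   // constructed request, wrong user, no password
var_dump(checkAccessUnsafe($request));   // bool(true): the uninitialized variable was supplied by the client
var_dump(checkAccessSafe($request));     // bool(false)

$db = makeDb();
$title = "O'Reilly review";              // ordinary input that happens to contain a quote
print_r(findPostsSafe($db, $title));     // Array ( [0] => O'Reilly review )
try {
    findPostsUnsafe($db, $title);        // the quote ends the string literal early
} catch (PDOException $e) {
    echo "unsafe query failed: " . $e->getMessage() . "\n";
}
```

The prepared-statement form is the fix the second bullet asks for: the database driver handles quoting, so the application never has to remember to escape. The `$authorized = false` line is the fix for the first bullet; the same discipline applies whether or not `register_globals` is on, since it also prevents the variable from leaking in from an earlier include.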
Those two problems, as well as many others, do not occur with compiled languages like Java. On the other hand, PHP and Perl provide a faster development experience than Java (modify the source, reload the page, and see the result), as no compilation step is required. One is tempted to say that this is one of those cases where you can't have your cake and eat it too. Not true: you can have both the robustness of the Java platform and the fast development cycle of PHP and Perl with XML technologies: XForms to capture data from the end user, and languages like XPL, XSLT, and XQuery.
