[nycphp-talk] "The Web is broken and it's all your fault."
ramons at gmx.net
Fri Sep 15 12:04:01 EDT 2006
At 09:40 AM 9/15/2006, you wrote:
>First, get rid of this stuff ... $_GET['badstuff'] and all incoming
>defined variables period. As long as it exists in the language
>people will complain about security ... I'm surprised there is no fork
>of PHP to form a SecurePHP variant that takes this out or has strong
>wrappers for it (see 3).
I am not entirely clear what you criticise. Is it the GET, or the fact that
submitted values from an HTML form get piped into an array that always
carries the same name ($_GET or $_POST), or the fact that it gets stuffed
into an array altogether?
I think one can create code to secure PHP scripts, so it is not that it is
impossible (maybe it is), it is just that it is hard work and doesn't show
anything pretty in the browser window.
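As an added illustration of the "code to secure PHP scripts" point above (this is example code written for this page, not anything the poster or the list provided, and it assumes PHP 7 or later): rather than removing $_GET, the usual defensive pattern is to never use the raw array directly, but to pass it through a function that knows exactly which parameters the page expects and what each one must look like. The parameter names `id`, `sort` and `q` and their limits are assumptions for the demonstration.

```php
<?php
declare(strict_types=1);

/**
 * Validate the query parameters one page expects and return only those.
 * Parameters not listed here are ignored; anything that fails validation
 * is reported as an error instead of being passed through.
 *
 * @param array<string,mixed> $input  normally $_GET
 * @return array{ok: bool, values: array<string,mixed>, errors: string[]}
 */
function validateQuery(array $input): array
{
    $values = [];
    $errors = [];

    // 'id' (required): an integer in 1..1000000. filter_var returns false for
    // missing, non-numeric, out-of-range, or array-valued input (?id[]=1),
    // so a single check covers all of those cases.
    $id = filter_var(
        $input['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000000]]
    );
    if ($id === false) {
        $errors[] = 'id must be an integer between 1 and 1000000';
    } else {
        $values['id'] = $id;
    }

    // 'sort' (optional): one of a fixed list of column names. A whitelist
    // with a strict comparison is what lets this value be used safely in a
    // later query or template.
    $allowedSort = ['name', 'date', 'size'];
    $sort = $input['sort'] ?? 'name';
    if (!is_string($sort) || !in_array($sort, $allowedSort, true)) {
        $errors[] = 'sort must be one of ' . implode(', ', $allowedSort);
    } else {
        $values['sort'] = $sort;
    }

    // 'q' (optional): free text, so it cannot be whitelisted, but it can be
    // forced to a string, trimmed and length-capped here. It is still
    // untrusted data and must be escaped for wherever it is used.
    if (array_key_exists('q', $input)) {
        if (!is_string($input['q']) || strlen($input['q']) > 100) {
            $errors[] = 'q must be a string of at most 100 bytes';
        } else {
            $values['q'] = trim($input['q']);
        }
    }

    return ['ok' => $errors === [], 'values' => $values, 'errors' => $errors];
}

// Constructed sample inputs standing in for $_GET on two different requests.
$good = ['id' => '42', 'sort' => 'date', 'q' => ' php ', 'extra' => 'ignored'];
$bad  = ['id' => ['1'], 'sort' => 'name; DROP', 'q' => str_repeat('x', 200)];

foreach ([$good, $bad] as $request) {
    $result = validateQuery($request);
    if (!$result['ok']) {
        // Errors are rendered with htmlspecialchars like any other output;
        // validation and output escaping are separate steps.
        foreach ($result['errors'] as $e) {
            echo '<p>', htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "</p>\n";
        }
        continue;
    }
    // Only validated values exist past this point; 'extra' never made it in.
    echo '<p>Search for ',
        htmlspecialchars($result['values']['q'] ?? '', ENT_QUOTES, 'UTF-8'),
        ' (id ', $result['values']['id'], ', sorted by ',
        $result['values']['sort'], ")</p>\n";
}
```

The design point is that the page code never reads `$_GET` at all after this function runs: whatever the framework or language stuffs into the superglobal, only the validated, typed copy is used, and the free-text field is still escaped when it is written out.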