RE: Languages/platforms used for Web apps. Any stats?

Its also possible to write insecure apps in any language that run just fine.


See the Hacme series for a shameless plug ;-) Coldfusion and PHP versions
coming in the next few months into the integrated Hacme Suite to prove the
point

 http://www.foundstone.com/resources/s3i_tools.htm

-----Original Message-----
From: Ben Sytko [mailto:bsytko@gmail.com] 
Sent: Saturday, June 25, 2005 11:06 AM
To: webappsec@securityfocus.com
Subject: Re: Languages/platforms used for Web apps. Any stats?

One of the problems here also, its that its possible with PHP to make
insecure programs that run just fine. You can code away for days with
seemingly great working program, but if you don't take the precautions to
prevent attacks, its a recipe for disaster. As others have said, its about
knowing where the security risks are, and taking the steps to prevent them.
Using htmlentities() is a good step to help prevent XSS, and being sure to
turn off register_globals helps as well.

And Andrew, in PHP5, there is a new error flag, E_STRICT, which throws
warnings when you use deprecated functions. See:

http://us2.php.net/manual/en/ref.errorfunc.php#errorfunc.constants

-Ben