[nycphp-talk] worm/viruses hammering feedback scripts?
Hans Zaunere
lists at zaunere.com
Mon Sep 12 13:31:32 EDT 2005

csnyder scribbled on Monday, September 12, 2005 11:07 AM:
> On 9/12/05, Chris Shiflett wrote:
>
> > With such a list, you can pretty much do whatever you please - you
> > can even try injecting content into each variable name as a variety
> > of types - GET data, POST data, cookies, etc.
> >
> > So, as developers, we must necessarily give away a lot of
> > information about our applications. This makes our job even harder.

It's the nature of the beast and shouldn't be feared - a good Internet
developer should always assume that their application will be exposed to
unexpected circumstances. And especially in a web environment, it should
always be assumed that the most common of the unexpected circumstances will
be direct/raw access to the application, i.e., not using a browser.

> The web is the most insecure environment ever invented for
> applications. Your entire *public* interface is transparently exposed
> to any and all attackers, both human and scripted, 24x7 worldwide.
>
> Spam bots like the one described in this thread are just the
> beginning, I think. Sorry for the fear-mongering, what can PHP do to
> protect us?

I'm not sure it's PHP's responsibility. Is it C's responsibility that you
don't overstep memory bounds? Sure, some will argue that it is, and while
this is more a matter of opinion, I'm of the school that a language should
provide the tools, and let the developer be responsible for the
implementation. Many times, these tools should be available as a library,
rather than the language itself. From past PHP features - like magic quotes
and register globals - I think we've seen that language-supplied convenience
can be more of a hindrance than an aid. There's a fine line between the
language itself doing something, and the library that does something (thus
the moving of many PHP extensions from the core language into PECL).

A web developer has to understand that their application isn't subject to
access solely through a browser. Countless times I've seen lights go off in
people's heads when I've asked "what would happen if I telnet into your web
server and start sending HTTP crafted headers?" The lights are often
followed by open eyes and then intense code work :)

---
Hans Zaunere / President / New York PHP
www.nyphp.org / www.nyphp.com
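As an added example (not from the original post or from New York PHP), here is what "assume raw access, not a browser" looks like in a feedback-script handler: every field is validated against an allowlist of expected names before it reaches a mail header, whether the request came from a form or from a script driving the URL directly, and rejected submissions are logged so a bot hammering the script shows up in ordinary log review. The field names (name, email, message), length limits and recipient address are assumptions for this example.

```php
<?php
// Added example, not code from the original post. Field names, limits and the
// recipient address below are assumptions for illustration.
declare(strict_types=1);

const MAX_FIELD_LEN   = 200;
const MAX_MESSAGE_LEN = 4000;

// Validate one submitted value. Returns the cleaned string, or null if rejected.
function validate_field(string $name, ?string $value): ?string
{
    if ($value === null) {
        return null;
    }
    switch ($name) {
        case 'email':
            // FILTER_VALIDATE_EMAIL rejects CR/LF and other characters that would
            // let a value spill into additional mail headers.
            return filter_var($value, FILTER_VALIDATE_EMAIL) !== false ? $value : null;
        case 'name':
            // Anything that ends up in a header (here: the Subject) must be short
            // and must not contain line breaks or NUL bytes.
            if (strlen($value) > MAX_FIELD_LEN || preg_match('/[\r\n\0]/', $value)) {
                return null;
            }
            return trim($value);
        case 'message':
            if (strlen($value) > MAX_MESSAGE_LEN || strpos($value, "\0") !== false) {
                return null;
            }
            return trim($value);
        default:
            return null; // unexpected field names are never accepted
    }
}

// Read only the fields we expect, and only from POST. $_REQUEST would merge
// GET and cookie data too, so a script could supply the same names three ways.
function collect_feedback(array $post): array
{
    $clean    = [];
    $rejected = [];
    foreach (['name', 'email', 'message'] as $field) {
        $raw   = $post[$field] ?? null;
        $value = validate_field($field, is_string($raw) ? $raw : null);
        if ($value === null) {
            $rejected[] = $field;
        } else {
            $clean[$field] = $value;
        }
    }
    return [$clean, $rejected];
}

function handle_request(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        return;
    }
    [$clean, $rejected] = collect_feedback($_POST);
    if ($rejected !== []) {
        // Record the source so repeated automated hits are visible in the log.
        error_log(sprintf(
            'feedback rejected fields=%s ip=%s ua=%s',
            implode(',', $rejected),
            $_SERVER['REMOTE_ADDR'] ?? '-',
            $_SERVER['HTTP_USER_AGENT'] ?? '-'
        ));
        http_response_code(400);
        return;
    }
    // Headers are built only from validated values; the free-text message is
    // the body and never touches a header.
    $headers = "From: feedback-form@example.com\r\nReply-To: " . $clean['email'];
    mail('feedback@example.com', 'Feedback from ' . $clean['name'], $clean['message'], $headers);
    http_response_code(200);
}

handle_request();
```

The validation does not care which client sent the request: a browser, a telnet session or a bot all hit the same checks, which is the point of the "what if I telnet in" question above. The rejection log line is what a defender would watch for a burst of identical failures from one address.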