Salut, Philip,

On Tue, 26 Aug 2008 13:18:35 +0100, Philip wrote:

> I can see that most of the CMSs sit on top of php, and therefore are
> prone to php security flaws, but plone sits on top of python instead, so
> isn't it just as vulnerable to python security flaws?

To some of them, yes. But due to the way Python is extended, these usually don't occur as easily. If you take Python web frameworks such as for example Django, you will quickly realize that Python prevents the user from making various mistakes (cross site scripting, SQL injection, etc.) which the user can easily make in PHP.

Also, PHP is usually extended in C code. While a lot of Python extensions are written as modular Python extensions, building on top of secure abstraction frameworks, PHP people have a tendency to implement their extensions in C, where they live in one namespace with all other extensions, as is reflected as well in the structure of the PHP language itself. There is no String object, only a set of functions to be applied to variables supposedly being strings. Even the simplest elements of abstraction, closures, have been introduced only very recently.

Combine all of the above, add all the various flaws of PHP itself (e.g. http://bugs.php.net/bug.php?id=38915) and you will quickly realize that it is a hard problem to write halfway secure code in PHP. This is one of the reasons why I would strongly discourage newbies from starting to write stuff in PHP. It is flat, but it is not simple.

Another problem is the attitude of PHPians, but I won't go into detail on that. Please see Stephan Esser's goodbye message to the PHP security team for details («It is impossible to improve the security of PHP from the inside.»). There are also various other problems but I don't have the time to go into that much detail.

> Is there something more intrinsically "secure" about python compared
> with php?

Let's put it like this: in Python, security is not virtual.

Tonnerre
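The mail above claims that Python web frameworks such as Django stop the user from making the classic SQL injection and cross-site scripting mistakes that are easy to make in PHP. The following is an added illustration of that claim, written for this page and not code from Tonnerre, Philip, Plone or Django. It stands in for the framework with the standard library: sqlite3 parameter binding plays the role of the ORM's bound queries, and html.escape plays the role of Django's template auto-escaping. Each unsafe function is the string-concatenation habit the mail criticises; the safe function beside it is what the framework does for you. The table contents are constructed sample data.

```python
import html
import sqlite3


def make_db():
    """Build an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],  # constructed data
    )
    return conn


def lookup_unsafe(conn, name):
    """SQL built by concatenation: user input becomes part of the query text."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_safe(conn, name):
    """SQL with parameter binding: the driver never parses the input as SQL.

    This is what a framework ORM (Django's included) does behind the scenes.
    """
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def render_unsafe(name):
    """HTML built by concatenation: markup in the input is emitted as markup."""
    return "<p>Hello, " + name + "</p>"


def render_safe(name):
    """HTML with escaping applied, as an auto-escaping template engine does."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Run both variants against a classic injection and a classic XSS payload.

    Returns (unsafe_rows, safe_rows, unsafe_html, safe_html) so the effect
    of each defence can be inspected or asserted on.
    """
    conn = make_db()
    injection = "' OR '1'='1"            # turns the WHERE clause into a tautology
    xss = "<script>alert(1)</script>"    # would execute in a victim's browser
    return (
        lookup_unsafe(conn, injection),
        lookup_safe(conn, injection),
        render_unsafe(xss),
        render_safe(xss),
    )


if __name__ == "__main__":
    for label, value in zip(
        ("unsafe query", "safe query", "unsafe html", "safe html"), demo()
    ):
        print(f"{label:13}: {value!r}")
```

With the tautology payload the concatenated query returns every user, while the bound query returns nothing because the driver compares the literal string against the column. Likewise the escaped render emits `&lt;script&gt;` rather than a script tag. Neither defence requires the application author to remember anything per call site, which is the property the mail is pointing at.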