August 6th, 2004, 12:25 AM
safest scripting language?
Which scripting language is the safest when writing scripts to be run on a web server? (Most of the scripts would be plain form processors.) I can use Perl/PHP and I think I can also use C/C++ scripts. What is your opinion?
August 6th, 2004, 05:43 AM
I can't just choose any of them. Or distinguish. They all have their own weaknesses, either as a programming language or as a cgi script. They all have security issues. Here much depends on YOUR security skills. Whichever of them you choose, you have to learn its security issues deeply, its flaws as a publicly accessible server side cgi script, etc.
As a tip for the beginning I will say that the main problem with cgi-script security is user input. It has to be validated and checked almost every time, with the non-important characters removed, or better, with a character set defined that is the only one acceptable.
Dunno if I could help much. Perl and php are better and surely faster for a cgi script than C or most other compiled languages that can be used as a cgi language.
If one day cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl.
August 6th, 2004, 07:42 AM
You mean from a script author perspective, or from a web-manager perspective?
I would agree that input validation is almost everything right there. Personally I find perl to be the easiest language for input validation, probably because I just know its regular expression forms better than I do any PHP equivalents.
C/C++ scripting on a web server with compiled CGI? I wouldn't bother writing those. About the only bonus would be nobody can use a source-showing vulnerability to find vulnerabilities within the script itself. But neither can you, and you might need recompilation if you change platforms...
[HvC]Terr: L33T Technical Proficiency
August 6th, 2004, 07:59 AM
Any language written securely would protect you from most harm. Just know the language you like the most. Also, do a search for secure scripting of the language you like.
Just like Terr wrote, validate, validate, validate. That's the most important. There is more than that, but you should learn some things on your own. From what you have written before, and the responses given, you should already know what to do.
I believe in making the world safe for our children, but not our children’s children, because I don’t think children should be having sex. -- Jack Handey
August 6th, 2004, 08:31 AM
I'll throw C/C++ out since it is a pain in the butt to use it for compiled CGI. You have the common issues with C/C++, and since in the very end you're just outputting HTML, there isn't very much point in using it when other things will get the job done just as well, and make it much easier on your part. In most cases, your C/C++ CGI script won't be able to use a database in a way that is easy to maintain, so it is just too much trouble.
If I had to choose between PERL and PHP, I'd choose PHP over PERL any day. It isn't a choice that is deeply security-related - although it is considered, but functionality is the biggest reason.
PERL requires you to declare the location of the PERL interpreter. You get to pass arguments to the interpreter. The person maintaining the server doesn't have the greatest control (they can set restrictions) over what you tell the PERL interpreter to do, and that can cause problems if you write code that depends on certain obscure settings in arguments to the interpreter.
PHP is set up in the webserver's config and is easy for a server admin to manage. And PHP gives you access to stuff like MySQL. It lacks some of the super-easy looping in PERL, but the fact that you can combine PHP and HTML in a PHP file more than makes up for that in my mind. I can choose to execute code only at certain places in the page where it is needed, instead of executing code to display the entire page. This makes it much easier to manage. Have you ever seen PERL programs with gigantic files dedicated to declaring string variables to set up the "looks" of a page? *shiver* PHP rules in that you get to have the HTML outline everything, and then you put PHP where you want it. Infinitely easier.
Of course you should take some time to learn about making input safe, and not trusting it. Learning how to use MySQL commands in PHP is important too, otherwise you could have SQL injection problems. Anyways, there are tons of resources online, and I suggest you choose PHP.
August 6th, 2004, 10:33 AM
Anything can be safe, but you need to take proper precautions in any case.
Escape everything you output (unless there is some really special unusual case where it doesn't need to be escaped). Generally speaking, any output of user-specified values without escaping will lead to XSS vulnerabilities, so you shouldn't allow it (except perhaps by the administrator, who you assume is trustworthy).
Escape everything you put into a database. Make sure all things which are supposed to be integers, really are (Weakly typed languages only of course, strongly typed languages will enforce this). Validate reasonable values. Check user input for correctness, even if normally the user has no control over it (hidden fields, drop-downs etc) - they could manipulate the client-side environment.
Ideally use a database abstraction layer which automatically handles string escaping, then you don't need to worry so much about it.
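The advice in this post and in the first reply (whitelist the acceptable characters, prove integers are integers, re-check hidden fields, escape on output, let the database layer handle escaping) put together in one small PHP form processor. This is an added example, not code posted by anyone in the thread; it assumes PHP with PDO and the SQLite driver, uses an in-memory database so it runs offline, and the two submissions at the bottom are constructed sample input standing in for $_POST.

```php
<?php
// Added example for this thread, not code posted by any participant: a small
// PHP form processor applying the thread's advice (whitelist validation,
// integer checks, re-checking hidden fields, escaping on output, and a
// database layer that parameterises queries). Uses PDO with an in-memory
// SQLite database so it runs offline; a real form would read $_POST.
declare(strict_types=1);

// Only characters we explicitly accept; anything else is rejected, not stripped.
function validUsername(string $s): bool
{
    return preg_match('/\A[a-z0-9_]{3,32}\z/', $s) === 1;
}

// Weakly typed language: prove the value is an integer in a sensible range
// instead of trusting that "42; DROP TABLE ..." will be treated as 42.
function parseAge(string $s): ?int
{
    $v = filter_var($s, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    return $v === false ? null : $v;
}

// Hidden fields and drop-downs are client-controlled; compare against the
// server-side list of permitted values, never against what the form "should" send.
function validRole(string $s): bool
{
    return in_array($s, ['user', 'moderator'], true);
}

// Escape at output time so stored text is shown as text, never parsed as HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Validate one submission and store it; returns a list of error strings
// (empty on success). The INSERT uses bound parameters, so the driver does
// the escaping and the SQL text itself never contains user data.
function processSubmission(PDO $db, array $post): array
{
    $errors   = [];
    $username = (string)($post['username'] ?? '');
    $role     = (string)($post['role'] ?? '');
    $body     = (string)($post['comment'] ?? '');
    $age      = parseAge((string)($post['age'] ?? ''));

    if (!validUsername($username)) $errors[] = 'username: letters, digits and _ only (3-32 chars)';
    if ($age === null)             $errors[] = 'age: whole number between 0 and 150';
    if (!validRole($role))         $errors[] = 'role: value not permitted';
    if (strlen($body) > 2000)      $errors[] = 'comment: too long';
    if ($errors) return $errors;

    $stmt = $db->prepare(
        'INSERT INTO comments (username, age, role, body) VALUES (:u, :a, :r, :b)');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->bindValue(':a', $age, PDO::PARAM_INT);
    $stmt->bindValue(':r', $role, PDO::PARAM_STR);
    $stmt->bindValue(':b', $body, PDO::PARAM_STR);
    $stmt->execute();
    return [];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (username TEXT, age INTEGER, role TEXT, body TEXT)');

// Constructed submissions: one well-formed (with markup in the comment, to show
// output escaping), one with hostile values in every field.
$submissions = [
    ['username' => 'alice_01', 'age' => '42', 'role' => 'user',
     'comment'  => 'Hello <b>world</b> & friends'],
    ['username' => "bob'; --", 'age' => '42; DROP TABLE comments', 'role' => 'admin',
     'comment'  => '<script>alert(1)</script>'],
];

foreach ($submissions as $i => $post) {
    $errors = processSubmission($db, $post);
    echo "submission $i: ", $errors ? 'rejected' : 'stored', "\n";
    foreach ($errors as $e) echo "  - ", h($e), "\n";
}

// Render what was stored; the escaping happens here, at output time.
foreach ($db->query('SELECT username, age, body FROM comments') as $row) {
    echo '<p><b>', h($row['username']), '</b> (', (int)$row['age'], '): ',
         h($row['body']), "</p>\n";
}
```

The first submission is stored and its comment is printed as `Hello &lt;b&gt;world&lt;/b&gt; &amp; friends`; the second is rejected on three fields before it ever reaches the database. Note the division of labour: validation rejects malformed input, bound parameters keep user data out of the SQL text, and htmlspecialchars runs only when rendering, so the same stored string can later be emitted safely into a different context.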
August 6th, 2004, 02:33 PM
I like PHP. Easy and powerful. And used to have good support and "reaction" when holes appear.
But all you mentioned are good. It's a matter of preference as programmer.
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt.
If I die before I wake, I pray the Lord my soul to brake.
August 6th, 2004, 02:44 PM
I personally prefer php over perl for use on webservers..
php was designed to be used for the web..
perl was designed as an extraction and report language..
Cgi usually has a slower startup time than php and perl ( modperl that is, not perl as a cgi )..
Also.. cgi is a no-go for most server admins..
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio
the best station for C64 Remixes !
August 6th, 2004, 03:17 PM
I'm a fan of php as well, but I think the real issue here is if you are using a database or not. Check out these functions in php:
Those will help you keep user input clean. Otherwise you might see some injections or XSS.
August 6th, 2004, 05:59 PM
I personally prefer PHP over Perl. The reasons: it's fast, it's easy to use when you need a database (be it MySQL or PostgreSQL), classes are easy to make in PHP (I use a PHP class when accessing a database), sockets are a breeze in PHP (I think), and it's easy for a beginner to learn (I think). One reason I think PHP is easy for me, though, is because its syntax is similar to C/C++, and I program in C/C++.