Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl: the Markov chain saw
 
PerlMonks  

Are Perl or PHP scripts easier to secure?

by belize (Deacon)
on Oct 15, 2003 at 16:25 UTC ( #299458=perlquestion: print w/ replies, xml ) Need Help??
belize has asked for the wisdom of the Perl Monks concerning the following question:

We have just experienced the nightmare that comes with using an unsecure form mailer script. Three of our domains had to be shut down due to massive SPAM returns and overload of SMTP servers.

We are now in the process of rewriting our Perl scripts using the downloads from NMS.

A quick question that might get me a bunch of negative votes, but what the hell...is it easier to secure email from a form using PERL or PHP? Please, this is not a PERL vs PHP, which is better, only which is easiest to secure.

20031015 Edit by jeffa: Changed title from 'Our form mailer script just got nailed'

Comment on Are Perl or PHP scripts easier to secure?
Re: Are Perl or PHP scripts easier to secure?
by Abigail-II (Bishop) on Oct 15, 2003 at 16:35 UTC
    The script isn't insecure because it was written in Perl. The script was insecure because it blindly accepted user input as the recipient. It's as easy to make this mistake in Perl as it is in PHP, Java or C.

    The mistake was made before the language it was written in became significant.

    Abigail

Re: Are Perl or PHP scripts easier to secure?
by erasei (Pilgrim) on Oct 15, 2003 at 17:01 UTC
    While writing a script to do the same thing from scratch might be good practice, I don't think it is totally necessary in this case. In this case of the form mailer script it accepts the 'To:' from the post. In most form mailer scripts the email is always going to be sent to the same person. It would be easier to just change the script to hard code the To: field.

    Also, you might want to rename the script so that crawlers don't find it as easily. Don't rely on this to keep you safe by any means, but at least you won't get DOSed by spammers trying (in vain) to send email through your new secured version of that script.

      Are you saying that hard coding the To: field would solve most of the problem with SPAMMERS using the script to access the SMTP server on the site?
        Yes. The way the spammers are hijacking your script is by sending their own To: field (the person being spammed) and their own Body: field (the spam itself).

        If you hard code the To: field, the spammer won't be able to send email to anyone other than the person hard coded already. That defeats the purpose for them, and they won't use it.

Re: Are Perl or PHP scripts easier to secure?
by jdtoronto (Prior) on Oct 15, 2003 at 17:29 UTC
    Security is a programming feature, not a language feature.

    Perl may have some features that make it easier to secure, but if you ignore them (as formmail.pl did) then you have a problem. The NMS version of formmail is only one of the secured versions of this script.

    jdtoronto

Re: Are Perl or PHP scripts easier to secure?
by mandog (Curate) on Oct 15, 2003 at 22:59 UTC

    We went with Perl over PHP some time ago. We knew Perl better than PHP (and here was no PHP Monks). We felt that it would be easier to secure Perl CGI scripts than PHP handlers because we knew how to navigate the relivant docs better.

    As other Monks have pointed out, security isn't entirely a function of the language. You can run suexec for php cgi scripts as well as you can perl ones.

Re: Are Perl or PHP scripts easier to secure?
by moxliukas (Curate) on Oct 16, 2003 at 06:32 UTC

    While it is true that the security of the script is determined not by the language but by the programmer, I would argue that it is easier to write secure scripts in Perl, because it has neccessary features to make this task easier.

    Contrasting Perl to PHP, there is a wholly different culture of coding. PHP used to do everything with global variables (ok, not anymore, but I still see a lot of PHP scripts written with globals=On). PHP does a lot for you so that it would not get in the way for you when you are creating webpages. I am not saying that PHP developes don't know what they are doing, but PHP seems to attract developers who like easy no-thrills programming of small web applications and don't always think about security.

    Perl at least has the features like taint mode that helps with security a lot. I think if one chooses to ignore these security features then he better know what he is doing. Although is easy to ignore the security features and write insecure scripts in Perl, at least there are tools available for writting secure ones.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://299458]
Approved by Ovid
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others wandering the Monastery: (10)
As of 2014-09-17 11:17 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    How do you remember the number of days in each month?











    Results (72 votes), past polls