PerlMonks  
If you like PHP, use it at your own risk. Check out the following security alert. Here's a bit of text from the alert:
The way that PHP handles file uploads makes it simple to trick PHP applications into working on arbitrary files local to the server rather than files uploaded by the user. This will generally lead to a remote attacker being able to read any file on the server that can be read by the user the web server is running as, typically 'nobody'.
According to the alert, they don't know of any way to really fix this problem, short of a new version of PHP being rolled out.

Cheers,
Ovid

Update: First, thanks for pointing out how to protect against this vulnerability. I'm not trying to say that PHP is evil, just that there is a known issue with it (and I'm not claiming that there aren't issues with Perl).

Next, I can see people voting me down for making a rude post, but why vote me down for letting people know about security issues? I would presume that people would prefer to know about these things. If there is a fix, people won't bother to apply it if they don't know about the original vulnerability.

I will confess that I didn't follow the links, but in seeing them, I see bad security advice in one: check to verify that the file sizes are the same and reject them if they aren't. Fine, so all I need to do is keep sending files in increments of one byte until I get a hit. That's pretty simple to crack.

The other one -- verifying the filename -- is obvious and I wouldn't have realized it since I don't know PHP. However, I still let my original post stand. There is a security issue and "according to the alert", the author didn't know how to fix it. I still feel it's important to raise issues like this because people should be aware of them.

Join the Perlmonks Setiathome Group or just go to the link and check out our stats.


In reply to (Ovid - PHP danger) RE: Combining PHP and Perl by Ovid
in thread Combining PHP and Perl by rodry
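As an added illustration (not code from Ovid's post or from the alert he quotes), the two upload handlers below contrast the weakness described above with the filename check mentioned in the update: the hardened version trusts only a path that PHP's own upload handling produced. The field name `userfile`, the destination directory and the helper names are constructed for this example; `$_FILES`, `is_uploaded_file()` and `move_uploaded_file()` are standard PHP.

```php
<?php
// Constructed example. The weak handler reflects the era when request
// variables were turned into globals: a client that sends an ordinary text
// field named "userfile" containing "/etc/passwd" makes $userfile point at a
// local file, and copy() publishes it. Comparing sizes does not help, because
// size is attacker-controlled too, as the post notes.
function weak_save_upload(string $userfile, string $userfile_name, string $dest_dir): bool
{
    // $userfile is whatever the request said it was; nothing ties it to a
    // file PHP actually wrote for this upload.
    return copy($userfile, $dest_dir . '/' . basename($userfile_name));
}

// Hardened handler: the trust decision is "did PHP itself create this temp
// file during this request?", answered by is_uploaded_file(), and the move is
// done with move_uploaded_file(), which repeats that check internally.
function safe_save_upload(array $files, string $field, string $dest_dir): ?string
{
    if (!isset($files[$field]) || !is_array($files[$field])) {
        return null;                                  // field absent
    }
    $f = $files[$field];
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;                                  // PHP reported a problem
    }
    $tmp = $f['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        return null;                                  // not a real upload: refuse
    }
    // Never reuse the client-supplied name verbatim; strip directories and
    // anything outside a conservative character set, then prefix a random tag.
    $clean = preg_replace('/[^A-Za-z0-9._-]/', '_', basename((string) $f['name']));
    $target = rtrim($dest_dir, '/') . '/' . bin2hex(random_bytes(8)) . '_' . $clean;

    if (!move_uploaded_file($tmp, $target)) {
        return null;
    }
    return $target;
}

// Usage inside a request handler (constructed):
// $saved = safe_save_upload($_FILES, 'userfile', '/var/www/uploads');
// if ($saved === null) { http_response_code(400); exit; }
```

Note that the checks above do nothing about what the uploaded bytes contain; they only close the "work on an arbitrary local file" hole the alert describes.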
