[LA.pm] udp.pl

Benjamin J. Tilly ben_tilly at operamail.com
Mon Mar 7 16:40:42 PST 2005


"Terrence Brannon" <tbrannon at valueclick.com> wrote:
> > -----Original Message-----
> > From: losangeles-pm-bounces at pm.org
> > [mailto:losangeles-pm-bounces at pm.org] On Behalf Of Benjamin J. Tilly
> >
> > The result is that many PHP scripts have quality similar to
> > what people used to complain about with Perl CGIs back in Matt
> > Wright's heyday.
> 
> Is there any info on the security of modern
> CGI.pm versus mod_perl applications?

I have no concrete data. However, I'd strongly suspect that
the platform is less important here than what people are
trying to do and how good the programmers are.

For most basic applications, I'd suspect that the quality of
random free scripts remains about what it was (i.e., terrible).
There are, however, higher quality scripts available (see the
NMS project for some) for those who look.

In theory CGI.pm is going to be more secure than mod_perl.
CGI.pm avoids possible security holes due to stale data (which
might randomly crop up because people wrote "my $foo if $bar"
without realizing that it creates a sometimes static) and
introduces none of its own.

However, in practice I'd guess that people writing mod_perl
usually know more than ones using CGI.pm, so quality should be
higher. Of course mod_perl people may be doing something more
complex (they're more likely to be using databases etc.), so it
could work out either way.

And, as I said, I don't know of any concrete data on the topic.

Cheers,
Ben
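The stale-data hazard Ben mentions, as an added example that is not part of the original message: a constructed simulation of a persistent interpreter where one compiled handler serves many requests. Current Perl rejects the `my $foo if $bar` idiom at compile time, so the leak here comes from a file-scoped lexical (a hypothetical `%ctx`) that is never reset between requests; the scoped handler beside it shows the fix.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed simulation of a persistent (mod_perl style) interpreter:
# the same compiled code handles many requests, so anything that lives
# outside the per-request scope survives from one request to the next.
# In a fresh CGI process %ctx would start empty on every request.

# Leaky handler: %ctx is file-scoped and never cleared, so any field the
# current request does not supply keeps the previous request's value.
my %ctx;
sub handle_leaky {
    my ($req) = @_;
    $ctx{user}  = $req->{user}  if defined $req->{user};
    $ctx{admin} = $req->{admin} if defined $req->{admin};
    return join ',', map { "$_=" . ($ctx{$_} // '') } sort keys %ctx;
}

# Fixed handler: all request state is a fresh lexical inside the call,
# so the second request starts from an empty context.
sub handle_scoped {
    my ($req) = @_;
    my %local = (
        user  => $req->{user}  // '',
        admin => $req->{admin} // '',
    );
    return join ',', map { "$_=$local{$_}" } sort keys %local;
}

# Two constructed requests in one process: the first carries admin=1,
# the second omits it. The leaky handler grants bob alice's admin flag.
my @requests = ({ user => 'alice', admin => 1 }, { user => 'bob' });
print "leaky : ", handle_leaky($_),  "\n" for @requests;
print "scoped: ", handle_scoped($_), "\n" for @requests;
```

The second "leaky" line reads `admin=1,user=bob` while the second "scoped" line reads `admin=,user=bob`, which is the kind of cross-request leak a per-process CGI never exhibits.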

