When you need to create a login page using PHP and MySQL, the safety of this login page relies on
- Your PHP scripting abilities
- How well and securely has PHP been programmed in C++.
- How well C++ compiler of interpreter of PHP has been programmed.
- How well and securely has MySQL been programmed.
- How well and securely has interpreter of SQL been programmed.
- The safety of libraries on machine that Apache/MySQL rely on.
- The safety of integrity of machine (operating system).

When you need to create a C# console application, the safety of this application relies on
- Your C# programming abilities
- How well and securely C# .NET compiler has been programmed.
- The safety of libraries on machine.
- The safety of integrity of machine (operating system).

Those were all examples, maybe list is not full, or something isn't supposed to be there, but this is just to give you concept and show you my point of view. Now comes the question:

When you need to create a C++ console application, the safety of this application relies on:
- Your C++ programming abilities
- How well and securely C++ compiler has been programmed.
- The safety of integrity of machine (not, because C++ is translated to Assembly and isn't a code that needs to be interpreted by another interpreter).
- The safety of libraries on machine (very often not, if you use standard C++ libraries which have been heavily checked for any bugs, or you write ones of your own)

Now the question: About which security layers should I be worried about while programming? Is there something that should be added or removed, to or from the list above of C++? Or maybe I'm wrong. Could someone explain me a bit more? Is there anything I should be worried about? Or is the safety of compiler and my programming skills (I have none, but I try my best) everything to assure my program safety? I know that time goes on and the holes in software are found more frequently. But is the safety of compiler and good programming, enough for now? For like, 6 months?

Edited 1 Year Ago by Aeonix

  1. All of them.
  2. See #1

Yes, PhP is programmed primarily in C++. Have you looked at the code? It is not trivial, and there are security issues there, I'm sure. I have delved into it to some extent in order to fix some HTTP bugs, and it wasn't fun!

In any case, these questions are at a Masters or PhD level of investigation/research. None are trivial, and require deep understanding of the source code for each system, such as MySQL. Also, WHICH version of MySQL? Which version of PHP? Which libraries that are used by Apache and MySQL?

I'm sorry, but I don't know how to interpret your answer. What do you mean by "1. All of them"? If you mean that I got them all wrong, as I already mentioned it was purely for giving you idea of what I meant.

By PHP, being defended by people "at a Masters or PhD level of investigation/research", but still, if you want to attack website based on PHP, there's many more potential security holes in every layer of software that supports it, than an Assembly program.

That's why I was wondering, about how many layers could have potential holes in them when programming a... program (Sherlock strikes again) in C++.

Sometime ago I've heard of null-byte exploit, which allowed you to call myimage.jpgx00.php file on server, this is Apache issue but through PHP commands. I mean such holes. I can't really explain this, I really hoped that the examples and the final "showcase" would make it clear.

All the best security flaws are implemented with the best of intentions.

Tomorrow, your C# stack could blow up because a major vulnerability in .NET surfaces. Likewise, the years and years of unstructured code that is poured in from the open source community to manage and update PHP is bound to have loop-holes. Windows gets patched regularly for all their security updates, and Linux kernals are just as open to problems.

Your question comes down to this:

As Im walking down the street, which do I need to be more worried about?
A brick falling on my head and killing me?
The sidewalk giving way and I fall into a sink hole and killing me?
Someone robbing me and then killing me?
A heart attack, with no help, thus killing me?

The reality is - you can't ever really know until that crap happens. Code defensively to be pro-active, and keep up to date on latest threat vectors. You alone will likely never be able to manage all the possible attacks and vulnerabilities available to attack a web platform. You can mitigate much of it, though, and that comes with learning best practices, and thinking about what the most nefarious of users will do to destroy your system.

There are also a number of tools available to automate attack vectors and see if you have any insecurities. On top of that, you can write your own tools to verify you are not having an issue with a particular problem or known attack (heck, there are people who dedicate their lives to figuring out new attacks you never think of!)

As rubberman said - you need to be concerned with every form of attack or intrusion. Just because you have the most secure code in the world doesn't mean you can't be attacked by someone with access to the physical machine, or the OS having an exploit that you can (and should) protect yourself from. Putting all your eggs in a single "security" basket is asking for trouble.

This question has already been answered. Start a new discussion instead.