PHP Forums
Martin
August 17, 2008, 2:32am
10 Series Support Team
I've been seeing a lot of forums closed because of security loopholes recently; I came across another this morning:

http://www.everyauction.info/forum/

Good to know E-Blah is safe.
Auctioneer
August 18, 2008, 10:54am
E-Blah Member
Quoted from Martin
I've been seeing a lot of forums closed because of security loopholes recently; I came across another this morning:

http://www.everyauction.info/forum/

Good to know E-Blah is safe.


Hi friends,

My site did not get hacked (yet), but I found hundreds of attempts in my logs.
According to my knowledge, just about any PHP-coded software seems to be risky to use, at least when it comes to database-related operations.

Since I want to make sure, I don't use any PHP stuff on the site mentioned above anymore, so I switched the (PHP) forum to another server under its own URL.

But still, you are never sure, so better check your logs all the time; there is no better way to find out how secure your site really is...

Good luck to all

Ernie

Justin
August 18, 2008, 1:24pm
The E-Blah Developer
Hope to see you switch to E-Blah.

PHP forums CAN be bad if things aren't stripped (using mysql_real_escape_string). Some older forums, especially phpBB, have that problem and have been compromised a lot.

I do installs for $25 and upgrades for $20.
Technical support is always free.
Donate to E-Blah!
My Websites: Revolution Reality (My Blog) | Portfolio
"But you, O Lord, are a compassionate and gracious God, slow to anger, abounding in love and faithfulness." — Psalm 86:15 NIV
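A worked illustration of the point above, added here and not code from E-Blah or from the poster: the same user lookup written unescaped, escaped with the mysqli equivalent of the function he names, and as a prepared statement. It assumes a hypothetical users(name, pass_hash) table and an open mysqli connection; the old mysql_* extension was removed in PHP 7, so mysqli stands in for it.

```php
<?php
// Added example (not E-Blah's code). Assumes a MySQL table users(name, pass_hash)
// and an open mysqli connection built with mysqlnd; the table is hypothetical.

// Vulnerable: the raw form value is pasted into the SQL text. A single quote
// in $name closes the string literal and the rest of the input is parsed as SQL.
function password_hash_for_unsafe(mysqli $db, string $name): ?string {
    $sql = "SELECT pass_hash FROM users WHERE name = '$name'";
    $res = $db->query($sql);
    $row = $res ? $res->fetch_assoc() : null;
    return $row['pass_hash'] ?? null;
}

// Escaped, as suggested above: quotes, backslashes and NUL bytes in the input
// are escaped for the connection's character set, so the value stays a value.
// This only helps inside a quoted literal and must be applied at every call site.
function password_hash_for_escaped(mysqli $db, string $name): ?string {
    $safe = mysqli_real_escape_string($db, $name);
    $sql  = "SELECT pass_hash FROM users WHERE name = '$safe'";
    $res  = $db->query($sql);
    $row  = $res ? $res->fetch_assoc() : null;
    return $row['pass_hash'] ?? null;
}

// Preferred: a prepared statement sends the SQL and the data separately,
// so there is no escaping step that can be forgotten or applied in the wrong charset.
function password_hash_for_prepared(mysqli $db, string $name): ?string {
    $stmt = $db->prepare("SELECT pass_hash FROM users WHERE name = ?");
    $stmt->bind_param("s", $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row['pass_hash'] ?? null;
}
```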

iCONICA
August 18, 2008, 4:18pm
Forum Moderation
Justin, is there any short snappy reason why Perl is so secure? Or is it just the way you've used it that's made E-Blah so secure?

Auctioneer
August 21, 2008, 8:32am
E-Blah Member
Quoted from iCONICA
Is there any short snappy reason why Perl is so secure?


I figure I'll give my two cents to this:

Perl is actually not more secure than any other way of programming, but Perl is much more transparent to understand and handle than PHP. It's in fact just a kind of good old computer "Basic" + "regular HTML".

You don't really need JavaScript or anything else except plain HTML to create good Perl software. For the visitor, his browser doesn't need to "open up" its security just to see and/or use sites with Perl/HTML.

Logically, most fellows include some kinds of JavaScript things (or even Shockwave...) in their progs. One just should make sure not to use such "things" when real security is counted on. But NEVER use iframes, and NEVER "allow" iframes, because this is the "one big hole for everything bad"...

Good Perl-based software has the data input created in "user entry forms" or "search routines" filtered in order to allow only "clean" input into the system.
Other external hacking is practically not possible, because on receiving forged commands the progs usually reply simply by displaying default pages.

----

What makes PHP so insecure...?

Using PHP, programmers usually install options, allowing users to choose from a million things, most not even required. In addition to this, add-on contributors sometimes create poorly tested code. PHP scripts usually use one database, meaning that almost every task done requires the DB to be opened, read, possibly rewritten and properly closed again. Now imagine one wrong thing from one task at the wrong time, and there it was...

"Global variables", e.g. defining passwords, usernames, program commands, etc., and used throughout the scripts, have long been able to be manipulated externally, allowing visitors to exploit, modify or destroy user databases or break into the server software.

Since PHP is a kind of "active scripting", similar to JavaScript, all kinds of "things" can be done to PHP software by misusing "user entry forms" and so uploading "iframe" or "JavaScript" hacking progs quite easily.

----

I started test-using the E-Blah software just a couple of days ago, so I can't really say too much about it. From what I see, the source code looks great and up to today's requirements for a professionally built forum script. Modifications can be made easily, as long as you basically understand how Perl & HTML work.

Looking at it, I think I've got some ideas how to proceed, whenever I (ever) think about designing a brand-new auction script...

Thank you boys, your forum script is real great stuff, despite a very few but nasty details I found so far. One of them is related to the reg section, but I still have to test this. I am also allowed an 8-character password only; it cut my longer password to this size, but I have not even checked all available options. It's just too much to go through by "fast train" as usual.

One thing: you should adapt your installation routine, if not to create, then at least to chmod the scripts, files and subs automatically. I angrily almost deleted the forum on the server because of repeated "500 - premature end of header" infos instead of a forum page. This could be made really easy, at least under Unix/Linux, as EA has done since the "beginning of time"...

Good luck to all
Ernie

iCONICA
August 21, 2008, 11:39am
Forum Moderation
Wow, I read all that. Thanks for the elaborate explanation.

Quoted Text
I am also allowed an 8-character password only, it cut my longer password to this size

You can enable MD5 encryption in the admin settings; that will allow longer, more secure passwords... I think the Perl crypt() DES 56-bit encryption is used as a "failsafe" rather than MD5 by default, which I presume might not work on every server...

If you found some potential problems with the code though, I'm sure Justin would love to hear about that!
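An added check, not code from E-Blah or from this thread, that makes the 8-character limit discussed above visible: PHP's crypt() with a two-character salt selects the same traditional DES scheme as Perl's crypt(), which hashes only the first 8 bytes of the password, while MD5-crypt (used here as a stand-in for the forum's MD5 option, since the page does not show how that option hashes) feeds the whole password into the hash.

```php
<?php
// Added example, not E-Blah's code. A two-character salt selects traditional
// DES crypt, which uses only the first 8 bytes of the password.
function des_crypt(string $password): string {
    return crypt($password, 'ab');
}

// MD5-crypt ($1$ salt) hashes the whole password; this is the kind of gain the
// MD5 option gives, although E-Blah's own MD5 scheme may differ (assumption).
function md5_crypt(string $password): string {
    return crypt($password, '$1$abcdefgh$');
}

// Reports whether $hash silently ignores everything after 8 characters:
// two passwords that agree on the first 8 characters but differ afterwards
// must not produce the same hash.
function truncates_at_8(callable $hash): bool {
    $short = 'abcdefgh';
    $long  = 'abcdefgh-plus-more';
    return hash_equals($hash($short), $hash($long));
}

// Verification against a stored hash, re-using its salt as crypt() does.
// With the DES scheme, the "longer" password verifies against a hash that was
// made from its first 8 characters only.
function verifies(string $stored, string $candidate): bool {
    return hash_equals($stored, crypt($candidate, $stored));
}

if (PHP_SAPI === 'cli') {
    printf("DES crypt truncates: %s\n", truncates_at_8('des_crypt') ? 'yes' : 'no');
    printf("MD5 crypt truncates: %s\n", truncates_at_8('md5_crypt') ? 'yes' : 'no');
    $stored = des_crypt('abcdefgh');
    printf("DES hash of 'abcdefgh' accepts 'abcdefgh-plus-more': %s\n",
        verifies($stored, 'abcdefgh-plus-more') ? 'yes' : 'no');
}
```

For new code, password_hash() is the better choice today: MD5-based hashing fixes the length problem but remains a fast hash that is cheap to brute-force.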

Justin
August 21, 2008, 11:17pm
The E-Blah Developer
Actually, PHP is more secure (if things such as magic_quotes, global variables, etc. are turned off -- these are deprecated now, and are being removed in PHP 6, though) than Perl, as Perl is used via CGI, which is just an interface for the interpreter. But that's a long story, and could probably be argued. If you coded things incorrectly, you can do a lot of damage with Perl (things that aren't as easily done with PHP). However, most servers should have enough security in place to where it won't matter.

I work full time with PHP in my day job. It's incredibly easy to work with. It's so much nicer to do a page in 10 lines of code that would have taken 25+ in Perl.

Is that saying I'm leaving my Perl days? Nope, but PHP as a language is much easier to work with. I'm glad I didn't learn it first though, because Perl will be a valuable asset for some time and because it's taught me better programming practice over the years.
saud
August 27, 2008, 5:07pm
E-Blah Themes Designer
Then why don't you create a PHP-based forum instead of Perl? I tried one PHP and text-based forum and it was nice, http://www.myupb.com/news. I hope to be using E-Blah with PHP.