PHP versus CGI
Brian Yennie
briany at qldlearning.com
Tue Feb 17 19:07:09 EST 2004
I think the mitigating factor here that's being missed somewhat
(although many of the points raised are valid) is that all of these
setups are mostly dependent on a properly-configured webserver.
If you configure things in a secure fashion, someone can write the most
malicious of CGIs and it won't be able to do anything. It'll run under
a user that doesn't have write access to anywhere secure, and even if
it purposefully crashes itself, it'll just go away and end up making
the webserver return an error page. MetaCard can't write to disk if the
user that launched the application can't.
Bad configurations make modules and CGIs both a potential hazard; good
configurations make it nearly impossible to do any harm with either.
Well, unless you are on a Microsoft platform...
- Brian
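
The configuration point made in this message can be checked on a server. The following is an added example, not part of the original post: a Python audit that lists every path under a document root that the account running CGIs could modify. It assumes classic Unix owner/group/other mode bits only (no ACLs, no root account, no read-only mounts); the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    # Classic Unix rule: exactly one permission class applies (owner, else group, else other).
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit(root, uid, gids):
    """Return sorted paths (relative to root) that the account could modify."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing about write access
            if writable_by(st, uid, gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)

def build_sample_tree():
    """Constructed docroot: a safe script, a world-writable upload dir, a loose config file."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for name, mode in {"cgi-bin": 0o755, "uploads": 0o777}.items():
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    for rel, mode in {"cgi-bin/form.cgi": 0o755, "cgi-bin/site.conf": 0o666}.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("# constructed sample\n")
        os.chmod(os.path.join(root, rel), mode)
    os.chmod(root, 0o755)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    owner = os.lstat(root)
    # Assumption: the CGI account is neither the owner nor a member of the owning group.
    for hit in audit(root, owner.st_uid + 1, {owner.st_gid + 1}):
        print("writable by CGI user:", hit)
```

On a real server, pass the web server account's numeric uid and group ids and the actual document root; an empty result means a misbehaving CGI has nowhere under that tree to write.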