In "A Note on Security In PHP" (partly in reference to a security flaw
that exists or recently did exist in phpBB) at
http://nl3.php.net/security-note.php
The PHP Group makes this claim:
"Every remote exploit can be avoided with very careful input validation."
This is very reassuring, if it is true, and it gives much to be said in
favor of implementing PHP in applications that accept remote user input.
But is it true?
One rarely sees an unqualified claim that any mechanism can provide
protection against every exploit, of any kind.
I wonder whether anyone who has read this Note on Security in PHP has
good reason to doubt this categorical claim over the capacity of
well-implemented input validation (using PHP) to "avoid every remote
exploit..."
I'm interested in any expressed view, supporting or refuting this claim.
- Jake Lloyd