Comments on: Vulnerability affects PHP XML-RPC library http://www.sitepoint.com/blogs/2005/07/06/vulnerability-affects-php-xml-rpc-library/ News, opinion, and fresh thinking for web developers and designers. The official podcast of sitepoint.com. Mon, 23 Nov 2009 01:39:24 -0500 http://wordpress.org/?v=2.8.4 hourly 1 By: Nico Edtinger http://www.sitepoint.com/blogs/2005/07/06/vulnerability-affects-php-xml-rpc-library/comment-page-1/#comment-2239 Nico Edtinger Tue, 30 Nov 1999 00:00:00 +0000 2080789859#comment-2239 <p>May I take the quote out of the article "Eval i dead" from February (!): Rasmus: "If eval() is the answer, you're almost certainly asking the wrong question."</p> <p>It's here: http://www.sitepoint.com/blog-post-view.php?id=238381</p> <p>So we already knew it before. And still they thought it would be easier to use eval() to decode. BTW both libs seem to come from the same code.</p> <p>The solution is simple. Don't use code that uses eval und code you don't know exactly. If a string is generated from user input you can never know what the string'll look like. Thus no one should use both libs as long as they only code around the problem instead of finding a replacment for the eval()</p> <p>b4n</p> May I take the quote out of the article “Eval i dead” from February (!): Rasmus: “If eval() is the answer, you’re almost certainly asking the wrong question.”

It’s here: http://www.sitepoint.com/blog-post-view.php?id=238381

So we already knew it before. And still they thought it would be easier to use eval() to decode. BTW both libs seem to come from the same code.

The solution is simple. Don’t use code that uses eval und code you don’t know exactly. If a string is generated from user input you can never know what the string’ll look like. Thus no one should use both libs as long as they only code around the problem instead of finding a replacment for the eval()

b4n

]]> By: DaisyChain http://www.sitepoint.com/blogs/2005/07/06/vulnerability-affects-php-xml-rpc-library/comment-page-1/#comment-2240 DaisyChain Tue, 30 Nov 1999 00:00:00 +0000 2080789859#comment-2240 <p>The new book sounds exiting!! When will it be released and are you able to say yet what topics its going to cover? I'm keen to start learning about pratical applications of XML.</p> The new book sounds exiting!! When will it be released and are you able to say yet what topics its going to cover? I’m keen to start learning about pratical applications of XML.

]]> By: Clenard http://www.sitepoint.com/blogs/2005/07/06/vulnerability-affects-php-xml-rpc-library/comment-page-1/#comment-2241 Clenard Tue, 30 Nov 1999 00:00:00 +0000 2080789859#comment-2241 <p>Looking forward to this new book!</p> Looking forward to this new book!

]]> By: Gaetano Giunta http://www.sitepoint.com/blogs/2005/07/06/vulnerability-affects-php-xml-rpc-library/comment-page-1/#comment-2242 Gaetano Giunta Tue, 30 Nov 1999 00:00:00 +0000 2080789859#comment-2242 <p>May I only point out that the code in question dates circa 1999, long before the php core team had even dreamed about 'register_blobals=BAD'.</p> <p>Everybody is tighter on security as of 2005.</p> <p>The only strange thing is nobody had ever found the breach before, given the wide exposure of the libs...</p> May I only point out that the code in question dates circa 1999, long before the php core team had even dreamed about ‘register_blobals=BAD’.

Everybody is tighter on security as of 2005.

The only strange thing is nobody had ever found the breach before, given the wide exposure of the libs…

]]>