Smarty
The discussions here are for Smarty, a template engine for the PHP programming language. Dedicated server web hosting provided by Guru-host.eu.
Seregwethrin (Smarty n00b)
Joined: 17 Nov 2006 Posts: 3
Posted: Tue Jul 10, 2012 1:05 am Post subject: Is Smarty secure?
Hi,
We started to develop software and we made a decision not to use 3rd party libraries, frameworks or plugins as much as we can, in order to have a more secure application.
I love Smarty and I want to use it. But I need to give some arguments to my friends about Smarty, and why we can trust it.
What can I say about this? What makes Smarty more secure than any other framework?
rodneyrehm (Administrator)
Joined: 30 Mar 2007 Posts: 698 Location: Germany, border to Switzerland
Posted: Tue Jul 10, 2012 6:47 am Post subject: Re: Is Smarty secure?
Seregwethrin wrote:
> We started to develop software and we made a decision not to use 3rd party libraries, frameworks or plugins as much as we can, in order to have a more secure application.

Have you thought about that idea really hard? Any software will have bugs and security problems. In the open source world, unlimited numbers of eyes can spot them. For projects like Smarty, hundreds of eyes have spotted them in the past.
I don't see how avoiding well tested open source libraries will help your security concerns. You are more likely to repeat mistakes others have already fixed.

Seregwethrin wrote:
> I love Smarty and I want to use it. But I need to give some arguments to my friends about Smarty, and why we can trust it.

Smarty is probably the single best known template engine for PHP. It's been around for over a decade.

Seregwethrin wrote:
> What can I say about this? What makes Smarty more secure than any other framework?

Going out on a limb here: no. Although I have no idea what you are comparing to.
_________________
Twitter
Seregwethrin (Smarty n00b)
Joined: 17 Nov 2006 Posts: 3
Posted: Tue Jul 10, 2012 8:22 am
OK, what you said is reasonable. We are on the same side here.
Can you give me some websites which use Smarty where security is a concern, to support our claim? Maybe you can PM me if you don't want to put it in public. I would be grateful if you do that.
rodneyrehm (Administrator)
Joined: 30 Mar 2007 Posts: 698 Location: Germany, border to Switzerland
Posted: Tue Jul 10, 2012 8:58 am
Seregwethrin wrote:
> Can you give me some websites which use Smarty where security is a concern, to support our claim?

If I considered Smarty (in particular, but Twig, phpTAL, … are in the same boat) a security threat, I wouldn't use it (/them). I'm not even sure in which direction your "security considerations" are headed.
Are you afraid of XSS (Cross-Site Scripting)? Smarty can auto-escape all data poured into it. But it still allows you - the developer - to &%#& things up and introduce holes.
Other than XSS I don't see (m)any situations where Smarty could be an entry point. CSRF (Cross-Site Request Forgery) is something you'd handle in your request handling (controller, if you're talking MVC). SQL injections? Sorry, the database is not (and really should never be) Smarty's concern. Code injection? Unless you - practically deliberately - &%#& things up real good, I don't see this happening. I could continue, but maybe you should rather have a look at OWASP (the PHP cheat sheet in particular).

Seregwethrin wrote:
> Maybe you can PM me if you don't want to put it in public. I would be grateful if you do that.

I don't see how "hush hush" is any help to web security at all. If a library has got something to hide, you might want to avoid it. Obfuscation and concealment are everything but reliable security practices.
There's a list of Sites Using Smarty. This list is - obviously - far from complete. It's missing systems like Serendipity (blog-ware) and Prestashop (shop-ware) and a whole lot more…
_________________
Twitter
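The auto-escaping point made above, as an added PHP example that is not part of this thread or of Smarty's own code: it assumes Smarty 3.1 installed through Composer, a writable temp directory for compiled templates, and a constructed untrusted input value.

```php
<?php
// Added example (not from the thread or the Smarty project): how Smarty's
// auto-escaping blocks reflected XSS, and how a template author can still
// switch it off per variable. Assumes Smarty 3.1 installed via Composer.
require_once __DIR__ . '/vendor/autoload.php';

// Render a one-off "string:" template with $value assigned to {$name}.
function render(Smarty $smarty, string $template, string $value): string
{
    $smarty->assign('name', $value);
    return $smarty->fetch('string:' . $template);
}

$smarty = new Smarty();
$smarty->setCompileDir(sys_get_temp_dir()); // compiled templates need a writable dir
$smarty->force_compile = true;              // recompile on every fetch so setting changes apply

// Constructed untrusted input, e.g. a display name taken from a form field.
$untrusted = '<script>alert(1)</script>';

// 1. Default settings: {$name} is emitted verbatim, so the markup reaches the browser.
echo render($smarty, 'Hello {$name}', $untrusted), PHP_EOL;

// 2. Per-variable escaping with the escape modifier (defaults to HTML entities).
//    Safe, but every single output in every template has to remember it.
echo render($smarty, 'Hello {$name|escape}', $untrusted), PHP_EOL;

// 3. Global auto-escaping: every {$var} output is wrapped in htmlspecialchars()
//    at compile time, so a forgotten modifier no longer creates a hole.
$smarty->escape_html = true;
echo render($smarty, 'Hello {$name}', $untrusted), PHP_EOL;

// 4. The hole rodneyrehm warns about: "nofilter" bypasses auto-escaping for this
//    one output, so untrusted data is emitted raw again. Reserve it for markup the
//    application itself generated, never for user-supplied values.
echo render($smarty, 'Hello {$name nofilter}', $untrusted), PHP_EOL;
```

Grepping templates for `nofilter` (and for `escape_html = false`) is a cheap review check for exactly the mistake case 4 shows.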
Seregwethrin (Smarty n00b)
Joined: 17 Nov 2006 Posts: 3
Posted: Tue Jul 10, 2012 4:50 pm
Thanks for your thoughts, I'll definitely add them to my claim.
Powered by phpBB © 2001, 2005 phpBB Group