Its allure as an alternative/proxy to ASP/JSP makes everyone blinded IMO
just because of GPL. It’s pretty sad when a server side scripting engine
will allow Perl statements to be injected in GET parameters and cause major
damage after all the years of use and hype.
I am well aware of the scalability issues of a 1-tier solution and of PHP’s
security risks, which, as Frank points out, have made the news recently.
I’m not particularly worried about the Web site I’ve been working on, which
receives very little traffic, but I started wondering.
What if I renamed all the pages ".asp" instead of ".php"?
Basically, the question I’m asking is: how do hackers target PHP sites?
Is there any other means to guess that a page is generated by PHP except for its
suffix? Are there any HTML formatting rules that give away the CGI
language in which this page was generated?
Or do hackers just slam random pages with well-known GET and POST exploits
and see what happens?