[Techtalk] why is Active X in web pages evil, but not Perl/PHP/Javascript?

Meredith L. Patterson mlp at thesmartpolitenerd.com
Thu Jan 20 04:27:59 EST 2005


Quoting Carla Schroder <carla at bratgrrl.com>:

> As the subject line says, why is Active X in web pages evil, but not 
> Perl/PHP/Javascript?

Perl and PHP run on the server side, rather than the client side. As such, they
have no access to the user's machine. It's still possible to use information
that's provided via the HTTP protocol to scare people who don't know what
they're doing ("How does your webpage know that I'm using Mozilla?!?"), but all
processing is done on the server side, which sends back HTML[1] data that is
then displayed.

PHP has security holes crop up from time to time, but they're a danger to the
server, not the client.

Javascript I know very little about (other than that I don't like writing it),
so I'll let other people talk about it. It does execute in the client's browser,
and there are indeed Javascript exploits. (One subtle difference: Javascript is
*compiled* on the server side, but the bytecode is *executed* on the client side.)

And I know nothing whatsoever about ActiveX, other than that most people turn
both it and Javascript off in their browsers.

[1] OK, OK, it doesn't *have* to be HTML, but unless there's a MIME type defined
for it, you'll just be prompted to download it.

--mlp

