[nylug-talk] PHP Security

Michael B Allen mba2000 at ioplex.com
Sat Dec 30 12:55:16 EST 2006


On Sat, 30 Dec 2006 11:28:45 -0500
Ruben Safir <ruben at mrbrklyn.com> wrote:

> I'm not sure that that means, but PHP's security problems are long
> documented and needn't really be rehashed here for the millionth time.

Well I've been on this list for several months and I don't recall the
discussion so ...

Where are these security problems documented exactly? I've never found a
good technical description of the problems. It's always vague discussion
on message boards with no real technical basis.

The "PHP is insecure" statements tick me off a little because it was
started by thoughtless finger pointing web developers with no programming
experience (and perpetuated by crowd psychology). The whole issue is
the result of the following:

1) Huge installation base results in corresponding increase in security
incidents. PHP is far and away the most popular server side scripting
language next to possibly ASP.

2) Programmer mistakes that would have occurred just as easily with any
language (e.g. not escaping characters that could be interpreted by SQL
processors and browsers).

3) PHP is frequently the first server side scripting language used by web
developers. It is not uncommon for web developers with no experience to
blindly copy and paste chunks of PHP into their site (e.g. phpBB). This
behavior greatly facilitates 2.

4) High profile vulnerabilities in insecure third party packages. The
phpBB package is arguably more responsible for "PHP is insecure" claims
than any other one issue.

5) Language bashing is a way for frustrated programmers to vent. Java has
been bashed heavily but recently PHP seems to be taking the lead. Sites
like Slashdot facilitate language bashing very well.

6) Programmers get bored and like to move to new languages every once
in a while to keep things interesting. This facilitates 5.

None of the above could justify eliminating PHP for a project. In fact,
because PHP has been used in hostile environments for so long, I would
argue that a well written PHP site is more likely to be secure than in
just about any other language (except perhaps Perl because it has also
been used on the Internet extensively and it has taint checking). At
least, I would personally favor using PHP because I know I could write
the site in a secure way.

The only valid "PHP is insecure" argument that I have ever heard is
that PHP doesn't provide the higher level functions that encourage secure
programming techniques like PreparedStatements and PDO. But for a number
of reasons it doesn't justify eliminating it as a candidate for a project.

Mike

PS: If you're thinking I'm biased because I have a PHP product, my product
is 99% C. The PHP language binding is a few hundred lines of code. We'll
be creating bindings for Python, Perl, Java, etc when the functionality
is fleshed out and solidified.

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
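
The mistake from point 2 (not escaping characters the SQL processor interprets) beside the PDO prepared-statement approach the message mentions at the end, as an added example that is not part of Mike's post. The table, the sample input and the two lookup functions are constructed for illustration; it assumes PHP with the pdo_sqlite extension so it runs against an in-memory database.

```php
<?php
// Added example (not from the original post). Uses an in-memory SQLite
// database via PDO so it runs stand-alone; requires the pdo_sqlite extension.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed sample input: the kind of value a user could type into a
// lookup form. It contains a single quote, a character SQL interprets.
$input = "bob' OR '1'='1";

// (1) The programmer mistake: untrusted input pasted straight into the SQL
// text. The quote in $input closes the string literal early and the rest of
// the input is parsed as SQL, so the WHERE clause no longer does what the
// programmer intended.
function lookupUnsafe(PDO $db, string $name): array {
    $sql = "SELECT name, role FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// (2) The prepared-statement form: the SQL text is compiled with a named
// placeholder and the value is bound separately, so whatever characters the
// input contains, it is only ever treated as a value, never as SQL.
function lookupSafe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Compare how many rows each approach hands back for the same input.
printf("unsafe lookup: %d row(s)\n", count(lookupUnsafe($db, $input)));
printf("safe lookup:   %d row(s)\n", count(lookupSafe($db, $input)));
```

The same bound-parameter pattern works with PDO's MySQL and PostgreSQL drivers; only the DSN in the constructor changes.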

