  1. #1  SitePoint Zealot

    Is PHP unherently insecure?? (interesting article)

    Hi All

    I just read this article on the seven deadly sins of Linux security and was somewhat surprised to see this line:

    "...On Toxen's "don'ts" list: Don't use PHP, even though it's convenient..."

    Is the author suggesting PHP has some kind of security problem?

    I would be interested to hear people's comments on this.

    Regards, Ben

    Link to article
    Experience is that thing which lets you know you've made the same mistake yet again.

  2. #2  Hartmann
    Well, if he is suggesting that, it is true of anything. PHP isn't any less secure than Perl, Python, or any other scripting language. How else are you supposed to create dynamic sites? I guess you could use C scripts or something, but this guy is kind of being irrational. Maybe he works for Microsoft or something??

  3. #3  Icheb
    Mail him and ask him for proof. Every script is only as secure as the author of it writes it.
    Of course there are things like SQL injection attacks and what else, but there are ways to protect your scripts against all this.

  4. #4  Non-Member (quoted below as Dr Livingston)
    Exactly, such as making sure that the data going to the database is what it's supposed to be, i.e. make bloody sure of user inputs; use regular expressions to validate ALL user inputs; do not trust the user. Simple as that really. And talking about security, what about .NET? This has been known, as has other MS software in the past, to have bloody big gaping holes throughout its software; the reason they release a new patch every other week.
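
The SQL injection problem the two posts above refer to, as an added example that is not code from the thread or the article. It puts the string-spliced query beside the prepared-statement form and adds the whitelist validation the post recommends. The `users` table, its columns and the username pattern are assumptions; the in-memory SQLite database (needs the `pdo_sqlite` extension) is constructed so the file runs on its own.

```php
<?php
// Added example, not code from the thread. It shows the SQL injection
// mistake the posts above warn about beside the prepared-statement fix,
// plus a whitelist regex for input validation. The "users" table, the
// column names and the username pattern are assumptions; an in-memory
// SQLite database (requires the pdo_sqlite extension) is constructed so
// the file runs stand-alone.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// VULNERABLE: the request string is spliced into the SQL text, so quote
// characters in it become part of the query grammar.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: a prepared statement sends the value separately from the
// query, so it can only ever be compared as data.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Validation at the boundary, as the post recommends: accept only what a
// username is allowed to look like and reject everything else early.
// The pattern is an assumption; use whatever your own rules are.
function isValidUsername(string $username): bool
{
    return preg_match('/\A[a-z][a-z0-9_]{2,31}\z/', $username) === 1;
}

// Constructed attacker input: a tautology that matches every row.
$attack = "' OR '1'='1";

printf("unsafe query matched %d row(s)\n", count(findUserUnsafe($pdo, $attack)));
printf("prepared query matched %d row(s)\n", count(findUserSafe($pdo, $attack)));
printf("validator accepts 'alice': %s\n", var_export(isValidUsername('alice'), true));
printf("validator accepts attack string: %s\n", var_export(isValidUsername($attack), true));
```

Run it with `php example.php`: the spliced query matches both rows because the injected `OR '1'='1'` is true for every user, the prepared query matches none because the same text is just a username that does not exist, and the validator rejects the attack string before it gets anywhere near the database. Validation and prepared statements are complementary; the regex limits what gets in, the prepared statement makes sure that whatever does get in cannot change the query.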

  5. #5  M. Johansson
    Hmmm... I don't know. On prior versions, PHP was configured with an option called register globals, which caused huge security issues back and forth all the time - it was not an issue with PHP itself - it just made it really easy to make mistakes. I'm not sure how big a problem PHP has now, though, that he refers to.

    edit: He might be referring to the fact that PHP isn't strongly typed, which definitely shoots down a few obvious mistakes, but it's still up to the developer - it's perfectly possible to write safe code in PHP - albeit it demands a little more skill.
    Last edited by M. Johansson; Jun 9, 2003 at 07:23.
    Mattias Johansson
    Short, Swedish, Web Developer

    Buttons and Dog Tags with your custom design:
    FatStatement.com
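
The register_globals mistake described in the post above, as an added example that is not code from the thread. With `register_globals = On` every request parameter arrived as a ready-made PHP variable, so a script that only assigned a flag on the success path could be handed that flag by the URL. The directive was removed in PHP 5.4, so `extract()` stands in for it here; the function names and the request arrays are constructed for the example.

```php
<?php
// Added example, not code from the thread. It reproduces the register_globals
// mistake on current PHP: with register_globals=On (removed in PHP 5.4) every
// request parameter arrived as a ready-made variable, so a script that only
// set $isAdmin on the success path could be fooled by ?isAdmin=1. extract()
// stands in for that behaviour here; the request arrays are constructed.
declare(strict_types=1);

function isAdminVulnerable(array $request, string $sessionUser): bool
{
    // Stand-in for register_globals: every request key becomes a variable.
    extract($request);

    if ($sessionUser === 'admin') {
        $isAdmin = true;        // only assigned when the check passes
    }
    // The failure path never initialises $isAdmin, so whatever the request
    // injected is what gets returned.
    return !empty($isAdmin);
}

function isAdminFixed(array $request, string $sessionUser): bool
{
    // Rule 1: initialise every variable before it is tested.
    $isAdmin = false;
    // Rule 2: read input only from the request array you were handed
    // ($_GET, $_POST, ...) and never extract() it into the local scope.
    if ($sessionUser === 'admin') {
        $isAdmin = true;
    }
    return $isAdmin;
}

// Constructed request: an anonymous visitor appending ?isAdmin=1
$forged = ['isAdmin' => '1'];

printf("vulnerable, forged request, guest: %s\n", var_export(isAdminVulnerable($forged, 'guest'), true));
printf("fixed,      forged request, guest: %s\n", var_export(isAdminFixed($forged, 'guest'), true));
printf("fixed,      no request,     admin: %s\n", var_export(isAdminFixed([], 'admin'), true));
```

The vulnerable version returns true for the guest because `!empty($isAdmin)` sees the injected `'1'`; the fixed version returns false. Note that the same `extract()` would also overwrite `$sessionUser` if the request carried a key of that name, which is why the fix is not just "initialise the flag" but "never let untrusted input define variables at all". On PHP older than 5.4, set `register_globals = Off` in php.ini and still write the code as if it were on.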

  6. #6  M. Johansson
    Quote Originally Posted by Dr Livingston
    Exactly, such as making sure that the data going to the database is what it's supposed to be, i.e. make bloody sure of user inputs; use regular expressions to validate ALL user inputs; do not trust the user. Simple as that really.
    Indeed it is. So true.

    And talking about security, what about .NET? This has been known, as has other MS software in the past, to have bloody big gaping holes throughout its software; the reason they release a new patch every other week.
    Stop trolling.

  7. #7  Jeff Lange
    Patches are released for every software package, Microsoft or not; just because Microsoft is so huge and so many people use it, people seem to find more bugs, because so many more people use it. I find this to be an advantage, because there end up being fewer bugs than in other software, even though more are reported.
    Who walks the stairs without a care
    It shoots so high in the sky.
    Bounce up and down just like a clown.
    Everyone knows its Slinky.

  8. #8  Hartmann
    But why did the guy single PHP out? There has to be a reason he stated what he did...

    No matter what his reason, I still think it is an irrational thing to say. The web is inherently insecure; if you want your computer, your website, or your scripts to be secure, unplug your server from the internet and you will have that security.

  9. #9  Technosailor
    Might be that safe mode is turned off by default. There is the possibility of security issues with that.

    Aaron
    Aaron Brazell
    Technosailor

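The php.ini side of the safe mode and register_globals discussion above, as an added hardening fragment that is not configuration from the thread or the article. The directive names are real; the paths and the function list are placeholders to adapt. `safe_mode` and `register_globals` exist only in PHP older than 5.4 (both were removed in 5.4, safe mode because it compared file-owner UIDs on a handful of functions and was never a real sandbox), so on current PHP leave those two lines out and rely on the per-process restrictions and OS-level isolation (a separate user or PHP-FPM pool per site) instead.

```ini
; Added php.ini hardening fragment, not configuration from the thread.
; Paths and the disabled-function list are placeholders.

; --- the two directives the posts above discuss (PHP < 5.4 only) ---
; Never let ?var=x create $var.
register_globals = Off
; Keep safe mode off; it was not a sandbox. Use the restrictions below.
safe_mode = Off

; --- what actually limits what a compromised script can do ---
; Directories this site's PHP may open files from.
open_basedir = /var/www/example:/tmp
; Shell-out primitives a web application rarely needs.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
; No http:// or ftp:// in fopen()/file_get_contents()/include().
allow_url_fopen = Off
allow_url_include = Off

; --- information leakage ---
; Stack traces and file paths go to the log, not to the browser.
display_errors = Off
log_errors = On
; Drop the X-Powered-By header.
expose_php = Off

; --- session cookies ---
session.cookie_httponly = 1
session.cookie_secure = 1
session.use_strict_mode = 1
```

Check the running values with `php -i | grep -E 'register_globals|safe_mode|open_basedir|disable_functions'` (or `phpinfo()` on a non-public page), because the php.ini the CLI reads is often not the one the web server module or PHP-FPM reads.
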
  10. #10  samsm
    Links:
    Linux security: The seven deadly sins

    Real World Linux Security: Bob Toxen's Perspective
    That is the "Toxen" mentioned in the quote.

    Anyway... I'm sure that in his work as a consultant he has just seen a whole crap-load of PHP scripts that were insecure and adopted the attitude that PHP is likely to facilitate a security vulnerability. That's my bet.
    Using your unpaid time to add free content to SitePoint Pty Ltd's portfolio?

  11. #11  M. Johansson
    Quote Originally Posted by samsm
    Anyway... I'm sure that in his work as a consultant he has just seen a whole crap-load of PHP scripts that were insecure and adopted the attitude that PHP is likely to facilitate a security vulnerability. That's my bet.
    My money is on that, too.

  12. #12  SitePoint Zealot
    Any script in any programming language can be written to be insecure, so, making a sweeping statement like that about PHP is just dumb. And even though data isn't typed very strongly in PHP, it's very easy to force a type or check the type with functions like is_numeric().

    By the way, the title of this thread has a non-existent word. It should be INherently not unherently.
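
What `is_numeric()` and PHP's loose typing actually do, as an added example that is not code from the thread. It shows which strings `is_numeric()` accepts, how to force a type once at the boundary instead of checking repeatedly, and the `==` comparison pitfall that weak typing adds on top. All inputs, including the two `0e...` strings, are constructed for the example.

```php
<?php
// Added example, not code from the thread. It shows what is_numeric() does
// and does not accept, how to force a type once at the boundary, and the
// loose-comparison pitfall that PHP's weak typing adds on top. All inputs
// are constructed.
declare(strict_types=1);

// is_numeric() answers "could this be a number": signs, decimals, exponent
// notation and leading whitespace all pass. That is too loose for an id.
$inputs = ['42', '-42', '4.2', '1e3', ' 42', '0x2A', '42abc', ''];
foreach ($inputs as $in) {
    printf("%-9s is_numeric=%-5s ctype_digit=%-5s validate_int=%s\n",
        var_export($in, true),
        var_export(is_numeric($in), true),
        var_export(ctype_digit($in), true),
        var_export(filter_var($in, FILTER_VALIDATE_INT), true));
}

// Forcing the type: validate and convert once, then pass an int around so
// no later code has to guess what it is holding.
function parseRecordId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

foreach (['17', '0', '1e3', '17abc'] as $raw) {
    printf("parseRecordId(%s) = %s\n", var_export($raw, true), var_export(parseRecordId($raw), true));
}

// Loose typing bites in comparisons too: == turns two numeric-looking
// strings into numbers before comparing, so these different strings
// (both "0 times ten to something") compare equal. Use === for strings
// and hash_equals() when comparing digests or tokens.
$a = '0e462097431906509019562988736854';
$b = '0e830400451993494058024219903391';
printf("\$a == \$b  : %s\n", var_export($a == $b, true));
printf("\$a === \$b : %s\n", var_export($a === $b, true));
printf("hash_equals: %s\n", var_export(hash_equals($a, $b), true));
```

The table at the top is the point of the post made concrete: `is_numeric()` is the right check for "is this a number" but accepts `'1e3'` and `' 42'`, while `FILTER_VALIDATE_INT` (or `ctype_digit()` for unsigned ids) is the check you want before using a value as an integer key. The last three lines show why a validation function is not the whole story: with `==` the two distinct strings compare equal, with `===` and `hash_equals()` they do not.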

  13. #13  Jeff Lange
    probably a typo... u is right next to i.

  14. #14  hillsy
    Quote Originally Posted by M. Johansson
    My money is on that, too.
    His money probably is as well
    that's me!
    Now A Pom. And a Plone Nut
    Broccoli Martinez Airpark

  15. #15  fourhorses
    This has probably been said in this discussion, but here's my $.02:
    Of course PHP is inherently insecure. So is attaching the server that it's running on to the network. If you want an inherently secure system, remove all software (including the OS) and remove it from the network.

    Natch.

    Later,
    4Horses

