Is PHP unherently insecure?? (interesting article)

**ben_m_gunn** · Jun 8, 2003 19:06

Hi All

I just read this article on the seven deadly sins of linux security and was somewhat surprised to see this line:

"...On Toxen's "don'ts" list: Don't use PHP, even though it's convenient..."

Is the author suggesting PHP has some kind of security problem?

I would be interested to hear people comments on this.

Regards, Ben

Link to article

**Hartmann** · Jun 8, 2003 20:52

Well if he is suggesting that, it is true with anything. PHP isn't any less secure as Perl, Python, or any other scripting language. How else are you supposed to create dynamic sites? I guess you could use C scripts or something but this guy is kind of being irrational. Maybe he works for Microsoft or something??

**Icheb** · Jun 9, 2003 05:53

Mail him and ask him for proof. Every script is only as secure as the author of it writes it.
Of course there are things like SQL injection attacks and what else, but there are ways to protect your scripts against all this.

**Dr Livingston** · Jun 9, 2003 07:06

Exactly, such as making sure that the data going to the database is what it's supposed to be

Ie make bloody sure for user inputs; use Reg Exp. to validate ALL user inputs; do not trust the user.Simple as that really; and talking about security, what about .NET ?

this has been known, as has other MS software in the past, to have bloody big gaping holes through out it's software;The reason the release a new patch every other week

**M. Johansson** · Jun 9, 2003 07:10

Hmmm... I don't know. On prior versions, PHP was configured with an option called register globals, which caused huge security issues back and forth all the time - it was not an issue with PHP itself - it just made it really easy to make mistakes. I'm not sure how big a problems PHP has now, though, that he refers to.

edit: He might be referring to the fact that PHP isn't strongly typed, which definetly shoots down a few obvious mistakes, but it's still up to the the developer - it's perfectly possible to write safe code in PHP - albeit it demands a little more skill.

**M. Johansson** · Jun 9, 2003 07:19

Originally Posted by Dr Livingston

Exactly, such as making sure that the data going to the database is what it's supposed to be

Ie make bloody sure for user inputs; use Reg Exp. to validate ALL user inputs; do not trust the user.Simple as that really;

Indeed it is. So true.

and talking about security, what about .NET ?

this has been known, as has other MS software in the past, to have bloody big gaping holes through out it's software;The reason the release a new patch every other week

Stop trolling.

**Jeff Lange** · Jun 9, 2003 12:02

Patches are released for every software package, Microsoft or not, just the fact that Microsoft is so huge and so many people use it, people seem to find more bugs, because so many more people use it. I find this to be an advantage, because there ends up being less bugs than other software, even though more are reported.

**Hartmann** · Jun 9, 2003 12:19

But why did the guy single PHP out? There has to be a reason he stated what he did...

No matter what his reason, I still think it is an irrational thing to say. The web is inherently unsecure, if you want your computer, your website, or your scripts to be secure, unplug your server from the internet and you will have that security.

**Technosailor** · Jun 9, 2003 12:27

Might be that safe mode is turned off by default. There is the possibility of security issues with that.

Aaron

**samsm** · Jun 9, 2003 13:01

Links:
Linux security: The seven deadly sins

Real World Linux Security: Bob Toxen's Perspective
That is the "Toxen" mentioned in the quote.

Anyway... I'm sure that in his work as a consultant he has just seen a whole crap-load of PHP scripts that were insecure and adopted the attitude that PHP is likely to facilitate a security vulnerability. That's my bet.

**M. Johansson** · Jun 9, 2003 17:19

Originally Posted by samsm

Anyway... I'm sure that in his work as a consultant he has just seen a whole crap-load of PHP scripts that were insecure and adopted the attitude that PHP is likely to facilitate a security vulnerability. That's my bet.

My money is on that, too.

**monty** · Jun 11, 2003 10:38

Any script in any programming language can be written to be insecure, so, making a sweeping statement like that about PHP is just dumb. And even though data isn't typed very strongly in PHP, it's very easy to force a type or check the type with functions like is_numeric().

By the way, the title of this thread has a non-existent word. It should be INherently not unherently.

**Jeff Lange** · Jun 11, 2003 10:39

probably a typo... u is right next to i.

**hillsy** · Jun 11, 2003 10:53

Originally Posted by M. Johansson

My money is on that, too.

His money probably is as well

**fourhorses** · Jun 11, 2003 12:35

This has probably been said in this discussion, but here's my $.02:
Of course PHP is inherently insecure. So is attaching the server that it's running on to the network. If you want an inherently secure system, remove all software (including the OS) and remove it from the network.

Natch.

Later,
4Horses

User Tag List

Thread: Is PHP unherently insecure?? (interesting article)

Thread Tools

Display

Is PHP unherently insecure?? (interesting article)

Bookmarks

Bookmarks

Posting Permissions