
Thread: is PHP Secure?

  1. #1
    Smart programmer silver trophy M.Zeb Khan's Avatar

    is PHP Secure?

    I am learning PHP nowadays, and I will be moving all the scripts/pages of my site from ASP to PHP. Just want to know, is PHP more secure than ASP?

    And what things do I need to take care of in the code to make it secure?

    And is it good to run PHP on Windows Server? Because I love my winServer, and I'm not in the mood to move to Linux.

    Waiting for responses
    Last edited by M.Zeb Khan; Dec 28, 2004 at 16:05. Reason: I wrote goot instead of good :)

  2. #2
    SitePoint Wizard mark_W's Avatar
    Yeah, PHP is fine to run on a windows based server! I've been running it for ages with no problems at all!

    PHP is only as secure as the code you write for it. Make sure that when you code PHP, as with any language, you validate every single form of user input!

    - Mark

  3. #3
    SitePoint Wizard silver trophybronze trophy asp_funda's Avatar
    What's secure & what's not really depends on how you use it. Let's just consider that PHP is more secure than ASP. But sloppy PHP coding can make your website more vulnerable than an avg. ASP website. So it's not about what's secure, it's about how secure your script is.

    There's nothing wrong with either PHP or ASP. You can use any of them as you want. Just watch out what you are coding & how secure it is.
    As for making your script secure, well, the thing is that if you are using a database, then the first priority should be to thwart an SQL Injection attack.

    And though PHP is generally run on Linux, there's no problem in running PHP on Windows with IIS. It's just that you won't be able to use those clean URLs that people make use of in their PHP websites (actually you need Apache for that, not Linux). There's one advantage of using PHP on Windows: you can use COM with PHP, you can access & use ADO in PHP to connect to Access or SQL Server.

    I've been using PHP on my Windows machine for over a year now without any problems.
    Our lives teach us who we are.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Me - Photo Blog - Personal Blog - Dev Blog
    iG:Syntax Hiliter -- Colourize your code in WordPress!!

  4. #4
    SitePoint Evangelist
    There are ISAPI rewrite modules.

  5. #5
    SitePoint Wizard Sillysoft's Avatar
    In my opinion PHP is meant for *nix, just as MySQL is meant for *nix. Even the manual on the MySQL site once stated it was optimized more for *nix. Dunno if that is still the case. In my experience PHP is slower on Windows. Though I was using IIS, I don't think Apache would be any better.

    PHP is easier to configure on Windows than it is on Linux, for example enabling DLLs to run functions like COM (COM only for Windows). There are some configs you can change to make PHP more secure, such as making sure register_globals is off and allow_url_fopen off, safe_mode on, session.save_path is not pointed to an insecure folder and mysql.allow_persistent off.

    Stuff like that helps secure your PHP server more. The rest is up to how you code. Being a Windows server though, you have to think about other possible vulnerabilities, like the fact it's an MS product.

    Silly

  6. #6
    SitePoint Guru
    I had some troubles with running PHP on Windows but that's probably just because I'm so used to the *nix ways of doing things (and I didn't have control of the server...poop)

    There are security concerns with PHP, just as there are with ASP and with Apache and with everything else. My suspicion is that PHP is more secure "out of the box", but I have absolutely no proof of that. Most problems with PHP scripts (and ASP scripts and Perl scripts too) come down to not checking user input properly, as mentioned above. Make sure register_globals is off, safe_mode is on, and either magic_quotes_gpc is on or you know what to do if it's not. Properly escape anything to be used in a database query. Be anal about what's allowed in incoming $_POST and $_GET. Be paranoid about anything to be used in eval() or system() or the like. Be paranoid about using $_GET variables to decide what to include(). Use the preg functions or store possible choices in an array when deciding whether incoming $_GET variables make sense. Do NOT use the same user/pass on logins, FTP access, and database access.

    We recently had some websites defecated on through use of PhpBB forums. Don't trust third-party scripts, even venerable ones. PHP has sufficient power to get you your server rooted if you're not careful. But the language itself, especially when used as an apache module, is as safe as anything.

    My $0.02
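    As an added example (not code from the thread), here is how the advice in this post maps to PHP: a tight preg pattern and an array allowlist on incoming $_GET values, a filter on a $_POST value, and a prepared statement so nothing from the request is spliced into SQL. The request values and the in-memory SQLite table are constructed for the demo.

```php
<?php
// Added example, not the poster's code: applying the input-checking advice above.
// Constructed sample request, standing in for real $_GET/$_POST so this runs from the CLI.
$_GET  = ['page' => '2', 'sort' => "name; DROP TABLE users"];
$_POST = ['username' => "o'brien", 'email' => 'ob@example.com'];

// Whitelist with a preg pattern: accept only what matches, otherwise fall back to a default.
function validInt(array $src, string $key, int $default): int
{
    if (isset($src[$key]) && preg_match('/^\d{1,6}$/', (string) $src[$key])) {
        return (int) $src[$key];
    }
    return $default;
}

// Whitelist with an array of known choices: the raw value never reaches the query.
function validChoice(array $src, string $key, array $allowed, string $default): string
{
    if (isset($src[$key]) && in_array($src[$key], $allowed, true)) {
        return $src[$key];
    }
    return $default;
}

$page = validInt($_GET, 'page', 1);
$sort = validChoice($_GET, 'sort', ['name', 'created'], 'name');   // hostile value discarded

// Be strict about $_POST too: reject the request rather than "cleaning" a bad address.
$email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
if ($email === false) {
    exit('Invalid e-mail address');
}

// Anything used in a query is bound as a parameter, so "o'brien" cannot break the SQL.
// With magic_quotes_gpc off, $_POST arrives unescaped; the prepared statement handles it.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT, email TEXT, created INTEGER)');

$insert = $pdo->prepare('INSERT INTO users (username, email, created) VALUES (?, ?, ?)');
$insert->execute([$_POST['username'], $email, time()]);

// Identifiers such as ORDER BY columns cannot be bound, which is why $sort came from an allowlist.
$select = $pdo->prepare("SELECT username FROM users ORDER BY $sort LIMIT 10 OFFSET :offset");
$select->bindValue(':offset', ($page - 1) * 10, PDO::PARAM_INT);
$select->execute();
$rows = $select->fetchAll(PDO::FETCH_COLUMN);

// Request data never goes to eval(), system() or include(); if a shell call is unavoidable,
// keep the command fixed and wrap each argument with escapeshellarg().
var_dump($rows);
```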

  7. #7
    SitePoint Wizard samsm's Avatar
    Using your unpaid time to add free content to SitePoint Pty Ltd's portfolio?

  8. #8
    SitePoint Wizard silver trophybronze trophy asp_funda's Avatar

    Quote Originally Posted by Sillysoft
    Being a Windows server though, you have to think about other possible vulnerabilities, like the fact it's an MS product.
    You are saying that as if non-MS products are not vulnerable.

  9. #9
    Free Geek computerages's Avatar
    In my opinion, PHP is more secure than ASP and more powerful. You could do anything with PHP, which you might not be able to do with ASP. Such as, PHP supports a wide variety of database servers, but ASP supports only MS-SQL or ODBC (as far as I know).. And another advantage of using PHP is that it is open source, you could develop it yourself if you know the C language; on the other hand, you have to pay money to Microsoft if you are using ASP...

  10. #10
    SitePoint Wizard silver trophybronze trophy asp_funda's Avatar

    Quote Originally Posted by computerages
    In my opinion, PHP is more secure than ASP and more powerful. You could do anything with PHP, which you might not be able to do with ASP. Such as, PHP supports a wide variety of database servers, but ASP supports only MS-SQL or ODBC (as far as I know)..
    Oh yeah, then you don't know much I'd have to say. It's ok that PHP has built-in functions for PgSQL, MySQL, Firebird & other databases but then ODBC is not bad at all. The thing is that with ODBC, you can connect to any database that's installed on your server, & I mean any, no puns attached. If there's a database which PHP doesn't support natively (& there are many, rest assured about that), then PHP also has to resort to ODBC.
    And I'd like to hear about a thing which you can do with PHP but not with ASP.

    Quote Originally Posted by computerages
    And another advantage of using PHP is that it is open source, you could develop it yourself if you know the C language; on the other hand, you have to pay money to Microsoft if you are using ASP...
    Oh yeah?? The last I heard, you have to pay a webhost to use PHP, open source or not, just like you pay for ASP. So how the heck is it an advantage? If you are saying that you can use your own build of PHP, then you'd have to have a dedicated server to use your own build of PHP. In that case, you can extend the ASP functionality by making your own ISAPI Filters or COM DLLs. And they are easier to make in VisualBasic than extending PHP by messing around in C.

    I'd suggest that you first get your facts right before you make any large comments like that & spread misinformation. C'mon now, I'm getting a bit tired of putting people right about what misconceptions they have regarding PHP & ASP.

    I'm not saying that PHP is bad or any less than ASP. The development of ASP stopped quite a while ago, the next thing in is ASP.NET, while PHP's development has been continuous in the meanwhile. Its inbuilt function library is quite rich. But then, ASP isn't a language, it's a framework in which you use scripting languages like VBScript or JScript while PHP is a scripting language itself.

  11. #11
    Non-Member coo_t2's Avatar
    I'd advise everyone to read that *entire* section of the manual that samsm linked to. If you don't understand that stuff you're going to write really vulnerable scripts.
    PHP itself is probably no more vulnerable than any other language that is running on a computer that's connected to the internet. Web servers are inherently insecure. The best you can hope to do is to understand how you may be attacked and try to guard against it.

    --ed

  12. #12
    SitePoint Member
    Quote Originally Posted by asp_funda
    And though PHP is generally run on Linux, there's no problem in running PHP on Windows with IIS. It's just that you won't be able to use those clean URLs that people make use of in their PHP websites (actually you need Apache for that, not Linux).
    I know it's not ideal, but there is a way to have clean URLs with PHP using IIS. I ended up doing this as a last resort because we needed to switch to IIS (from Apache with clean URLs) and we couldn't change our URL structure. We ended up setting the 404 error page to a PHP file, which would then redirect all of the traffic for the site. So basically /article/my-article wouldn't be a real folder, and it'd call the 404 page. PHP would dissect the URL and then load the proper page.

    Again, not ideal, but it helped me out in a jam.
    Patrick Lucas | blog [link]
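    An added illustration (not plucas's code) of the 404-handler approach: the script that IIS is configured to serve as its custom 404 page reads the original request out of the query string, validates every path segment, and maps the first segment to a real script through a fixed array, so the URL can only ever pick a key and never a file path. It assumes IIS passes the original URL as `404;http://host/path` in QUERY_STRING, which is how IIS custom error URLs receive it; `pages/article.php` and `pages/about.php` are hypothetical.

```php
<?php
// Added example, not the poster's code: PHP script used as the IIS custom 404 page.
// Assumption: IIS invokes it with QUERY_STRING = "404;http://host/original/path".

// Constructed sample in place of $_SERVER['QUERY_STRING'] so this runs from the CLI.
$queryString = '404;http://www.example.com:80/article/my-article';

// Fixed map of URL sections to scripts; the URL only ever selects a key, never a path.
$routes = [
    'article' => 'pages/article.php',   // hypothetical
    'about'   => 'pages/about.php',     // hypothetical
];

// Returns the validated path segments, or null if the URL is malformed or unsafe.
function parseCleanUrl(string $qs): ?array
{
    if (strncmp($qs, '404;', 4) !== 0) {
        return null;
    }
    $path = parse_url(substr($qs, 4), PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    $segments = array_values(array_filter(explode('/', $path), 'strlen'));
    foreach ($segments as $segment) {
        // Plain slugs only: no dots, backslashes or encoded characters, so no traversal.
        if (!preg_match('/^[a-z0-9-]{1,64}$/', $segment)) {
            return null;
        }
    }
    return $segments;
}

// Decides the HTTP status and the script to run for this request.
function resolveRoute(string $qs, array $routes): array
{
    $segments = parseCleanUrl($qs);
    if ($segments === null || $segments === [] || !isset($routes[$segments[0]])) {
        // Unknown or malformed: keep the genuine 404 so clients and crawlers see the truth.
        return ['status' => 'HTTP/1.1 404 Not Found', 'script' => null, 'slug' => null];
    }
    // Known section: override the 404 status IIS would otherwise send (the concern
    // raised in post #13), and hand the validated slug to the page script.
    return [
        'status' => 'HTTP/1.1 200 OK',
        'script' => $routes[$segments[0]],
        'slug'   => $segments[1] ?? '',
    ];
}

$route = resolveRoute($queryString, $routes);
header($route['status']);
if ($route['script'] !== null) {
    $_GET['slug'] = $route['slug'];   // e.g. "my-article", already validated
    require $route['script'];         // path came from $routes, never from the URL
}
```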

  13. #13
    SitePoint Guru
    Quote Originally Posted by plucas
    So basically /article/my-article wouldn't be a real folder, and it'd call the 404 page.
    You HAD to have taken a s**t-kicking from Google for this...which is why 'clean URLs' are so coveted in the first place. Unless it doesn't actually send back a 404?

  14. #14
    SitePoint Wizard silver trophybronze trophy asp_funda's Avatar

    Quote Originally Posted by plucas
    I know it's not ideal, but there is a way to have clean URLs with PHP using IIS. ... We ended up setting the 404 error page to a PHP file, which would then redirect all of the traffic for the site.
    Yeah, I know about that one & yes it's not ideal but serves the purpose if you do it right.

  15. #15
    Free Geek computerages's Avatar
    Quote Originally Posted by asp_funda
    Oh yeah, then you don't know much I'd have to say. It's ok that PHP has built-in functions for PgSQL, MySQL, Firebird & other databases but then ODBC is not bad at all. The thing is that with ODBC, you can connect to any database that's installed on your server, & I mean any, no puns attached. If there's a database which PHP doesn't support natively (& there are many, rest assured about that), then PHP also has to resort to ODBC.
    And I'd like to hear about a thing which you can do with PHP but not with ASP.
    Well, you may want to read this article, it describes everything you need to know about PHP and ASP. If you still don't think that PHP is more powerful than ASP, then probably you do not want to accept it in any way!
    Quote Originally Posted by asp_funda
    Oh yeah?? The last I heard, you have to pay a webhost to use PHP, open source or not, just like you pay for ASP. So how the heck is it an advantage? If you are saying that you can use your own build of PHP, then you'd have to have a dedicated server to use your own build of PHP. In that case, you can extend the ASP functionality by making your own ISAPI Filters or COM DLLs. And they are easier to make in VisualBasic than extending PHP by messing around in C.
    Well, but you still have to pay Microsoft to buy Visual Basic, and it costs more than $300! And who says you mess around in C? If you think that way then it basically means you don't know how to program in C.

  16. #16
    SitePoint Wizard silver trophybronze trophy asp_funda's Avatar

    Quote Originally Posted by computerages
    Well, but you still have to pay Microsoft to buy Visual Basic, and it costs more than $300! And who says you mess around in C? If you think that way then it basically means you don't know how to program in C.
    Like I said earlier, get your facts right before spreading misinformation. I'm not being rude, all I'm telling you is that you are wrong & you don't know about it nor are you ready to accept it.
    Whoever said that to run ASP you need to buy VisualBasic is a first rate idiot. You can code ASP in a text editor (you don't even need Notepad, you can use any other editor like Crimson, etc.).
    And you need to mess around in C to extend PHP. It's not as simple as 1-2-3. And if you are a C guru, then that doesn't mean everyone is, no? And if anyone said that C is easier than VisualBasic (for creating COM for ASP), then I'd say that they are off their rocker.


    Quote Originally Posted by computerages
    Well, you may want to read this article, it describes everything you need to know about PHP and ASP. If you still don't think that PHP is more powerful than ASP, then probably you do not want to accept it in any way!
    And as for that article, all I'd say is that it's one of the rubbish articles I've ever read. I don't know what the author is trying to convey with all that. Even if it's true that ASP takes a bit more execution time than PHP as it's based on COM, then the same applies to PHP running on Windows as that too uses ISAPI filters. So the problem isn't ASP or PHP, it's the server (IIS) or the OS (Windows), which are entirely different entities & which we are not discussing. Besides, JSP is even slower than ASP & PHP, so does that mean it's crap? Try telling that to corporates who are running mammoth applications on JSP.
    What's this about using MS-SQL with ASP? You can pretty much use MySQL with ASP just as you can use MS-SQL with PHP. Files can be uploaded without COM in ASP & the mail components already come installed with IIS, you don't need to buy them separately.
    And yes, I'm not admitting that PHP is more powerful than ASP. Take into consideration that ASP's development was stopped 3-4 years ago. Now if you compare a PHP version of that time, you'll find that most of the functions which you use today weren't there then. What do you know, I've used PHP3 & using that was a pain in the neck until I saw PHP4. PHP wasn't up to ASP back then. If you are talking about now, then I already said that. PHP is now ahead of ASP 3.0 as its development has been continuous. But if you compare it with ASP.NET, then you'll find PHP still behind.


    I'm in no way undermining PHP's potential. I've already said that its inbuilt function library is perhaps richer than VBScript's & I quite like coding in it, it's just that I feel it's my moral duty to put people straight when they are wrong on the issues of PHP & ASP. It's a very touchy topic & let's not start another flame war on it, there are already loads of such threads on it here. So let's just get back on topic, shall we?

  17. #17
    SitePoint Enthusiast
    Quote Originally Posted by asp_funda
    Whoever said that to run ASP you need to buy VisualBasic is a first rate idiot.
    I think he was probably referring to...

    Quote Originally Posted by asp_funda
    In that case, you can extend the ASP functionality by making your own ISAPI Filters or COM DLLs. And they are easier to make in VisualBasic than extending PHP by messing around in C.
    ...and not trying to imply that you need VisualBasic to code ASP.

    Is PHP itself "secure"? Yes. As secure as the code you write.
    Is classic ASP itself "secure"? Yes. As secure as the code you write.

    I'd be more concerned with the "security" of the platform that you choose for implementation, rather than the language itself.

  18. #18
    SitePoint Wizard Sillysoft's Avatar
    Quote Originally Posted by asp_funda
    You are saying that as if non-MS products are not vulnerable.
    No, what I'm saying is MS is an easy target. When Linux gets as easy as Windows then it's time to look at Unix.

    Silly

  19. #19
    SitePoint Wizard silver trophybronze trophy asp_funda's Avatar

    Quote Originally Posted by Sillysoft
    No, what I'm saying is MS is an easy target.
    Yep, you are right there. Being the most popular OS has its downsides as well.


    Quote Originally Posted by Sillysoft
    When Linux gets as easy as Windows then it's time to look at Unix.
    Probably!!

  20. #20
    Wanna-be Apple nut silver trophy M. Johansson's Avatar
    Security advisory stats from Secunia.com for 2003-2004:

    PHP 4.3
    http://secunia.com/product/922/
    11 advisories

    ASP.NET
    http://secunia.com/product/2173/
    4 advisories

    Microsoft IIS (i.e. ASP)
    http://secunia.com/product/1438/
    3 advisories
    Mattias Johansson
    Short, Swedish, Web Developer

    Buttons and Dog Tags with your custom design:
    FatStatement.com

  21. #21
    SitePoint Wizard silver trophy someonewhois's Avatar
    Just scanning through the PHP 4.3 vulnerabilities Mattias has posted... most of them seem to be either on an application level, or a shared-server level. Both of those really aren't that big (well, okay, shared server issues aren't tiny either, but that's nothing that affects developers, it's web hosts - which doesn't apply for the sake of this conversation). I didn't look at the ASP vulnerabilities. (I'd rather not get into a flame war, you know.)

    PHP is simply as insecure as one can make it. The recent unserialize fix, and the long-old register_globals fix: both of those weren't security threats. PHP simply closed them up to prevent hacks from shooting themselves in the foot. All you have to do is check your input, and you're fine. You should be doing that in ANY language.

    Quote Originally Posted by Sillysoft
    No, what I'm saying is MS is an easy target. When Linux gets as easy as Windows then it's time to look at Unix.
    Haha. Thing is, Linux has just as many (if not more) vulnerabilities, because they bundle a thousand and one applications alongside it.

    I'd love to know how PHP vs ASP became a Linux vs Microsoft debate. Strange.


    Edit: Hey, asp_funda, ever realized that your ASP Guru badge is a grayish colour, and the PHP Guru is a nice solid blue? Just kiddin' of course.

  22. #22
    SitePoint Enthusiast
    Don't forget IIS 5.x (since win2k is still the majority, AFAIK)
    http://secunia.com/product/39/
    11 advisories

    and PHP 5.0.x
    http://secunia.com/product/3919/
    2 advisories


  23. #23
    SitePoint Wizard silver trophybronze trophy asp_funda's Avatar

    Quote Originally Posted by someonewhois
    Hey, asp_funda, ever realized that your ASP Guru badge is a gray'ish colour, and the PHP Guru is a nice solid blue?
    Yeah, my badge blends with the background of the SitePoint forums, showing a good integration with the community, while yours just reflects the poisonous side of your mind (blue) & also reflects that your mood is always blue.

  24. #24
    SitePoint Wizard silver trophy someonewhois's Avatar
    Quote Originally Posted by asp_funda
    Yeah, my badge blends with the background of the SitePoint forums, showing a good integration with the community, while yours just reflects the poisonous side of your mind (blue) & also reflects that your mood is always blue.
    Yours also reflects the colour of the clouds, meaning you're obstructed. Mine, on the other hand, adds a nice contrast, stands out, and blends in with my avatar.

  25. #25
    SitePoint Wizard silver trophybronze trophy asp_funda's Avatar
    Quote Originally Posted by someonewhois
    Yours also reflects the colour of the clouds, meaning you're obstructed. Mine, on the other hand, adds a nice contrast, stands out, and blends in with my avatar.
    You are just jealous. I'll tackle you after I wake up.

