Black Magic Code

Friday, April 06, 2007

About PHP security...

I saw a link on programming.reddit that was about PHP security. It was a few slides on which vulnerabilities an inexperienced PHP coder can introduce. Take a look for yourself. These are the most common and quite easily exploitable holes in your garden-variety PHP "application".

Now the holes themselves aren't that interesting. What is interesting is this comment I found in the reddit discussion of the PDF slides above.

That's one of the things I don't like about PHP's culture and philosophy. They think it's the programmer's fault. The programmer should have to do all this by hand every single time. The programmer shouldn't be given any help or supplied with any set of intelligent defaults.



That is the best thing ever written about secure coding in PHP. The PHP tool providers have a flawed culture when it comes to aiding the programmer with security. PHP has a very low barrier to entry, which means that inexperienced people will use it to start coding. But the security side of writing less vulnerable PHP has a steep learning curve. Also, this has to be done manually each and every time you accept user input. Do you see budding PHP coders thinking about security when they start out? Do you think that your average PHP monkey is thinking about security when sitting in his hot little room at the local web dev shop with his boss breathing down his neck and asking "is it done yet?" every five seconds?
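To make concrete what "doing it by hand every single time" means, here is an added example (my own illustration, not code from the post or from the linked slides). It assumes a hypothetical users(name, email) table and a request parameter called "name". The first function is the garden-variety version: the request value goes straight into the SQL and straight back into the HTML, and nothing in PHP stops it. The second is the same lookup with the manual work the language never does for you: validate, bind instead of interpolate, escape on the way out.

```php
<?php
// Added illustration, not code from the post or the slides it links to.
// Assumes a hypothetical table users(name, email) and a "name" parameter.

// The "garden variety" version: raw request data into SQL, raw data into HTML.
function lookupUnsafe(PDO $db, array $request)
{
    $name  = $request['name'];                                   // unvalidated
    $sql   = "SELECT email FROM users WHERE name = '$name'";     // interpolated
    $row   = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    $email = $row ? $row['email'] : 'not found';
    return "<p>Email for $name: $email</p>";                     // reflected as-is
}

// What the programmer has to do by hand, every time, with no help from PHP.
function lookupSafe(PDO $db, array $request)
{
    $name = isset($request['name']) ? $request['name'] : '';
    // 1. Validate against an allow-list before the value goes anywhere.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $name)) {
        return '<p>Invalid user name</p>';
    }
    // 2. Bind the value instead of building the query string from it.
    $stmt = $db->prepare('SELECT email FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    $row   = $stmt->fetch(PDO::FETCH_ASSOC);
    $email = $row ? $row['email'] : 'not found';
    // 3. Escape for the HTML context on output, including quotes.
    $h = function ($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); };
    return '<p>Email for ' . $h($name) . ': ' . $h($email) . '</p>';
}

// Constructed in-memory SQLite database so the example runs stand-alone.
function demoDb()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT, email TEXT)');
    $db->exec("INSERT INTO users VALUES ('alice', 'alice@example.com')");
    return $db;
}

$db = demoDb();
// Constructed inputs: a normal name, a SQL-breaking one, an HTML-breaking one.
$normal   = array('name' => 'alice');
$sqlBreak = array('name' => "x' OR '1'='1");
$htmBreak = array('name' => '<script>alert(1)</script>');

echo lookupUnsafe($db, $normal),   "\n";  // works as intended
echo lookupUnsafe($db, $sqlBreak), "\n";  // OR clause matches every row
echo lookupUnsafe($db, $htmBreak), "\n";  // script tag lands in the page
echo lookupSafe($db, $normal),     "\n";  // works as intended
echo lookupSafe($db, $sqlBreak),   "\n";  // rejected by the allow-list
echo lookupSafe($db, $htmBreak),   "\n";  // rejected by the allow-list
```

Note that none of the three steps in lookupSafe is enforced by the language: drop any one of them and the code still runs, still returns data, and still looks finished to the boss asking "is it done yet?". That is the point the reddit comment makes about defaults.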

Of course the programmer has some responsibility to see that his code is securely written, but the programming language should help him if he makes a few mistakes in writing secure code. And it is up to Zend to change its culture and philosophy when it comes to this.