39 Comments
- Ghazi, on 10/12/2007, -0/+4: PHP is not to blame here... It's the dumbasses that don't know how to code!
- mercnboy3, on 10/12/2007, -0/+4: digg is written in php
- Ghazi, on 10/12/2007, -0/+3: "And the #1 PHP security blunder:
USING PHP IN THE FIRST PLACE"
What do you suggest we use? Coldfusion?
- enygmadae, on 10/12/2007, -1/+3: FYI, there's a response from Chris Shiflett (author of the Essential PHP Security book: http://phpsecurity.org/) that they moved from the comments over to the SitePoint forums...
http://www.sitepoint.com/forums/showpost.php?p=2374757&postcount=9
- scblock, on 10/12/2007, -0/+2: It was looking pretty good until it insisted that you should turn on magic quotes. Magic quotes was a ***** fix and causes far more problems than it is worth. If you're writing SQL queries, use the string escaping functions for your database (mysql_real_escape_string, for example), or use something like Pear with prepared SQL statements with ? placeholders. In fact I explicitly strip slashes from user input if magic quotes are turned on (since the user of software often doesn't have control of the server), and then _properly_ validate and clean the input.
No dig.
- Blitzenn, on 10/12/2007, -1/+3: Why is it that when you can write bad code in PHP or some other 'third party' language, it's the programmer's fault for not understanding what they are doing (as it should be). It's not a fault of the language. When it is a Microsoft product, such as Visual Basic or C#, it's Microsoft's fault for allowing tools to be made that people can use to build bad code. The double standard is overwhelmingly obvious as you browse the news over the last couple of years.
If someone uses a hammer to fix a sticky key on their keyboard, and wrecks the keyboard in the process, do we blame the manufacturer of the hammer because there were not enough safeguards shipped with the hammer to prevent me from doing harm to things that I shouldn't do harm to? Why do we hold MS to a different standard than the rest of the business world? Perhaps the advent of some programming blunders in non-MS platforms will open the eyes of those who like to bah without understanding what they are talking about. It's bad coding by bad programmers, not a bad set of tools because you don't understand how to use them.
- inactive, on 10/12/2007, -0/+2: If it weren't for PHP I'd be broke right now :)
- tacker, on 10/12/2007, -0/+2: Must read for PHP beginners.
- clevershark, on 10/12/2007, -0/+2: To use ASP.NET you must serve with Windows.
So, right off the bat it's not really viable.
- indiefan, on 10/12/2007, -0/+1: "but keep in mind that recent developments have made it possible to generate MD5 collisions in less than an hour on standard PC hardware."
umm, link anyone?
- turbowaffle, on 10/12/2007, -0/+1: If you are going to use the article to support one language and belittle another, you'd have to make sure your language of choice is invulnerable to unvalidated input, poorly written access control, and anything else in the article that wasn't specific to PHP. I think the only thing that pertained solely to PHP was the section about storing session data securely.
- jo42, on 10/12/2007, -0/+1: > ASP.NET
For religious reasons, Microsoft products are forbidden here.
Besides, if I cobble up stuff in PHP, I can run it on FreeBSD, Linux, Solaris and (gack! foo!) Windows. If I kludge stuff in ASP.NET, I am forever tied to the infidel Microsoft.
- llbbl, on 10/12/2007, -0/+1: PHP > ASP.NET + Clodfusion!!!!
- BluParadox, on 10/12/2007, -0/+1: "but keep in mind that recent developments have made it possible to generate MD5 collisions in less than an hour on standard PC hardware."
umm, link anyone?"
The program takes up more than 70gb of HD space, and to my knowledge it's not available for download (although you can submit a request to have cracked through their website, which I am too lazy to go find).
"It was looking pretty good until it insisted that you should turn on magic quotes. Magic quotes was a ***** fix and causes far more problems than it is worth."
The article didn't insist you turn on magic quotes, it said you need to check in your script to see if it is on, and if it isn't you need to act accordingly to validate your input (one could argue that even if it is on you need to do more to validate your input...)
- skydive, on 10/12/2007, -0/+0: Ok, the guy that wrote this article doesn't seem to know how to access associative arrays properly.
He _did_ do it appropriately on the second page, but not the first; which just makes this example inconsistent, which makes it just like 90% of all the php examples out there.
- optroodt, on 10/12/2007, -0/+0: If you're programming in PHP you really SHOULD know about these things, nothing new for me though.
- bmcnitt, on 10/12/2007, -0/+0: Agree that most all of these concepts apply to web application development in any language. (Because of its popularity, "PHP" is starting to become synonymous with web scripting in general -- kind of like "Kleenex" to facial tissues and "Xerox" to copy machines. I have had clients ask if I could program a "PHP" page for them not really understanding that PHP was a specific language. To them, PHP meant "web application".)
Brian
http://brianmcnitt.com
- kdehead, on 10/12/2007, -0/+0: essential reading for anyone beginning to program in PHP - you really should know these things. dugg.
- BluParadox, on 10/12/2007, -0/+0: "Sure, and how do we do that on our large enterprise class Sun boxes? Or our HPUX servers, or our departmental linux boxes?"
Microsoft does have a whole line of enterprise level server products... They cost money, but you can make the case that they actually make sense if you look at total cost of ownership. One of the major reasons large sites (amazon/google, etc) are often based on php has to do with the fact that linux and open source in general give you flexibility to recode parts of things to make them faster for your specific purpose, this means that on a very large scale open source can be more efficient. Being free helps, but it isn't enough by itself. I'd say that basically windows makes sense for the lower level enterprise market. Very high or low bandwidth sites are owned by open source (microsoft's fees are too great for smaller sites, and not enough flexibility for the very large ones). You probably have something like this: blogs (linux) -> ford.com (windows) -> amazon.com (linux). There is no one size fits all solution
- MindTrigger, on 10/12/2007, -0/+0:
I've been using Coldfusion since version 5 and I love it. It's not free, I'll give you that, but it's always done what I needed it to do perfectly.
- kdehead, on 10/12/2007, -0/+0: As a matter of routine, if you are issuing a mysql delete, ALWAYS make sure that the var being passed is NOT blank.
It doesn't matter what I've done in the code previously - I just do the following, always, so now it's just second nature:
    // guard: only build the DELETE when the index is non-blank
    if (trim($custindex) != '')
    {
        $query = "DELETE FROM Customers WHERE CustomerIndex=$custindex";
    }
yeah yeah - I know - should use libraries or abstraction. but sometimes I don't have those libraries to hand, or I'm just writing a quick, fire and forget PHP command line script...
    DELETE FROM Customers WHERE CustomerIndex='';
will empty the table Customers.
- N3LDAN, on 10/12/2007, -1/+1: mcarolan said "True, PHP does suck. But cf sucks even more. ASP.NET is the way forward"
hahahahaha good one
- Smokezz, on 10/12/2007, -1/+1: ASP.NET... /shudder.
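Added example, not from this thread or from the article it discusses: kdehead's blank-index guard above stops one failure mode, and scblock's comment higher up names the general fix (prepared statements with placeholders). The script below applies that fix to the same DELETE: it validates the index as a positive integer and binds it through a PDO prepared statement, so the value is never spliced into the query text. The table and column names follow kdehead's snippet; the function names and the sample rows are constructed here, and an in-memory SQLite database is used so it runs offline.

```php
<?php
// Added example (not kdehead's code): hardened version of the
// "guard the DELETE" pattern using PDO prepared statements.
declare(strict_types=1);

// Constructed fixture: in-memory SQLite with the table from the thread.
function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Customers (CustomerIndex INTEGER PRIMARY KEY, Name TEXT)');
    $db->exec("INSERT INTO Customers (CustomerIndex, Name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
    return $db;
}

/**
 * Delete one customer row and return how many rows were removed.
 * A blank, non-numeric or non-positive $custindex is rejected before any
 * SQL is built, so neither an empty WHERE clause nor injected SQL can
 * reach the database.
 */
function deleteCustomer(PDO $db, $custindex): int
{
    // FILTER_VALIDATE_INT returns false for '', '1 OR 1=1', '1; DROP ...'
    // and for 0 or negatives because of min_range.
    $id = filter_var($custindex, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('CustomerIndex must be a positive integer');
    }

    // The placeholder is bound as data, never interpolated into the query text.
    $stmt = $db->prepare('DELETE FROM Customers WHERE CustomerIndex = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$db = setupDb();

// Constructed inputs: one legitimate id, one blank, two hostile strings.
foreach (['2', '', '1 OR 1=1', '1; DROP TABLE Customers'] as $input) {
    try {
        $n = deleteCustomer($db, $input);
        printf("%-28s -> deleted %d row(s)\n", var_export($input, true), $n);
    } catch (InvalidArgumentException $e) {
        printf("%-28s -> rejected: %s\n", var_export($input, true), $e->getMessage());
    }
}

// Only the row with CustomerIndex 2 is gone; the other two survive.
$remaining = $db->query('SELECT COUNT(*) FROM Customers')->fetchColumn();
echo "remaining rows: {$remaining}\n";
```

The validation step is what makes the blank-variable check redundant: an empty string never produces a query at all. The prepared statement is the second layer, so that even an input the validator let through would be compared as a value rather than executed as SQL.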
- pyrolupus, on 10/12/2007, -0/+0: I was ambiguous, sorry: I meant that I love both PHP and ASP.Net
- inactive, on 10/12/2007, -2/+2: >ASP.NET is the way forward
Sure, and how do we do that on our large enterprise class Sun boxes? Or our HPUX servers, or our departmental linux boxes?
Oh that's right, you think the world revolves around your little peecee.
- nouse66, on 10/12/2007, -0/+0: who the hell uses the exec() function in a web-app anyway? I can understand using it in a shell script type of environment...but on the web? why???
- pyrolupus, on 10/12/2007, -0/+0: ASP.Net does run on Linux (http://www.mono-project.com/Main_Page). I actually use--and love--both.
- MindTrigger, on 10/12/2007, -0/+0: @blitzenn
What you are speaking of is easy to understand. Basically a large portion of the geeks online believe that Microsoft is the Devil, and open source is their personal Jesus. And why shouldn't they think that? It's fun to be a rebel and "stick it to the man". It makes people feel special.
Personally, I don't give a rip. If something works, and works well, I will give it props. Back when I first needed to start adding real functionality to my websites, I had access to Coldfusion. Other than being a pro working with HTML and the other web standards, I had never done any "coding". I was already using a bunch of other Macromedia products, so it made sense. It was quick to learn, powerful, fast and did (still does) what I needed it to do. If you hear me make fun of PHP, ASP.net or anything else, it will only be to get a rise out of the e-penis throwing dorks around here.
- wazoo, on 10/12/2007, -2/+1: why would I use something that works on 1 platform. and how did this become a debate about which language to use. no one cares, use whatever you like.
- wazoo, on 10/12/2007, -1/+0: er I was speaking about asp.net, forgot the @mcarolan
- kderby2000, on 10/12/2007, -1/+0: ColdFusion runs on a variety of platforms, as well.
- clevershark, on 10/12/2007, -2/+1: >ASP.NET is the way forward<
Very funny! Do you do children's parties?
- MindTrigger, on 10/12/2007, -2/+0: @Ghazi
You so beat me to it. I saw that headline on my Google customized feed page and I was like..
"blunder #1 is using PHP in the first place" lol
- inactive, on 10/12/2007, -4/+1: "USING PHP IN THE FIRST PLACE"
Ahaha..
- Mr.Scientist, on 10/12/2007, -3/+0: Site uses on-click ad popups.
- scanman20, on 10/12/2007, -5/+1: "why would I use something that works on 1 platform."
Um, you can use PHP on Windows and Linux.
- MonsterMonster, on 10/12/2007, -6/+0: "True, PHP does suck. But cf sucks even more. ASP.NET is the way forward"
touché
- mcarolan, on 10/12/2007, -7/+0: True, PHP does suck. But cf sucks even more. ASP.NET is the way forward
- inactive, on 10/12/2007, -10/+0: And the #1 PHP security blunder:
USING PHP IN THE FIRST PLACE
Thanks folks. I'll be here all week. Enjoy the lobster.