PHP - security etc

Andy Armstrong andy at
Wed Mar 7 13:54:10 GMT 2007

On 7 Mar 2007, at 13:34, Andrew Black wrote:
> I do recall that certain PHP based applications have a bad security
> reputation, but is this an aspect of the application or of PHP (or  
> a bit
> of both),

To be fair to PHP (I suppose one must) it's in part to do with its  
popularity. Most of the attacks on PHP sites are the result of  
automated scans looking for code with known vulnerabilities. It's  
pretty fruitful to look for a vuln in, say, Wordpress, because then  
you can just hit all the zillions of WP sites.

PHP does also make it easy for people who don't really know what  
they're doing to write working web apps. I regularly see, for  
example, glaring SQL injection vulnerabilities in naively written  
PHP. Again that's not entirely the fault of the language: it's an  
artifact of its ease of use.

Thirdly the PHP team have historically had a rather cavalier attitude  
to security. They've implemented a number of mechanisms (register  
globals, URL wrappers for fopen et al, etc) that have favoured ease  
of use over security.

Andy Armstrong,

More information about the mailing list