PHP - security etc
Andy Armstrong
andy at hexten.net
Wed Mar 7 13:54:10 GMT 2007
On 7 Mar 2007, at 13:34, Andrew Black wrote:
> I do recall that certain PHP based applications have a bad security
> reputation, but is this an aspect of the application or of PHP (or
> a bit of both),
To be fair to PHP (I suppose one must) it's in part to do with its
popularity. Most of the attacks on PHP sites are the result of
automated scans looking for code with known vulnerabilities. It's
pretty fruitful to look for a vuln in, say, WordPress, because then
you can just hit all the zillions of WP sites.
PHP does also make it easy for people who don't really know what
they're doing to write working web apps. I regularly see, for
example, glaring SQL injection vulnerabilities in naively written
PHP. Again that's not entirely the fault of the language: it's an
artifact of its ease of use.
Thirdly the PHP team have historically had a rather cavalier attitude
to security. They've implemented a number of mechanisms (register
globals, URL wrappers for fopen et al, etc) that have favoured ease
of use over security.
--
Andy Armstrong, hexten.net
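The three hazards Andy names (SQL injection in naively written code, register_globals, and the URL wrappers behind fopen/include) are easy to show side by side in a few lines. What follows is an added example written for this archive page, not code from the post or from any PHP project: the users table, the sample rows, the probe string and the page allow-list are all constructed for illustration, and the `isAdminRequest` check is a stand-in for whatever a real application would do.

```php
<?php
// Added example, not code from the london.pm post or from any PHP project.
// It shows the naive SQL-injection pattern the post refers to beside a
// prepared-statement version, and the register_globals / include hazards
// beside their hardened forms. The table, the sample users and the
// allow-list of page names are constructed for this example.

declare(strict_types=1);

// In-memory SQLite via PDO so the example runs offline (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// Naive: the caller's string is spliced into the SQL text, so any quote
// characters in it are parsed as SQL. This is the pattern the post calls out.
function findUserNaive(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: the value is bound as a parameter and is never parsed as SQL.
function findUserSafe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$probe = "' OR '1'='1";                 // quote-breaking input, constructed as a test value
var_dump(findUserNaive($db, $probe));   // a row comes back: the WHERE clause was rewritten
var_dump(findUserSafe($db, $probe));    // NULL: no user is literally named "' OR '1'='1"

// register_globals: with it on, every request parameter became a PHP variable,
// so an uninitialised $isAdmin could be set from the query string. The fix is
// to initialise every variable and read input only from the superglobals
// (register_globals was removed in PHP 5.4; keep it Off on older builds).
function isAdminRequest(array $get): bool
{
    $isAdmin = false;                   // explicit default, never request-derived
    $user = $get['user'] ?? '';
    if ($user === 'admin') {            // assumed stand-in for a real session check
        $isAdmin = true;
    }
    return $isAdmin;
}

// URL wrappers: include($_GET['page']) with allow_url_include on would fetch
// and run whatever the parameter points at. Hardened: map the request onto a
// fixed allow-list and reject everything else, URLs included.
function resolvePage(string $requested): ?string
{
    $pages = ['home' => 'home.php', 'about' => 'about.php']; // constructed allow-list
    return $pages[$requested] ?? null;
}

var_dump(isAdminRequest(['isAdmin' => '1']));           // bool(false)
var_dump(resolvePage('http://example.invalid/page'));   // NULL
```

Run it with any PHP build that has the PDO SQLite driver. The point of the first pair is that the prepared statement fixes the query's shape before the input arrives, so the probe is compared as a literal username; the second and third pairs show that the two language features Andy mentions are only dangerous when code lets request data decide variable values or file paths.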