PHP - security etc

dakkar dakkar at
Wed Mar 7 14:02:51 GMT 2007

Andrew Black wrote:
> I have something of a bias against PHP and am trying to rationalise
> or correct this view.

I have a bias against PHP programmers ;-)

> I do recall that certain PHP based applications have a bad security 
> reputation, but is this an aspect of the application or of PHP (or a
> bit of both),

both, but mostly it's the applications' fault (the language and
integrated libraries have their share of problems, but far less that a
normal application).

> Is PHP more or less open to nastys such as SQL injection?

For a lot of time, people built their SQL queries without placeholders.
And did not escape user-supplied values before printing them out. So,
SQL Injection and XSS. Some PHP libraries *have* support for
placeholders, and most PHP templating systems *have* escaping filters. A
lot of people just don't use them...

	Dakkar - <Mobilis in mobile>
	GPG public key fingerprint = A071 E618 DD2C 5901 9574
	                             6FE2 40EA 9883 7519 3F88
	                    key id = 0x75193F88

More information about the mailing list