
Another PHP vulnerability?


Posted Jul 15, 2005 17:32 UTC (Fri) by ajross (subscriber, #4563)
In reply to: Another PHP vulnerability? by uravanbob
Parent article: Firefox marketing site hacked (News.com)

To be fair, I'm no PHP expert. Nonetheless, it seems to me that
other comparable languages (Perl, Python, Ruby) have not, in fact,
been the subject of the number (or severity) of security flaws that
have been exhibited by PHP over the past few years.

While it's certainly true that there are no silver bullets for
security, it is not a corollary that all software is equally secure.
In particular, some packages (like sendmail and wuftpd, which I
mentioned earlier) have had a history of such common and severe
security flaws that they have largely been dropped by the community in
favor of other implementations.

Basically, I was wondering aloud whether this point has been reached
by PHP. Feel free to prove me wrong, but also be open minded to the
other, potentially more secure options available.



Another PHP vulnerability?

Posted Jul 15, 2005 17:41 UTC (Fri) by MenTaLguY (subscriber, #21879) [Link]

Part of the problem is not technical differences, but simply that PHP culture doesn't appear to be very security-conscious compared to many other language cultures. So PHP is simply higher-risk as a result.

Another PHP vulnerability?

Posted Jul 15, 2005 17:48 UTC (Fri) by jwb (guest, #15467) [Link]

Yeah no kidding. For, oh, a decade there was no safe way to construct a SQL query in PHP. You could only build the query by concatenating strings and escaping special characters in tainted information. But this only works to a point, and isn't as secure as bound variables.

Also the way a URI query parameter overrides the PHP namespace is horrible.

Possibly, when PHP 5.1 is released, mysql and postgresql users will get bound parameters via the PDO. Maybe. When available. But not for other databases.

Note that I'm not even claiming that SQL injection is the main problem in PHP. The complete lack of scoping rules is the main problem.
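The two query-building styles jwb contrasts, as an added example that is not part of the thread: manual escaping into concatenated SQL, and PDO bound parameters. The in-memory SQLite table and its rows are constructed for the demo.

```php
<?php
// Added example, not from the LWN thread: the users table is constructed here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('o''brien', 'user')");

// Style 1: concatenate and escape. Doubling quotes protects a quoted string
// literal, so a name containing an apostrophe is handled correctly...
function findByNameConcat(PDO $pdo, string $name): array {
    $escaped = str_replace("'", "''", $name);   // the pre-PDO approach
    $sql = "SELECT name, role FROM users WHERE name = '$escaped'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// ...but the same escaping does nothing for an unquoted numeric field: the
// tainted $id is spliced into the statement as SQL text, not as a value.
// This is the "only works to a point" jwb describes; kept for contrast only.
function findByIdConcat(PDO $pdo, string $id): array {
    $escaped = str_replace("'", "''", $id);
    $sql = "SELECT name, role FROM users WHERE id = $escaped";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Style 2: bound parameters through PDO. The statement is parsed before the
// value is supplied, so the value cannot alter its structure, whatever the
// column type. Input is still validated so bad requests fail early.
function findByIdBound(PDO $pdo, string $id): array {
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT name, role FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

print_r(findByNameConcat($pdo, "o'brien"));   // one row; the apostrophe survives
print_r(findByIdBound($pdo, '1'));            // alice
try {
    findByIdBound($pdo, '1abc');              // rejected before any SQL is built
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```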

Another PHP vulnerability?

Posted Aug 8, 2005 21:36 UTC (Mon) by barrygould (guest, #4774) [Link]

Also the way a URI query parameter overrides the PHP namespace is horrible.

IIRC, this was fixed in PHP 4.1 (it is now a .ini file option, default is off).

Barry
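The scoping problem jwb and Barry refer to, as an added example that is not part of the thread: the php.ini directive in question is register_globals, which (when On) turned every request parameter into a global variable before the script ran. The demo credential is constructed.

```php
<?php
// Added example, not from the LWN thread. With register_globals = On, a
// request carrying ?authorized=1 created $authorized in global scope before
// the script executed, so code that only ever set the variable on the
// success path could be bypassed. The directive defaults to Off, as Barry
// notes, and was removed entirely in PHP 5.4.

// Startup guard for old interpreters: refuse to run with the directive on.
// ini_get() returns false where the directive no longer exists.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    die("register_globals must be Off\n");
}

// Fragile form, as it was commonly written at file scope:
//   if (password_ok($_POST)) { $authorized = true; }
//   if ($authorized) { admin_page(); }
// Nothing ever sets $authorized to false, so an injected global survives.

// Hardened form: initialise every state variable, read input only from the
// superglobals, and keep the logic in a function so request data cannot
// shadow its locals at all.
const EXPECTED_PASS = 'hunter2';   // constructed credential for the demo only

function isAuthorized(array $post): bool {
    $authorized = false;                 // explicit default on every path
    $pass = (string) ($post['pass'] ?? '');   // explicit source, never a bare global
    if (hash_equals(EXPECTED_PASS, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

var_dump(isAuthorized(['pass' => 'hunter2']));      // bool(true)
var_dump(isAuthorized(['authorized' => '1']));      // bool(false): extra keys are ignored
```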

Another PHP vulnerability?

Posted Jul 15, 2005 18:55 UTC (Fri) by arcticwolf (guest, #8341) [Link]

Lots of bad things can and have been said about sendmail's security record, true, but it's still the most widely-used MTA by far, and even security-conscious projects like OpenBSD do include sendmail as the default MTA.

Just food for thought.

Another PHP vulnerability?

Posted Jul 15, 2005 19:28 UTC (Fri) by dlang (✭ supporter ✭, #313) [Link]

sendmail also went through a ground-up rewrite (version 8 IIRC) and has been pretty good since that point. It's a far cry from the bad old days of sendmail.

Another PHP vulnerability?

Posted Jul 16, 2005 1:15 UTC (Sat) by dberkholz (subscriber, #23346) [Link]

To be fair, I'm no PHP expert. Nonetheless, it seems to me that other comparable languages (Perl, Python, Ruby) have not, in fact, been the subject of the number (or severity) of security flaws that have been exhibited by PHP over the past few years.

Do you think that could be because of the relative popularity of various languages?

Another PHP vulnerability?

Posted Jul 17, 2005 4:18 UTC (Sun) by vonbrand (subscriber, #4458) [Link]

To be fair, I'm no PHP expert. Nonetheless, it seems to me that other comparable languages (Perl, Python, Ruby) have not, in fact, been the subject of the number (or severity) of security flaws that have been exhibited by PHP over the past few years.

I'm sure most of the exposure PHP security has gotten is just due to the fact that it is used on webservers, where it (by definition) is easily reachable, and security problems are rewarding to exploit. If webpages were instead written in FORTRAN, we'd be hearing about security vulnerabilities in that venerable dinosaur instead.

Another PHP vulnerability?

Posted Jul 19, 2005 10:19 UTC (Tue) by job (subscriber, #670) [Link]

Getting dangerously close to that old Windows vs. Linux argument now, aren't we? If you had tried other web development languages than PHP you would know for example how much more difficult it would be to exploit something with Perl in tainted mode than it is under PHP.

And all the criticism above about missing scopes and proper database routines is valid. PHP is in essence a clone of Perl 4 intermixed with HTML. A lot has happened with Perl since then. You might want to look at what Mason or Maypole do now. Ruby on Rails seems to be very hot right now; I don't really like it, but it is light years ahead of PHP architecturally.

No, there is no need to stick with PHP. Just leave it with sendmail 6 and bind 8 in the binary dustbin.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds