The state of PHP security
Posted Dec 21, 2006 4:00 UTC (Thu) by elanthis
Parent article: The state of PHP security
There are a few things PHP could do to improve security. Some of these are internal engine and module improvements (to avoid vulnerabilities in the C code), and some have to do with glaring problems in the language itself. Most of those have to do with much better automatic escaping.
(1) Register globals and magic quotes are still available. Completely remove them. I still see fresh code written today that depends on both as well as on PHP5 features.
(2) Database usage is still hell, because you are expected to manually quote every input variable. This should be automatic. MDB2 explicitly removed the support for place-holders that PEAR::DB had (it can be added back in by asking for the "extension module"), and PDO also lacks these. The whole notion of forming SQL queries by concatenating strings and variables has to go.
(3) Scripting bugs are still way too common because PHP doesn't escape output by default. You have to explicitly do a call to htmlentities() on just about every echo statement or <?= construct. Compare this to the popular Smarty template system for PHP, which by default escapes all variable output, and you must instead explicitly mark output as being HTML safe if you don't want the escaping.
(4) For those shell escapes, which are common when doing web apps that integrate with various system bits, there's still no easy way to call a shell script without manually escaping all the input. Something that takes a list of arguments, instead of a string representing a command line, should be the default - perhaps _only_ - way of invoking other commands.
I've been working with PHP for some 7 years now, and it boggles my mind that these four issues are still not resolved. It's insulting, but my only conclusion is that the PHP designers are a bunch of security-clueless idiots who don't know how to design a language.
Don't even get me started on how the standard API is inconsistent, difficult to remember, and often surprising.
The only reason I'd tell people to stick with PHP is that there are no other mainstream, regularly-available web scripting languages that are any better. The few that exist just aren't available on most web hosts.
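Points (2), (3) and (4) of the comment above, worked through in code. This is an added example, not part of elanthis's comment and not code from the PHP project; it assumes PHP 7.4 or later with the pdo_sqlite extension, and the helper names findUser, SafeHtml, e() and runCommand are this example's own. Each helper pairs the habit the comment asks for (placeholders, escape-by-default output, argument-list process invocation) with a comment naming the string-building form it replaces.

```php
<?php
// Added example, not from the original comment or from PHP itself.
// Assumes PHP >= 7.4 with pdo_sqlite; all sample data below is constructed.
declare(strict_types=1);

// (2) SQL: bind every value through a placeholder instead of concatenating.
function findUser(PDO $db, string $name): array
{
    // The form the comment objects to, shown only for contrast:
    //   $db->query("SELECT id, name FROM users WHERE name = '$name'");
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);   // value travels separately from the SQL text
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// (3) Output: escape by default; opting out requires an explicit wrapper type,
// the inverse of PHP's echo/<?= behaviour described in the comment.
final class SafeHtml
{
    private string $html;
    public function __construct(string $html) { $this->html = $html; }
    public function html(): string { return $this->html; }
}

function e($value): string
{
    if ($value instanceof SafeHtml) {
        return $value->html();            // caller has explicitly marked this as trusted
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// (4) Processes: pass an argument list, not a command-line string.
function runCommand(array $argv): array
{
    // Since PHP 7.4 proc_open() accepts an array and then bypasses the shell,
    // so no escapeshellarg() dance is needed and metacharacters stay literal.
    $spec  = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $pipes = [];
    $proc  = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['status' => proc_close($proc), 'stdout' => $out, 'stderr' => $err];
}

// Demo with constructed data.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (name) VALUES (:name)');
foreach (['alice', 'bob'] as $n) {
    $ins->execute([':name' => $n]);
}

// A classic tautology payload is looked up as an ordinary, literal name.
$hostile = "alice' OR '1'='1";
echo 'rows for hostile input: ', count(findUser($db, $hostile)), "\n";
echo 'rows for alice:         ', count(findUser($db, 'alice')), "\n";

// Untrusted input is entity-encoded; only the wrapped value passes through raw.
echo e('<script>alert(1)</script>'), "\n";
echo e(new SafeHtml('<b>trusted markup</b>')), "\n";

// Shell metacharacters reach echo as one literal argument, never evaluated.
$result = runCommand(['echo', '$(id); rm -rf /']);
echo $result['stdout'];
```

Run it with `php example.php`. The hostile lookup returns zero rows, the script tag comes back encoded while the SafeHtml value does not, and the final line prints the metacharacters verbatim because no shell ever saw them.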