The state of PHP security
Posted Dec 22, 2006 8:43 UTC (Fri) by trickie
Parent article: The state of PHP security
The problem is not that PHP 'encourages' bad security, but that there is a large body of PHP code out there that still have security mistakes everywhere, and those mistakes were introduced long ago. Most of the PHP code publicly available is for version 4, which is not taking advantage of alot of the work done recently to encourage best security practice.
If you are using the latest version of PHP (5.2.0) alot of the early config options and language *features* that can cause security issues, are gone, or set to a nicer default.
Things like PDO (with proper prepared statements, with emulation for rdbms that do not support them natively), the filter extension, and new differentiating between including remote files for execution and just opening remote files, provide an experienced developer with alot of tools to help secure their application.
Of course PHP is still easy to use, and there are still going to be alot of people who have no proper software engineering experience using it, with or without regard to security. Its a progamming langauage. You do with it what you want. I mean i can make the same data filtering mistakes some people make with perl, python or any other langauge.
Too bad Stefan is gone, his contributions to PHP were enormous. Thanks for your time Stefan.
to post comments)