Is PHP Insecure? Hell No!

Sunday, May 6th, 2007 at 10:15 am


It's quite common to hear PHP described as “insecure”, particularly among developers who choose not to use it. However, this bad light has been cast on PHP by its own users, not by the language. Let me explain.

PHP In The Name

There is an obsession among users of this language with putting its name inside software titles. Let me give you a few examples.

  • phpNuke
  • phpMyAdmin
  • phpBB
  • phpWebSite
  • phpSurveyor


I think you get the picture. With other languages this is generally not the case: you rarely see rorNuke or perlWebSite. The reason this is a problem is that whenever there is a bug in one of these applications, it is automatically associated with PHP. phpNuke in particular has a steady stream of vulnerabilities, and the bad press rubs off onto the PHP project. Those bugs have nothing to do with the PHP interpreter; they are purely bad code written by the application's developers.

Too Easy To Learn

PHP has opened the door to many more developers and has made it relatively easy to get started with web programming. Because so little knowledge is needed to get a quick site up with PHP, developers who are still learning end up releasing insecure code. This in itself is not a problem, as everyone has to learn at some point. The problem comes when they market it with PHP in the name (as described above).

PHP It Works!

Because it is easy to use, many discussion forums are filled with people asking why their PHP sites got haxored, and of course PHP usually gets the blame. All this does is fill Google with “PHP Hacked” results. This is a real shame, as PHP is one of the best interpreted languages out there. If we can slowly wean developers away from the phpMyProjectName idea, then perhaps PHP will start to shine through even more… Phew, all this licking PHP’s arse is making me thirsty.

Further Security

Your system is only as secure as its weakest point, and in practice that point is usually the application code rather than the interpreter. If you're running a LAMP stack on your own, there are always ways you could improve its security. It is just as important that your code is as secure as it can be. The links below will help you secure your code and your LAMP setup.





The Author

This post was written by Woolie who has lovingly made 101 other posts for Woolie’s World.

Post Information

Filed Under: Uncategorized, Web Development


There are 20 Comments

Ben Nightingale

May 7th, 2007 at 7:46 pm

so, summary phpNuke phpBB are all written by babies,
php GOOD, babies BAD.

PHPDeveloper.org

May 7th, 2007 at 9:13 pm

Glen Wooldrige’s Blog: Is PHP Insecure? Hell No!…

Alastair Pearce

May 7th, 2007 at 9:47 pm

Your comment makes as much sense as…

Woolie

May 7th, 2007 at 9:50 pm

It's a trackback, an automatic notification from a site that has linked to you, usually from a blog.

The reason it looks fucked is because I couldn’t be bothered to style them in this version, but over the holidays I’m going to get stuck into the next one which should be as good as Johnny’s mum.

[...] has pointed out an interesting article written up by Glen “Woolie” Wooldrige titled Is PHP Insecure? Hell No! Its quite a common occurrence to hear that PHP has been described as “Insecure”. You [...]

Daniel

May 8th, 2007 at 12:00 am

Though I totally agree with you that it's more a question of popularity among stupid and/or inexperienced users, php is one of the ugliest and inconsequently developed “languages” there is. It's a scripting language made for quick hacks. That's why there are all those f*ckd up method names in one core namespace. Due to its boost of popularity it got pushed to spheres where it shouldn't be.

Elmer

May 8th, 2007 at 9:00 am

It’s “out there”, not “out their”. Put knot yore trust in spel chequers.
To Daniel: you completely missed the point. Inconsistent function names and no namespaces have nothing to do with the alleged insecurity of php. You slashdotters will keep pointing it up like it was of any relevance.
gah, I’m angry this morning.

Woolie

May 8th, 2007 at 9:54 am

Daniel: Perhaps in the first few versions there were some inconsistencies, as originally PHP was not created as a language. However, in the latest version (PHP5) I feel that everything has been ironed out and it is now sailing quite happily. Of course you are entitled to your opinion, but perhaps you should give it another try?

Elmer: Thanks for noticing that, I have rectified the error. Perhaps you should lay off the coffee?

Elmer

May 8th, 2007 at 1:44 pm

Thanks for the advice, I’ll try to switch to tea.
Gregory Szorc (I’m not him, I’m just an anonymous coward) pointed out recently http://blog.case.edu/gps10/2007/04/29/so_many_untapped_php_features that there are about 10 percent php5-ready servers, and suggested there are probably about as many people using php5 features.
And take a look at php6 (still in early development) - they throw away register_globals, magic quotes etc. Honestly I think this is going to make it a niche language (even more compared to php5), because most of those crappy php* apps just won’t work without a complete rewrite.
I just wonder where all these low-skill developers will go.
They will probably still use php4 on old servers, and fill the google results with “php sucks” statements :)

Woolie

May 8th, 2007 at 10:53 pm

Ah, they’re finally ditching register_globals. It's about time. I’m surprised they left it in PHP5. Backward compatibility I suppose.

I haven’t looked much into PHP6 yet, I’ve only heard Rasmus talk about it a little in a podcast. I should go take a look.

Spoon

May 9th, 2007 at 10:09 am

I totally agree with your article, and by the way; the PHP-license doesn't allow you to name your projects with “PHP” in its name, without a written permission from the PHP-team;

3. The name “PHP” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact group@php.net.

Woolie

May 9th, 2007 at 11:08 am

That's interesting, I didn’t know that. However, I have heard that that only applies to commercial software created with PHP.

Ben Nightingale

May 9th, 2007 at 8:57 pm

phpNon-Commercial_Sports is still legal then?

i like how you have got a lot of ‘outsiders’ commenting….

Woolie

May 9th, 2007 at 9:06 pm

Yea there’s been a bit of hype over this article. Have a look at the links below.

Coder

June 28th, 2007 at 8:19 pm

Very interesting and also entertaining article.

PHP is a very easy language to learn.

I'm also a Coder

July 3rd, 2007 at 1:20 pm

We request Woolie’s return!

mongoose643

July 31st, 2007 at 5:23 pm

That’s a very good point. I have noticed in my own code how I have come from writing insanely insecure and buggy code to writing very clean, secure, and scalable code. Of course, for anyone, there is room to grow in that aspect. As for getting rid of all those ‘fix this noob's code’ methods, it will probably help to weed out a good many of the buggy programs and the coders that shouldn’t be coders. Although, I have to say if it weren’t for PHP, I wouldn’t be a programmer at all considering I learned using PHP - but I never did make use of register_globals or magic_quotes. I followed the advice I found on forums that said to turn them off and handle that sort of thing on my own. This really helped when going from server to server by making sure that I wasn’t relying on how someone else decided to set up the server.
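The two settings Elmer and mongoose643 mention, register_globals and magic_quotes_gpc, are exactly the kind of thing that turned “bad PHP code” into “PHP is insecure”. As an added example, not code from the original post or from any commenter, here is the classic misuse of each beside a version that is safe regardless of how the server's php.ini is set. The users table, its rows and the request arrays are constructed test data; extract() is used to emulate register_globals on an interpreter that no longer has it, and the SQL part assumes the pdo_sqlite extension is available.

```php
<?php
// Added example (not from the original post or its comments). Each of the
// two habits bred by register_globals and magic_quotes_gpc is shown beside
// code that behaves correctly whatever php.ini says. Table, rows and
// request arrays below are constructed test data.
declare(strict_types=1);

// --- 1. register_globals ---------------------------------------------
// register_globals=On turned every request parameter into a PHP variable
// before the script ran. extract() over the request array does the same
// thing, so it stands in for the setting here.

// Vulnerable: $authorized is only ever set on success and never
// initialised, so a request that carries authorized=1 arrives "logged in".
function isAdminVulnerable(array $request, bool $passwordOk): bool
{
    extract($request);                 // what register_globals did for you
    if ($passwordOk) {
        $authorized = true;
    }
    return !empty($authorized);        // request data can satisfy this
}

// Hardened: default-deny by initialising first, and never let request
// keys become variables; read input from $_GET/$_POST explicitly instead.
function isAdminHardened(array $request, bool $passwordOk): bool
{
    $authorized = false;               // input cannot pre-set this
    if ($passwordOk) {
        $authorized = true;
    }
    return $authorized;
}

// --- 2. magic_quotes_gpc ---------------------------------------------
// magic_quotes_gpc=On backslash-escaped quotes in all input, and code
// then interpolated that input straight into SQL. That only "worked" on
// servers where the setting happened to be on.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');  // assumes pdo_sqlite is installed
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT, role TEXT)');
    $db->exec("INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user')");
    return $db;
}

// Vulnerable: trusts whatever escaping the server may or may not have done.
function findUserVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: undo magic quotes where an old interpreter applied them, then
// let a prepared statement keep data and SQL apart on any configuration.
function normaliseInput(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value); // PHP < 5.4 only: strip server escaping
    }
    return $value;
}

function findUserHardened(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => normaliseInput($name)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- demonstration ----------------------------------------------------
$forged = ['authorized' => '1'];      // constructed request: bad password, forged flag
echo 'vulnerable admin check: ', var_export(isAdminVulnerable($forged, false), true), PHP_EOL;
echo 'hardened   admin check: ', var_export(isAdminHardened($forged, false), true), PHP_EOL;

$db = openDb();
$input = "x' OR '1'='1";              // constructed input: breaks out of the quoted literal
echo 'vulnerable lookup rows: ', count(findUserVulnerable($db, $input)), PHP_EOL;
echo 'hardened   lookup rows: ', count(findUserHardened($db, $input)), PHP_EOL;
```

Run it with `php example.php`. The vulnerable admin check passes on the forged request and the vulnerable lookup returns every row, while both hardened functions behave the same on every PHP version and php.ini, which is the point mongoose643 makes about not relying on how someone else set up the server.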

Ben Nightingale

January 25th, 2008 at 9:52 am


Hell No!

Ben Nightingale

January 25th, 2008 at 9:53 am

why's the time not my time? needs to be adjusted to -1hr!

Christopher

November 6th, 2008 at 3:08 am

Hmm … even this happens.
