
PHP is as secure as any other major language - ayi
https://www.acquia.com/resources/podcasts/acquia-podcast-119-greatest-hits-2013-69-php-security-anthony-ferrara
======
programminggeek
I think there is a subtle, but important thing that the author is missing
because, while objectively, PHP as a Turing-complete language (I believe) you
can write basically anything in PHP both good or bad, there is the question of
what the language/framework/tools/community allows for or encourages.

In the earlier days of PHP, it was incredibly common to build SQL via strings
and nobody thought too much about it. Over time things have evolved and a
million little frameworks have sprouted up and it's less of a problem, but
that doesn't mean that PHP doesn't have a terrible history behind it of a
community not knowing or caring as much about security as they should.

Then, there is the fact that php files just sit on the server and can be
executed arbitrarily by just navigating to that file. That is a real security
problem in the case that someone is able to upload a php file to a machine.
Yes, I know a lot of frameworks make this harder to do now, but by default
apache/php lets you do this and you could argue it's one of the real strengths
of PHP (ease of deployment).

Last, because PHP is the biggest language it is the biggest target, which
means that writing secure code is that much more important. So many PHP
projects are open source, so if a vulnerability is found and you don't upgrade
your Wordpress or Drupal or Joomla or Magento or phpBB or whatever else app
you are running, your site is very likely to be compromised just because you
aren't staying up to date with updates, and A LOT of people don't update their
software, systems, or packages like they should.

So, PHP from a purely objective standpoint might be as secure as anything
else, but the human factors surrounding PHP make it a lot worse in my opinion
than other languages/platforms/frameworks from a security standpoint.
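The "uploaded .php file gets executed by just navigating to it" risk above has a well-known mitigation on the application side. The following is an added PHP 7+ example, not code from the thread or from any of the commenters: an upload handler that checks the file's real bytes rather than its name, gives it a random name with a fixed non-executable extension, and stores it in a directory assumed to sit outside the web root so Apache/mod_php never sees it as a script. The 1x1 GIF and the fake image are constructed demo inputs; the directory name and the `store_upload()` function are this example's own.

```php
<?php
// Added example, not from the thread. Assumptions: uploads are meant to be
// images only, and $storeDir is a directory OUTSIDE the web root, so nothing
// stored there can be reached by URL and run by mod_php.
declare(strict_types=1);

const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

function store_upload(string $tmpPath, string $clientName, string $storeDir): string
{
    // 1. The extension comes from the client and is untrusted; it is only
    //    used to look up which content type the bytes must match.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension not allowed: $ext");
    }
    // 2. Check the actual bytes, not the client-supplied Content-Type header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content does not match extension: $mime");
    }
    // 3. Never reuse the client filename: random name, fixed safe extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storeDir, '/') . '/' . $name;
    // In a real request handler use move_uploaded_file() here, which also
    // verifies that $tmpPath really is this request's uploaded file.
    if (!rename($tmpPath, $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the app, not executable by anyone
    return $name;
}

// --- constructed demo inputs (run from the CLI, not a web request) ---
$storeDir = sys_get_temp_dir() . '/uploads-demo';
@mkdir($storeDir, 0750, true);

// A minimal valid 1x1 GIF, so finfo reports image/gif.
$gif = base64_decode('R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, $gif);
echo "stored as: ", store_upload($tmp, 'avatar.gif', $storeDir), "\n";

// A PHP script renamed to look like an image: extension passes, bytes do not.
$tmp2 = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp2, "<?php echo 'hi';");
try {
    store_upload($tmp2, 'picture.png', $storeDir);
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
unlink($tmp2);
```

Serving the stored files back should go through a script that reads from `$storeDir` and sets the Content-Type itself; the point of the out-of-web-root directory is that no URL maps onto the uploaded bytes, so even a file that slipped past the checks is data to the server, never code.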

~~~
ceejayoz
I frankly wonder how much of PHP's poor reputation is directly related to the
high Google PageRank of W3Schools and their awful PHP/MySQL tutorials.

~~~
wil421
I had a teacher who recommended W3Schools to her students, she thought they
were related to W3C and she was shocked to learn they weren't.

~~~
gabordemooij
W3Schools actually has some nice content. Of course they tried to lure traffic
with the name confusion but I really think their content is useful for people
wanting to learn basic HTML or Javascript (or PHP).

~~~
ceejayoz
Anyone learning basics from W3Schools is likely going to have to unlearn the
bad practices they learned there. Their PHP/MySQL tutorials teach _bad_
coding.

------
pessimizer
Backed up by:

1) You can write insecure code in any language, and

2) Platforms written in other languages have security vulnerabilities.

_When your argument in defense of a computer language can be applied to every
single computer language ever invented without any changes, it's a sign that
it's not really an argument._

Here's my argument about how I'm as good at ping-pong as everyone else:

1) Other people can play ping-pong badly.

2) Other people have lost ping-pong matches.

~~~
j45
The people who the software is for, end users, rarely care which
language/framework things are written in.

We as developers can get too focussed on optimizing and making our own lives
easier and the net output to the end-user is relatively the same.

This does not mean to ignore what's out there that's new, but if you see a
platform re-inventing features and libraries that have existed already for
years in other platforms, you might be in for a few years of patching together
things.

~~~
pessimizer
Is this in reply to my comment, or just a series of random assertions?

~~~
j45
In support and agreement with your assertions :)

------
draginator
> PHP is as secure as any other major language

Well this is patently false. You can find a significant difference in the
vulnerabilities found with the PHP interpreter and core libraries than you find
with other languages.

It's not just that people program badly with it, it's a badly programmed
language that sets users up to fail and even when they do program securely PHP
itself is insecure.

Let's see how PHP compares....

PHP (348): [http://www.cvedetails.com/product/128/PHP-PHP.html?vendor_id...](http://www.cvedetails.com/product/128/PHP-PHP.html?vendor_id=74)

Python (17): [http://www.cvedetails.com/product/18230/Python-Python.html?v...](http://www.cvedetails.com/product/18230/Python-Python.html?vendor_id=10210) and also (20): [http://www.cvedetails.com/product/2147/Python-Software-Found...](http://www.cvedetails.com/product/2147/Python-Software-Foundation-Python.html?vendor_id=1238)

Perl (20): [http://www.cvedetails.com/vendor/1885/Perl.html](http://www.cvedetails.com/vendor/1885/Perl.html)

Ruby (42): [http://www.cvedetails.com/product/12215/Ruby-lang-Ruby.html?...](http://www.cvedetails.com/product/12215/Ruby-lang-Ruby.html?vendor_id=7252)

And so on and so forth. The only thing that rivals it is Java.

------
orf
I work with a group of penetration testers (who audit the security of
websites, ranging from top 100 sites to smallish ones), we find a lot more
issues with PHP sites than any other. .NET sites are often the most secure.

That being said, I once tested an ancient Java web app that recommended you use
IE 5.5 (for the latest features). The people who made it decided it would be a
good idea for the site to send the _database credentials_ to the _browser_,
which would then send them when requesting data. I facepalmed pretty hard.

~~~
gabordemooij
That still does not mean the language itself is insecure. In my opinion this
rather indicates the developers responsible for building those vulnerable
sites lack some knowledge about proper web security.

~~~
abjorn
I believe that was more or less the point he was making - regardless of the
language or platform, developers without proper understanding can and will make
security mistakes.

~~~
michaelfdeberry
I agree, I think the problem is more so with developers that don't have a
proper understanding and with what comes out of the box.

Microsoft provides a lot of security features that are baked into asp.net
that are pretty trivial to enable. From what little I know about php I
am not sure the same can be said. I believe that would make a bigger
difference about the perceived security of a platform.

------
SilkRoadie
I would be surprised if this is a revelation to many people. PHP itself has
been pretty solid for a while.

PHP had a bad rap for a good reason. It deserves it. Looking past the various
naming inconsistencies etc, `register_globals` was a terrible idea. Then
`magic_quotes` was hardly much better. Not to mention the numerous "tutorial
websites" who ignore security altogether with their advice.

In recent years PHP has improved drastically. Unfortunately the stigma around
previous versions has persisted, with many people ill informed about what modern
PHP looks like.

~~~
einhverfr
I think the fundamental question is how easy it is to shoot yourself in the
foot without having any clue as to what you are doing wrong. Comparing PHP to
C is somewhat of a bad comparison since C is famous for security gotchas. If
you are comparing PHP to C security-wise.... What's the comparison? All the
security of C with all the performance of a scripting language?

Now, the core language in PHP is a lot better than it used to be but in the
extensions you still see all kinds of braindead behavior like implicit (yet
both global and anonymous) database connections and the like. Since so much of
PHP is in extension-land this is somewhat troubling.

------
thirdsight
Probably contrary to common belief here but the headline is correct IMHO.

However this is because web programming as a whole is a crock from top to
bottom. PHP doesn't really add or subtract from that other than lowering the
barrier to entry with respect to compromising your server through stupid
architectural or coding decisions.

If we wrote our web pages in C, it'd be just as bad. Rails has a terrible
history of vulnerabilities. Many times I've seen injection attacks in audited
Java and C# applications.

Everything can be a turd in the wrong hands.

~~~
mschuster91
In contrast, I'd say a pure-C web page would be way easier to open to attacks
than a PHP one.

String copy issues (termination), buffer/array overflows, machine-code (R)CE
vulnerabilities... an endless list of stuff which the PHP runtime actually
protects a novice from.

~~~
cleverjake
And a webpage written in assembly would be even more likely to be able to be
attacked. It's a silly argument. No one is saying consider C for your next
website.

~~~
thirdsight
Actually I am considering C. It's pretty easy to write a CGI that Apache can
call. Process startup is pretty cheap on UNIX and it's secure if you suexec,
chroot it and know how to write C code that isn't full of holes.

[http://undeadly.org/](http://undeadly.org/) is written in C. Source: [http://undeadly.org/undeadly-src.tar.gz](http://undeadly.org/undeadly-src.tar.gz)

~~~
jorgecastillo
Wow! I didn't know that, I've always thought it was written in Perl.

------
nikic
Some languages make writing secure code easier than others. When it comes to
web-related code of semi-good programmers, I'd conjecture that the amount of
vulnerabilities is directly proportional to the amount of magic involved.
Early PHP had lots of magic - things like register globals or magic quotes. By
now no sane developer uses those things anymore (well, and they were removed).
The plethora of recent Rails vulnerabilities was also caused by various
magical behavior, especially in parameter parsing. (Actually, I'd expect
modern Rails code to have more vulnerabilities than modern PHP code, because
they still have a lot more magic involved.)

------
btilly
The headline is false. As repeated problems like [https://www.idontplaydarts.com/2010/07/mongodb-is-vulnerable...](https://www.idontplaydarts.com/2010/07/mongodb-is-vulnerable-to-sql-injection-in-php-at-least/) demonstrate, PHP is routinely vulnerable to
security problems that other languages are not.

The reasons are a combination of things. The language tries to volunteer to do
too much for you by default. The environment it is run in tries to do too much
for you by default. The past defaults were even worse. A lot of available
software in PHP was written with no attention to security, and it still shows.
And it has attracted a community that fails to recognize these things as
problems.

Yes, in theory you can write PHP and make it as secure as anything else. In
practice it doesn't happen that way. And until PHP developers stop patting
themselves on the back and assuring themselves that they are really OK, they
will continue to have big problems.

~~~
ayi
If you blindly trust user-generated data and use it as a database connection
credential or in a SQL string, I do not think this is a problem of PHP.

If you don't use prepared statements with PDO, I still don't see this as PHP's
problem. This is an unqualified programmer problem.

Refer to:
[http://www.phptherightway.com/#databases](http://www.phptherightway.com/#databases)
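For readers who have not seen the difference in practice, here is an added PHP 7+ example (not from the thread or from any commenter) of the two styles this post and SilkRoadie's `magic_quotes` remark are about: building the SQL text from the input, versus a PDO prepared statement where the value travels separately as a parameter. It uses an in-memory SQLite database so it runs offline; the table, the rows and the input `O'Brien` are constructed for the demo, and the two `find_user_*` functions are this example's own names.

```php
<?php
// Added example, not from the thread. In-memory SQLite keeps it self-contained;
// the prepared-statement pattern is the same for MySQL/PostgreSQL DSNs.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// The string-building style the thread complains about (and that magic_quotes
// tried to paper over): the value becomes part of the SQL text, so its
// characters change the meaning of the statement.
function find_user_concat(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL text is fixed at prepare time; the value is
// bound as data and is never parsed as part of the statement.
function find_user_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: a perfectly legitimate name containing an apostrophe.
$input = "O'Brien";

print_r(find_user_prepared($db, $input)); // finds the O'Brien row

try {
    print_r(find_user_concat($db, $input));
} catch (PDOException $e) {
    // The apostrophe ends the SQL string literal early. Here that surfaces as
    // a syntax error; the same mechanism is what an injection relies on.
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}
```

The useful thing to notice is that the prepared version needs no escaping logic at all: there is no character the caller can pass in `$name` that reaches the SQL parser, which is exactly why it is the recommendation in the PHP: The Right Way link above.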

~~~
btilly
You don't get it.

In the case of MongoDB, a system that was designed to make SQL injection
attacks a non-issue, in which they were a non-issue in other languages, were
noticed several years later to suffer from SQL injection attacks in PHP and
PHP only.

The cause is that the language, behind programmers' backs, could let users
supply a data structure where it looked like you'd only get a string. And
would only have had a string in other languages.

PHP is not the only language with problems like this. For example Ruby on
Rails about a year ago had a series of bugs that were due to a similar design
flaw. But this type of mistake has, for years, been more common in PHP than in
any other programming environment. And PHP programmers like you who think that
they can just follow a couple of well-known guidelines for databases and be
safe, who fail to understand when you are told directly that the problems are
bigger, are a big part of why PHP continues to have these problems.

~~~
stephenr
No I think YOU don't get it.

Anything sent to a web app via HTTP is user generated content. You can't
assume it is ANYTHING.

~~~
btilly
The point is that if you build a data structure for MongoDB in any language
other than PHP, and just include the user parameter where it belongs, the only
thing that the user can supply there is a string and it is easy to verify that
there is no possible security problem. MongoDB's APIs were designed around
this fact as an easy way to avoid the possibility of SQL injection type
attacks.

In PHP the exact same approach turned out to be a security hole because if the
user supplies the right input you get a data structure that is meaningful to
MongoDB.

As you say, you shouldn't assume anything about user generated content. But
PHP's willingness to parse that input and turn it into something the
programmer didn't expect to see often means that user generated content is
harder to deal with in that language than you should reasonably expect it to
be.

~~~
stephenr
Seriously how hard is it to call filter_var() or even is_string() to ensure
it's a string?

~~~
btilly
It is impossible if you don't know you have to.

For several years if you followed the examples in the MongoDB docs, you
wouldn't have known you had to, because the people who wrote those docs didn't
know you did either.

~~~
stephenr
So not understanding the language you are writing an extension for is more
acceptable to you than allowing a basic but useful way to accept semi-
structured data in http requests?

------
wereHamster

    "... you can write insecure code in it," he underscores his point,
    "but that's a fundamental problem in every single programming language"

No, there are languages where you _can't_ write insecure code, where the
compiler doesn't allow it and will warn you when you do.

~~~
gabordemooij
Can you give an example? In the context of web development of course...

~~~
adamnemecek
[http://www.impredicative.com/ur/](http://www.impredicative.com/ur/)

[http://plv.csail.mit.edu/ur/](http://plv.csail.mit.edu/ur/)

~~~
gabordemooij
Never heard of this language. But thanks for sharing. This is an interesting
language. Not sure whether I should use it right away (always sort of tied to
a certain language and ecosystem, in my case PHP) but at least we can get some
inspiration from innovative approaches like this.

~~~
adamnemecek
It's a research language and it seems very rough around the edges so using it
in production might be a bad idea. That being said this is supposedly written
in the language [https://bazqux.com](https://bazqux.com).

------
morganherlocker
The most common vulnerabilities are in the frameworks and libraries
surrounding a language, not the actual language (there are exceptions). On top
of that, user/developer sloppiness is even more common than security bugs in
common frameworks. I would bet most servers that get compromised do so through
having things like root/password1 credentials or extremely obvious sql
injectable code.

------
semerda
The big problem here is too many "overnight learn to code in 24 hours"
developers choose PHP to develop by "cut & shut approach" using code they
acquired online from a dingy website. This yields insecure implementations.
And the cycle begins over and over.

Better languages have a far superior way to implement code following standard
industry practices & conventions. For example, how many ways are there to get
the length of a string in PHP vs say Python?

When there are too many ways to do some basic manipulations you start getting
many different code implementations doing the same thing. Also how many built-in
functions are included in PHP vs other languages? Too many is the answer.

Shall we even touch up on Unicode support? lol..

------
chrisrhoden
I would be genuinely shocked to hear anyone had made the point this article is
arguing against since register globals was disabled by default. PHP is awful
for all sorts of reasons, but the security angle here feels like a straw man.

------
romanovcode
Nobody said it wasn't secure.

IMO it's just a bit easier to write buggy/vulnerable code in PHP than other
languages. Or maybe I'm just a hater, don't know.

~~~
draginator
No. There are plenty of people that say PHP itself is insecure.

They are right.

Sure anybody can write insecure code in any language, but PHP makes writing
secure code much more difficult than other languages, and even if you do write
secure code the interpreter itself has a pretty terrible track record.

------
kubabrecka
What the article completely ignores is the fact that there are plenty of
security issues in the implementation of the PHP interpreter. Just compare the
number of security advisories for bugs in PHP itself to bugs in
Python/Perl/Ruby/etc. There _is_ a difference.

------
rbsn
I am confused as to whether this article is trying to compare the security of
the language implementations (PHP Interpreter, JVM, Ruby Interpreter, V8) or
what vulnerabilities can be exposed in programs written in the language (SQL
injection, non-thread-safe code, stack overflows) etc.

------
philjackson
[http://me.veekun.com/blog/2012/04/09/php-a-fractal-of-bad-de...](http://me.veekun.com/blog/2012/04/09/php-a-fractal-of-bad-design/#security)

