Tuesday, February 21, 2006

PHP -- Get Security or Become Irrelevant

While reading OWASP today, I came across Andrew van der Stock's plea to the PHP Development team to shape up and make PHP more secure.

"After writing PHP forum software for three years now, I’ve come to the conclusion that it is basically impossible for normal programmers to write secure PHP code. It takes far too much effort. PHP needs a proper security architecture, and support for newbie programmers.
...
There are so many ways to break PHP that it is impossible for even experienced security professionals like me to code in it securely all the time. There are nearly 4000 function calls, and many of them have unintended consequences or have been inappropriately extended by something else. At every turn, the PHP Development Team have made truly terrible “security” choices: register_globals, magic_quotes_gpc (and friends), PHP wrappers, safe mode, output, XML, LDAP, and SQL interfaces that intermingle data and query elements, which by their very nature are impossible to protect against injection attacks. All of these are broken. They are disjunct and have no security model. Some of the features, like PHP wrappers, are not well documented, and are a clear and present danger to PHP scripts and worse, they do not obey the weak “safe” mode restrictions. I bet few PHP coders are aware of them, let alone their security impacts."

Chris Shiflett is collecting further comments. In an unrelated tidbit, Henry Fuecks writes some great PHP articles at SitePoint.

djuggler's personal blog is Reality Me; djuggler consults as Superior Internet Designs.