Comments on: PHP Insecurity: Failure of Leadership http://www.greebo.net/2006/01/04/php-insecurity-failure-of-leadership/ mostly useless crap from me Sun, 21 Feb 2010 00:51:44 +0000 http://wordpress.org/?v=2.9 hourly 1 By: Security And Caffeine http://www.greebo.net/2006/01/04/php-insecurity-failure-of-leadership/comment-page-1/#comment-17392 Security And Caffeine Fri, 30 May 2008 14:35:14 +0000 http://www.greebo.net/?p=320#comment-17392 [...]  It’s fact, it happens; I would venture that it’s the point of PHP.  Now, PHP is often regarded as insecure, but, as many php professionals will argue, this is a failure of novice developers, not the [...] [...]  It’s fact, it happens; I would venture that it’s the point of PHP.  Now, PHP is often regarded as insecure, but, as many php professionals will argue, this is a failure of novice developers, not the [...]

]]> By: Michelle http://www.greebo.net/2006/01/04/php-insecurity-failure-of-leadership/comment-page-1/#comment-16098 Michelle Thu, 27 Dec 2007 21:30:43 +0000 http://www.greebo.net/?p=320#comment-16098 G'day, I hope this reaches you and it is probably an ass about way of doing it, but...I am an Aussie gal who just registered as a member of Aussie Vee Dubbers but can't complete it as I am having a problem downloading UltimaBB so as to enter the forum. It says either server can't url or contact the host, so here I am. Email with any help or updates... your baby pics are beautiful!!!! Now to just gat my baby Kombi Camper into community :) Cheers, Michelle G’day,
I hope this reaches you and it is probably an ass about way of doing it, but…I am an Aussie gal who just registered as a member of Aussie Vee Dubbers but can’t complete it as I am having a problem downloading UltimaBB so as to enter the forum. It says either server can’t url or contact the host, so here I am.
Email with any help or updates… your baby pics are beautiful!!!!
Now to just gat my baby Kombi Camper into community :)
Cheers,
Michelle

]]> By: vanderaj http://www.greebo.net/2006/01/04/php-insecurity-failure-of-leadership/comment-page-1/#comment-14813 vanderaj Thu, 11 Oct 2007 04:29:50 +0000 http://www.greebo.net/?p=320#comment-14813 Loler, I do this stuff as my day job, and so it is as factual as I can make it without breaking NDAs. I review nearly a hundred applications every year. Sometime, I find lots of stuff, others not so much. I've only done a few PHP reviews this year because our commercial customers stay away from it with good reason. The first PHP review this year was so bad, the report weighed in at over 80 pages (most of our reports are in the 30-40 page mark). I know that the customer was unprepared for our findings, and in fact, as far as I'm aware, they've made no serious effort to fix the issues we identified. It comes down to two things: a) PHP is simple to use. So many people use it b) the folks who are not CS majors do not even know what security is, and therefore the language designers have a responsibility to code to their primary audience. In PHP's case, it's hobbyist and first time programmers. The skilled programmer like you and me: we don't count. We are in the upper part of the bell curve. We can take care of ourselves regardless of how good or bad a language and its features are. A good systems language is a balance between power and security. For example, it's possible to write insecure Perl but there is SO much pressure to use things like taint mode and DBI's prepared statements, that pretty much all the Perl I see is heavily standardized, heavily commented, and pretty secure. That's one way a language which is heavily used in systems contexts, despite its many potential issues, is generally safe. Perl programmers are in my experience no better or worse than any other programmer. PHP has no such pressure. After coding in PHP since 2002 and still fixing up code five years later, PHP has so much to learn from security folks it's not funny. Personally, although I applaud the decision to finally kill PHP 4, it's far too late. PHP 4 will be on hosters until it becomes too expensive to host PHP any more from the sheer number of sites compromised. PHP 5 did not take off as fast as it should because it wasn't backwards compatible. I STILL to this day cannot stop support for PHP 4, even though it's got approximately 10 weeks to live. I can't guarantee MySQLi support, let alone PDO with MySQL support. I still don't have guaranteed access to transactions. Therefore, I can't leverage those technologies without writing three versions: PHP 4 only, functional mysql PHP 4/5, functional / OO hybrid using mysqli PHP 5, OO mostly, functional a little, with PDO and transactions on InnoDB (maybe) The last category, PHP 5 with PDO and with transactional support is such a tiny fraction of the PHP install base, that it is not worth writing to that platform. I would be better off writing a .NET on Mono as it nearly has as large an install base as PHP 5 with PDO and transactions. PHP is a toy language used for non-toy functions. It needs to die as it CANNOT be made safe in its current form considering its core audience. Andrew Loler,

I do this stuff as my day job, and so it is as factual as I can make it without breaking NDAs. I review nearly a hundred applications every year. Sometime, I find lots of stuff, others not so much. I’ve only done a few PHP reviews this year because our commercial customers stay away from it with good reason.

The first PHP review this year was so bad, the report weighed in at over 80 pages (most of our reports are in the 30-40 page mark). I know that the customer was unprepared for our findings, and in fact, as far as I’m aware, they’ve made no serious effort to fix the issues we identified.

It comes down to two things:

a) PHP is simple to use. So many people use it
b) the folks who are not CS majors do not even know what security is, and therefore the language designers have a responsibility to code to their primary audience. In PHP’s case, it’s hobbyist and first time programmers.

The skilled programmer like you and me: we don’t count. We are in the upper part of the bell curve. We can take care of ourselves regardless of how good or bad a language and its features are.

A good systems language is a balance between power and security. For example, it’s possible to write insecure Perl but there is SO much pressure to use things like taint mode and DBI’s prepared statements, that pretty much all the Perl I see is heavily standardized, heavily commented, and pretty secure. That’s one way a language which is heavily used in systems contexts, despite its many potential issues, is generally safe. Perl programmers are in my experience no better or worse than any other programmer.

PHP has no such pressure. After coding in PHP since 2002 and still fixing up code five years later, PHP has so much to learn from security folks it’s not funny.

Personally, although I applaud the decision to finally kill PHP 4, it’s far too late. PHP 4 will be on hosters until it becomes too expensive to host PHP any more from the sheer number of sites compromised. PHP 5 did not take off as fast as it should because it wasn’t backwards compatible. I STILL to this day cannot stop support for PHP 4, even though it’s got approximately 10 weeks to live.

I can’t guarantee MySQLi support, let alone PDO with MySQL support. I still don’t have guaranteed access to transactions. Therefore, I can’t leverage those technologies without writing three versions:

PHP 4 only, functional mysql
PHP 4/5, functional / OO hybrid using mysqli
PHP 5, OO mostly, functional a little, with PDO and transactions on InnoDB (maybe)

The last category, PHP 5 with PDO and with transactional support is such a tiny fraction of the PHP install base, that it is not worth writing to that platform. I would be better off writing a .NET on Mono as it nearly has as large an install base as PHP 5 with PDO and transactions.

PHP is a toy language used for non-toy functions. It needs to die as it CANNOT be made safe in its current form considering its core audience.

Andrew

]]> By: Loler http://www.greebo.net/2006/01/04/php-insecurity-failure-of-leadership/comment-page-1/#comment-14809 Loler Wed, 10 Oct 2007 23:15:17 +0000 http://www.greebo.net/?p=320#comment-14809 You are joking right? It seems you are not able to use PHP in the correct way. Why should a language force you to do some things in a specific way? Its up to you to code right, and decide what is right in your case. Sure there had been failures what PHP provided. But you shouldn't forget that PHP enabled people to start coding. Its normal that beginners may write insecure code, I can write dumb ass insecure code on every language I use when I am a beginner. So stop your clueless ranting and put some facts on the table that are not just theoretical or searching for some worse examples in a flood of applications. You are joking right?
It seems you are not able to use PHP in the correct way. Why should a language force you to do some things in a specific way? Its up to you to code right, and decide what is right in your case.
Sure there had been failures what PHP provided. But you shouldn’t forget that PHP enabled people to start coding.
Its normal that beginners may write insecure code, I can write dumb ass insecure code on every language I use when I am a beginner.
So stop your clueless ranting and put some facts on the table that are not just theoretical or searching for some worse examples in a flood of applications.

]]> By: Mark http://www.greebo.net/2006/01/04/php-insecurity-failure-of-leadership/comment-page-1/#comment-7784 Mark Wed, 18 Apr 2007 17:34:08 +0000 http://www.greebo.net/?p=320#comment-7784 Thank You Thank You

]]>