Re: PHP security (or the lack thereof)

[Ronald Chmara <ron@xxxxxxxxx>]

On Jun 21, 2006, at 4:52 PM, nabiy@xxxxxxxxxxx wrote:
> Trying to make the language 'safe' won't fix it because the language 
> is not the problem. The real problem is the way PHP is presented to 
> most new developers.
> PHP has been introduced as a tool for the web developer. As a language 
> its goal is "to allow web developers to write dynamically generated 
> pages quickly." (  http://www.php.net/manual/en/faq.general.php ).

Did you read Section IV of that same manual? I remember it quite well, 
having wrote some portions of it.

" PHP is a powerful language and the interpreter, whether included  in 
a web server as a module or executed as a separate  CGI binary, is able 
to access files, execute  commands and open network connections on the 
server. These  properties make anything run on a web server insecure by 
default."
...
 "The configuration flexibility of PHP is equally rivalled by the code 
flexibility. PHP can be used to build complete server applications, 
with all the power of a shell user, or it can be used for simple 
server-side includes with little risk in a tightly controlled 
environment. How you build that environment, and how secure it is, is 
largely up to the PHP developer."

From:
<http://www.php.net/manual/en/security.intro.php>

>  The focus then is to enable the web developer by giving him the tools 
> he needs to create dynamic content, with as little hassle as possible. 
> The web developer need only read a short tutorial ( 
> http://www.php.net/manual/en/tutorial.php ) and he is ready to read, 
> understand and implement the ideas presented in the various example 
> scripts on PHP.net. Unfortunately this situation leaves the web 
> developer uninformed and unprepared to face the hostile environment 
> that is the net.

You may be making some erroneous assumptions about who, or what, PHP 
quantifies a "web developer"  as. As the manual notes, PHP scales, 
security wide, from extremely rigid to extremely flexible, as needed. 
It is simultaneously being used as a multi-million-users piece of core 
software at sites such as Yahoo! and wikipedia, but it can also be used 
as a mail form processor at "Joe's bait and tackle". I don't think 
somebody who would ever consider the security section in the primary 
online manual as a "footnote" as having enough experience to call 
themselves a developer.

> the only real solution is to change the way the language is presented 
> to new developers. It must be presented in a manner that increases the 
> awareness of the developer so that he able to deploy his application 
> in a safe manner. This means that security needs to be taught from the 
> beginning rather than as a footnote, especially on sites where 
> authoritative teaching is given ( such as PHP.net ). - nabiy

If somebody doesn't know that security considerations are a core part 
of writing *any* software, they probably aren't that experienced of a 
developer yet. However, it might be a Very Good Idea(TM) to make a 
mini-security subsection in the tutorial/"Getting Started" section, for 
readers who skip over section IV.

FWIW, The manual is arranged as follows:
-----
Preface
I. Getting Started
II. Installation and Configuration
III. Language Reference
IV. Security
V. Features
VI. Function Reference
VII. PHP and Zend Engine Internals
VIII. FAQ: Frequently Asked Questions
IX. Appendixes
----

Note that Security is introduced just after the context of "how the 
language works"/"Language Reference" (so users can understand the 
security issues) and before "What the Language can do"/"Features".

-Ronabop
--
4245 NE Alberta Ct.
Portland, OR 97218
503-282-1370