Re: PHP security (or the lack thereof)
On Jun 21, 2006, at 4:52 PM, nabiy@xxxxxxxxxxx wrote:
Trying to make the language 'safe' won't fix it because the language
is not the problem. The real problem is the way PHP is presented to
most new developers.
PHP has been introduced as a tool for the web developer. As a language
its goal is "to allow web developers to write dynamically generated
pages quickly." ( http://www.php.net/manual/en/faq.general.php ).
Did you read Section IV of that same manual? I remember it quite well,
having wrote some portions of it.
" PHP is a powerful language and the interpreter, whether included in
a web server as a module or executed as a separate CGI binary, is able
to access files, execute commands and open network connections on the
server. These properties make anything run on a web server insecure by
default."
...
"The configuration flexibility of PHP is equally rivalled by the code
flexibility. PHP can be used to build complete server applications,
with all the power of a shell user, or it can be used for simple
server-side includes with little risk in a tightly controlled
environment. How you build that environment, and how secure it is, is
largely up to the PHP developer."
From:
<http://www.php.net/manual/en/security.intro.php>
The focus then is to enable the web developer by giving him the tools
he needs to create dynamic content, with as little hassle as possible.
The web developer need only read a short tutorial (
http://www.php.net/manual/en/tutorial.php ) and he is ready to read,
understand and implement the ideas presented in the various example
scripts on PHP.net. Unfortunately this situation leaves the web
developer uninformed and unprepared to face the hostile environment
that is the net.
You may be making some erroneous assumptions about who, or what, PHP
quantifies a "web developer" as. As the manual notes, PHP scales,
security wide, from extremely rigid to extremely flexible, as needed.
It is simultaneously being used as a multi-million-users piece of core
software at sites such as Yahoo! and wikipedia, but it can also be used
as a mail form processor at "Joe's bait and tackle". I don't think
somebody who would ever consider the security section in the primary
online manual as a "footnote" as having enough experience to call
themselves a developer.
the only real solution is to change the way the language is presented
to new developers. It must be presented in a manner that increases the
awareness of the developer so that he able to deploy his application
in a safe manner. This means that security needs to be taught from the
beginning rather than as a footnote, especially on sites where
authoritative teaching is given ( such as PHP.net ). - nabiy
If somebody doesn't know that security considerations are a core part
of writing *any* software, they probably aren't that experienced of a
developer yet. However, it might be a Very Good Idea(TM) to make a
mini-security subsection in the tutorial/"Getting Started" section, for
readers who skip over section IV.
FWIW, The manual is arranged as follows:
-----
Preface
I. Getting Started
II. Installation and Configuration
III. Language Reference
IV. Security
V. Features
VI. Function Reference
VII. PHP and Zend Engine Internals
VIII. FAQ: Frequently Asked Questions
IX. Appendixes
----
Note that Security is introduced just after the context of "how the
language works"/"Language Reference" (so users can understand the
security issues) and before "What the Language can do"/"Features".
-Ronabop
--
4245 NE Alberta Ct.
Portland, OR 97218
503-282-1370