Re: Re: PHP security (or the lack thereof)
> You may be making some erroneous assumptions about who, or what, PHP
> quantifies a "web developer" as. As the manual notes, PHP scales,
> security wide, from extremely rigid to extremely flexible, as needed.
> It is simultaneously being used as a multi-million-users piece of core
> software at sites such as Yahoo! and wikipedia, but it can also be used
> as a mail form processor at "Joe's bait and tackle". I don't think
> somebody who would ever consider the security section in the primary
> online manual as a "footnote" as having enough experience to call
> themselves a developer.
Highly skilled experienced developers are not designing the vulnerable software
in question. It is not the multi-million-user applications (such as yahoo or
wikipedia) that we need to worry about. We need to worry about the new
developers who do not understand the implications of what they are coding. We
need to worry about the fifteen-year-old kid who contributes to PHPBB and
projects like it so he can learn how to code. We also need to worry about the
web developer who deploys these applications, unknowingly trusting the
fifteen-year-old kid's software because he doesn?t have the experience or the
time to develop a solution himself. When talking about PHP and the high rate
of vulnerabilities, these are the people we are talking about.
This is not just PHP.net's problem. This is a community problem. Experienced
developers are writing tutorials without regard to security. Here is a good
example of what I am talking about from freewebmasterhelp.com (the third result
returned by google - http://www.google.com/search?q=php+tutorial ):.
<?
$username="username";
$password="password";
$database="your_database";
$first=$_POST['first'];
$last=$_POST['last'];
$phone=$_POST['phone'];
$mobile=$_POST['mobile'];
$fax=$_POST['fax'];
$email=$_POST['email'];
$web=$_POST['web'];
mysql_connect(localhost,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO contacts VALUES
('','$first','$last','$phone','$mobile','$fax','$email','$web')";
mysql_query($query);
mysql_close();
?>
I do not need to iterate through the security problems with the above script.
We are showing new developers how to get input and insert data into mysql but
we do not show them how or why they need to validate that input. This is the
reason for the high rate of vulnerabilities in PHP software.
This problem is widespread, any tutorial you find likely contributes to this
problem. Even PHP.net is guilty of this. In PHP.net?s tutorial you introduce a
simple HTML form and print the data from that form by passing the data
unfiltered back to the browser (http://www.php.net/manual/en/tutorial.forms.php
). It would be much better imho to teach security from the beginning and
introduce the idea of filtering the data at that point.
The problem is the way the community presents PHP. It will take a community
effort to fix it. - nabiy