I had a discussion on Twitter with Mike Schinkel regarding PHP and security. The discussion started after a website published that CMS applications written in PHP were on a list of insecure software. Since Twitter is a tad restricted when it comes to space, I decided to blog about the subject.
Browsing the web, I feel that PHP has unfairly gotten a bad reputation when it comes to security. Some people do believe that ASP.net and other languages used to create web applications are more secure. I don’t think that is the case.
I do believe that there might be more insecure PHP applications out there than is the case for other languages. There are some reasons for this:
- PHP is quite an easy language to learn, and a good start for someone who wants to become a developer.
- There aren’t that many development tools out there that warn about security risks.
- ASP.net developers often come from technical backgrounds, either at university level or from some other educational level.
- Security hasn’t been a high priority in the PHP community, but it is becoming more and more important.
If you want to do ASP.net, and you want to do it properly, you have to download Visual Studio Express or buy the Visual Studio software, which you can get for as “low” as $700. I have coded both, and I do believe that PHP is a better language than VB in ASP.net and also C#, although the latter feels much more like PHP.
But back to the matter. Because PHP is a better language to learn, easier to get help with and so on, you get a lot of junior developers sitting in their bedrooms writing PHP applications that they push onto the web. Some are more secure than others. What’s important for the application is that it gets the job done. Another thing when it comes to learning PHP is that the books I’ve read do not focus that much on security, and when they do cover security it is always at the end of the book.
Mike Schinkel writes in his last Twitter post to me: “Some people focus on creation. Others focus on protection. Shame more people don’t appreciate differences in others.”
I do respect and agree partly with this view.
One quick note: I shall not claim here that I thought of security in my first applications. I too have done my share of mistakes when it comes to getting my web applications as secure as possible. It is when you see that the database is empty, or when your website is hacked, that you know your application is as insecure as it can be.
If you are interested in PHP and security, here are some links to websites you can visit:
PHP Security Guide
Books: