Quote:
Originally Posted by Hunch
I think it's a good idea to consider all code, especially code sitting under a web server, to be inherently insecure. Would I write a fairly low risk e-shop in PHP - yeah probably. Would I use PHP for a banking site? Fuck no.
Why is PHP insecure then? It really does annoy me how most people are willing to label PHP as insecure but are not kind enough to explain why. How long does something have to be open source, stable, and free of major bugs or exploits for it to be considered secure? It was created in 1994 and released under a public licence in 1995 - is nearly 13 years of scrutiny and 14 years of development really not enough? PHP has even fought off competition from Microsoft ASP, even though that was developed by a monolithic company with unlimited resources. A real David and Goliath moment in the history of web development there.
I have been tinkering with PHP for over 9 years now. Initially it was just to make use of includes, as I had been using SSI (.shtml), and frames before that. From there I explored various other time-saving features that a programming language offers for making use of reusable code, and progressed to playing with MySQL, my first experience with a database that wasn't MS Access.
At the time of discovering PHP I was about 13 years old. PHP was an ideal stomping ground for me to learn about programming, as it will still run even if your code is a load of shit! Since the more recent releases of PHP 4 and 5, though, it has consciously been developed to move away from that image by introducing stricter syntax and more powerful error reporting to aid developers. It also allows more serious developers to totally separate the presentation and application layers, and it has evolved into an object-oriented programming language. You can even create cross-platform desktop applications using PHP-GTK, though I haven't seen any open source desktop applications - but to be fair I haven't really looked into it!
Sure, there have been awful abominations of applications released using PHP that have had histories of being hacked regularly, namely various releases of PHP Nuke. These exploits are purely down to the developers of these applications not writing secure code. You put shit in, you are going to get shit out. If there is a flaw in your logic, you are going to get fucked over regardless of your choice of programming language. There is no silver bullet, so I think it is about time we stopped blaming the PHP development team for our own shortcomings and started looking closer to home at our own coding.
PHP is clearly a victim of its own success. Will it ever be trusted? I do hope so, as I have 7 PHP books on my shelf, which I have read several times, and a Zend certification examination pencilled in for this year!