Old 28-02-2008, 18:42   #21 (permalink)
freelancr
Web Developer
 
Join Date: Oct 2006
Posts: 1,985
Quote:
Originally Posted by Hunch
I think it's a good idea to consider all code, especially code sitting under a web server, to be inherently insecure. Would I write a fairly low risk e-shop in PHP - yeah probably. Would I use PHP for a banking site? Fuck no.

Why is PHP insecure then? It really does annoy me how most people are willing to label PHP as insecure, but are not kind enough to explain why. How long does something have to be open source, stable, and free of major bugs or exploits for it to be considered secure? It was created in 1994, and released under a public licence in 1995 - is nearly 13 years of scrutiny, and 14 years of development, really not enough? PHP has even fought off competition from Microsoft ASP, even though that was developed by a monolithic company with unlimited resources. A real David and Goliath moment in the history of web development there.

I have been tinkering with PHP for over 9 years now, initially it was just to make use of includes, as I had been using SSI (.shtml), and also frames before that. From there on I explored various other time saving features that a programming language offers for making use of reusable code, and progressed on into playing with MySQL, my first experience with a database that wasn't MS Access.

At the time of discovering PHP I was about 13 years old. PHP was an ideal stomping ground for me to learn about programming - as it will still run even if your code is a load of shit! Since the more recent releases of PHP4 and 5 though, it has consciously been developed to move away from that image, by introducing stricter syntax and more powerful error reporting to aid developers. It also allows for more serious developers to totally separate the presentation and application layers, and has also evolved into becoming an object orientated programming language. You can even create cross platform desktop applications using PHP-GTK, though I haven't seen any open source desktop applications - but to be fair I haven't really looked into it!

Sure, there have been awful abominations of applications released using PHP that have had histories of being hacked regularly. Namely various releases of PHP Nuke. These exploits are purely down to the developers of these applications not writing secure code. You put shit in, you are going to get shit out. If there is a flaw in your logic, you are going to get fucked over regardless of your choice of programming language. There is no silver bullet, so I think it is about time we stopped blaming the PHP development team for our own shortcomings, and time to start looking closer to home at our own coding.

PHP is clearly a victim of its own success. Will it ever be trusted? I do hope so, as I have 7 PHP books on my shelf, which I have read several times, and a Zend certification examination pencilled in for this year!
Old 28-02-2008, 18:43   #22 (permalink)
pgo
i'm done, son
 
Join Date: Jan 2005
Posts: 12,262
Quote:
Originally Posted by cam
Saying 'it would make every PHP based site on the internet completely insecure' is a bit of a stretch though.
Fine, fine.
Old 28-02-2008, 21:21   #23 (permalink)
haku
shiro
 
Join Date: Aug 2007
Location: Yokohama, Japan
Posts: 1,659
It would make all mine insecure!
Old 28-02-2008, 23:23   #24 (permalink)
Hunch
Grumpy old man
 
Join Date: Oct 2007
Location: North Japan
Posts: 1,377
Quote:
Originally Posted by freelancr
Why is PHP insecure then?

Because it's an interpreted language sitting on a public facing server. If the server is compromised, access to the entire functionality of the system is immediate and does not require reverse engineering.

Uncompiled, interpreted code in any form is much more vulnerable to injection/execution attacks and exploits generally require a much lower level of knowledge or expertise.

Sorry if that's brief - written in 30 seconds on the way to a meeting.
Old 28-02-2008, 23:44   #25 (permalink)
pgo
i'm done, son
 
Join Date: Jan 2005
Posts: 12,262
Quote:
Originally Posted by haku
It would make all mine insecure!
That's just because you're a shit programmer.
Old 28-02-2008, 23:54   #26 (permalink)
haku
shiro
 
Join Date: Aug 2007
Location: Yokohama, Japan
Posts: 1,659
Ouch

...not far off the truth though
Old 29-02-2008, 00:06   #27 (permalink)
pgo
i'm done, son
 
Join Date: Jan 2005
Posts: 12,262
Same here, unfortunately.
Old 29-02-2008, 04:40   #28 (permalink)
freelancr
Web Developer
 
Join Date: Oct 2006
Posts: 1,985
Quote:
Originally Posted by Hunch
Because it's an interpreted language sitting on a public facing server. If the server is compromised, access to the entire functionality of the system is immediate and does not require reverse engineering.

Uncompiled, interpreted code in any form is much more vulnerable to injection/execution attacks and exploits generally require a much lower level of knowledge or expertise.

Sorry if that's brief - written in 30 seconds on the way to a meeting.

Not quite compiled, but encrypted. Zend Guard - Protect Your IP & Generate More Revenue - Zend.com

But to be honest, if a server is compromised, you could quite possibly be fucked already! Though damage limitation is worth thinking about when choosing a language.

Are we back to security through obscurity again?
Old 29-02-2008, 05:05   #29 (permalink)
cam
vague™
 
Join Date: Mar 2004
Location: Glasgow
Posts: 5,120
If you're running a banking website and your server is compromised, you've bigger troubles than someone looking at your source code.
Old 29-02-2008, 18:38   #30 (permalink)
Hunch
Grumpy old man
 
Join Date: Oct 2007
Location: North Japan
Posts: 1,377
My apologies - by "server" I was intending to mean web server, not the host itself but I was rushing out of the door so I wasn't very clear. Any exploit, even basic read access to what is under the web tree will start revealing code, database passwords etc. in PHP.
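The exposure Hunch describes above (read access under the web tree revealing database passwords) is usually a deployment problem rather than a language one: the credentials were stored where the web server could serve them. The following is an added example, not code from this thread or from Zend; it assumes PHP 8.0 or later and a hypothetical INI file such as /etc/myapp/db.ini, kept outside DocumentRoot, with host=, user=, pass= and name= keys. The loader refuses to start if the secrets file sits inside the web tree or is readable by other accounts, so a source-disclosure or mis-served .bak copy has nothing to reveal.

```php
<?php
// Added example, not code from the thread. Assumes PHP 8.0+ and a
// hypothetical INI file (e.g. /etc/myapp/db.ini) outside DocumentRoot
// containing host=, user=, pass= and name= keys.
declare(strict_types=1);

/**
 * Load DB credentials from a file that must live outside the web tree and
 * must not be readable by other accounts. Refusing to start is preferable
 * to handing the credentials to anyone who finds a source-disclosure bug.
 */
function loadDbConfig(string $path, string $docRoot): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("config not found: $path");
    }

    // Reject a config that sits under the document root: a mis-served copy
    // (config.php.bak, .inc) or an include/traversal bug would serve it as
    // plain text to a client.
    $root = realpath($docRoot);
    if ($root !== false) {
        $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (str_starts_with($real, $prefix)) {
            throw new RuntimeException("refusing to read secrets from inside the web tree: $real");
        }
    }

    // Reject group/world-readable secrets (0044 = g+r | o+r).
    $perms = fileperms($real) & 0777;
    if (($perms & 0044) !== 0) {
        throw new RuntimeException(sprintf('config %s is readable by others (mode %04o)', $real, $perms));
    }

    // INI_SCANNER_RAW keeps values verbatim (no interpolation of "on"/"off" etc.).
    $cfg = parse_ini_file($real, false, INI_SCANNER_RAW);
    if ($cfg === false) {
        throw new RuntimeException("cannot parse $real");
    }
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!isset($cfg[$key]) || $cfg[$key] === '') {
            throw new RuntimeException("missing '$key' in $real");
        }
    }
    return $cfg;
}

function connectDb(array $cfg): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['name']);
    return new PDO($dsn, $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Usage from a request handler; $_SERVER['DOCUMENT_ROOT'] is the web tree.
$pdo = connectDb(loadDbConfig('/etc/myapp/db.ini', $_SERVER['DOCUMENT_ROOT'] ?? '/var/www/html'));
```

The file should be owned by the account the PHP worker runs as, mode 0600 or 0640 with the worker's group, and the same pattern applies to any other secret the application needs. Environment variables set by the process manager (php-fpm's env[] directives) are an equivalent alternative; the point is that nothing under DocumentRoot ever contains a credential.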
Old 01-03-2008, 06:19   #31 (permalink)
freelancr
Web Developer
 
Join Date: Oct 2006
Posts: 1,985
Quote:
Originally Posted by Hunch
Any exploit, even basic read access to what is under the web tree will start revealing code, database passwords etc. in PHP.

Zend Guard - Protect Your IP & Generate More Revenue - Zend.com
Old 01-03-2008, 09:37   #32 (permalink)
Cborrow
I like code.
 
Join Date: Dec 2004
Location: Chesapeake, VA
Posts: 192
You can also compile your code down to byte code and native code
Old 01-03-2008, 12:57   #33 (permalink)
HaXXor's
Web Schizophrenic
 
Join Date: Feb 2008
Location: In your head
Posts: 34
Every non-compiled code will always have a breach for some obvious reasons. But I still believe that using a good encryption algorithm with PHP can make a web application very secure.
Old 07-03-2008, 11:17   #34 (permalink)
hobolooter
Registered User
 
Join Date: Feb 2004
Location: USA
Posts: 52
As most of the people in here are developers and not hackers you can't argue the security standpoint of PHP. As developers there is little we can do to protect our code and coding practices if the issue is a bug in PHP.

Meaning, you could write an amazingly secure file upload system. It works perfectly, it's secure. Until along comes a hacker who has found a vulnerability in the way PHP handles file uploads, he injects some code into an image and next thing you know your entire system is compromised.

Also open source PHP applications are highly insecure. Why do you think Wordpress has so many issues?
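The file-upload scenario hobolooter sketches above is the standard argument for defence in depth: the application cannot rule out a bug in the runtime, so it should arrange that a payload smuggled inside an image has nowhere to execute even if one exists. The following is an added example, not code from this thread; it assumes PHP 8.0 or later with the fileinfo and gd extensions, a hypothetical $storeDir that lies outside DocumentRoot, and a handler script (not shown) that serves stored files with an explicit Content-Type. The upload is content-sniffed rather than trusted, decoded and re-encoded so only pixel data survives, stored under a server-chosen random name, and written non-executable.

```php
<?php
// Added example, not code from the thread. Assumes PHP 8.0+ with the
// fileinfo and gd extensions, and a hypothetical $storeDir outside DocumentRoot.
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;
// Accepted content types keyed by what the bytes actually look like, never by
// the client-supplied $_FILES[...]['type'] or the original file name.
const ALLOWED_IMAGE_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

/**
 * Validate one $_FILES entry, re-encode it through GD and store it under a
 * random name outside the web tree. Returns the stored file name.
 */
function storeUploadedImage(array $file, string $storeDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload did not complete');
    }
    $tmp = $file['tmp_name'];
    // Only accept temp paths PHP itself created for this request.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }
    if (filesize($tmp) > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Sniff the content instead of trusting the declared type or extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException("unsupported content type: $mime");
    }

    // Decode and re-encode: the written file contains only pixel data, so
    // comments, EXIF blocks, or bytes appended after the image are dropped.
    $img = $mime === 'image/png' ? @imagecreatefrompng($tmp) : @imagecreatefromjpeg($tmp);
    if ($img === false) {
        throw new RuntimeException('file is not a decodable image');
    }

    // Server-chosen random name: the client never influences the path, the
    // extension, or whether the name collides with an existing file.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = rtrim($storeDir, '/') . '/' . $name;
    $ok = $mime === 'image/png' ? imagepng($img, $dest) : imagejpeg($img, $dest, 90);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    chmod($dest, 0640); // not executable, not world-readable
    return $name;
}

// Usage from a request handler (hypothetical form field and directory):
// $name = storeUploadedImage($_FILES['avatar'], '/var/lib/myapp/uploads');
```

Because $storeDir is outside the web tree, the only way a stored file reaches a browser is through a script that reads it and sets Content-Type from the stored extension (plus X-Content-Type-Options: nosniff), so the interpreter is never asked to execute anything the client uploaded.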
Old 07-03-2008, 13:27   #35 (permalink)
iblastoff
gotsa a malanga!
 
Join Date: Apr 2006
Location: ottawa, canada
Posts: 481
Quote:
Originally Posted by hobolooter
Also open source PHP applications are highly insecure. Why do you think Wordpress has so many issues?

Because it's a poorly coded piece of junk that insists on not even moving to PHP 5 because they think it will bring down their user base. Shows you how they approach their code, doesn't it! Marketing over quality.
Old 07-03-2008, 13:30   #36 (permalink)
herkalees
Semantics, yay.
 
Join Date: Nov 2005
Location: Salem, Massachusetts
Posts: 1,079
WordPress does suck.
Old 08-03-2008, 02:40   #37 (permalink)
Hunch
Grumpy old man
 
Join Date: Oct 2007
Location: North Japan
Posts: 1,377

I'm not sure why saying it twice makes any difference.

You went on a bit of a crusade about people suggesting PHP was an insecure language. Buying a separate utility which encodes PHP into another format is changing the goalposts. That's like me saying "Your house is insecure because it has a flimsy door made of balsa wood" and you saying "no it's not because I could buy an inch thick sheet of steel to put over the top". It's the very fact that as an interpreted language PHP has inherent insecurities that makes Zend Guard necessary in the first place.

Last edited by Hunch : 08-03-2008 at 03:00.
Old 08-03-2008, 04:04   #38 (permalink)
freelancr
Web Developer
 
Join Date: Oct 2006
Posts: 1,985
Quote:
Originally Posted by Hunch
Buying a separate utility which encodes PHP into another format is changing the goalposts.

I didn't move the goalposts just because you didn't know about Zend Guard; besides, there are free alternatives also pointed out in this thread. It provides the solution to the security issue of leaving the source code in a readable format.

So then, why is PHP insecure? You have failed to enlighten me, grasshopper!
Old 08-03-2008, 23:36   #39 (permalink)
hobolooter
Registered User
 
Join Date: Feb 2004
Location: USA
Posts: 52
Haha, if you think PHP is secure, you have a lot to learn, grasshopper.
Old 09-03-2008, 05:01   #40 (permalink)
Hunch
Grumpy old man
 
Join Date: Oct 2007
Location: North Japan
Posts: 1,377
Quote:
Originally Posted by freelancr
I didn't move the goalposts just because you didn't know about Zend Guard

Why would you assume that? By all means argue the point, but don't just make stuff up. I might not know much about many things, but I was programming before you were born, grasshopper.