SecurityFocus Article - PHP apps: Security’s Low-Hanging Fruit
The following column was published on SecurityFocus today:
PHP apps: Security’s Low-Hanging Fruit
by Kelly Martin
published 2007-01-08
PHP has become the most popular application language on the web, but common security mistakes by developers are giving PHP a bad name. Here’s how PHP coding errors have become the new low-hanging fruit for attackers, contributing to the phishing problems on the web.
http://www.securityfocus.com/columnists/427
Post Info
This entry was posted on Tuesday, January 9th, 2007 and is filed under Web Applications, PHP, Articles.


November 3rd, 2007 05:25
Thanks for sharing this link; I wrote a comment there and I’m writing here too:
—————————————–
Hello, I think this article is awesome. I am myself a PHP programmer and I always try to improve the security of my applications; and I am also affected by some of my colleagues who don’t have the same attitude.
However, I am totally against your presumption that PHP is a non-secure language; on the contrary, it is maybe the most secure on the web, and this is maybe also one of the reasons it is so popular.
Just to mention the fact that the “Security” chapter in the PHP manual is one of the first that programmers can read; and you don’t find such a chapter, dealing with things like SQL injection, file injection, and so on, in any other programming language’s manual; that proves PHP has been concerned with security since the very beginning.
ASP (the old one, native to IIS) didn’t even have, at its time, any function like mysql_escape_string()! If you wanted your application to be secure on ASP, you had to write yourself a function to search and replace weird characters in strings in order to avoid SQL injection. MOST of the other languages for the web don’t have AT THIS TIME functions or methods for escaping characters in XML, HTML or JavaScript! But PHP was designed from the very beginning with functions such as htmlspecialchars() or addslashes().
So I think PHP by itself is the most secure on the web, but I tell you from experience you are totally right when you speak about inexperienced programmers who don’t know PHP but try to use it anyway and introduce bugs into their applications. On the other hand, these programmers would migrate to another language as well, if PHP were not the most popular, and they would damage the reputation of that “other” language too.
In the end, congratulations on this article; it’s a very good one and I have the same opinions as you do.