SecurityFocus Article – PHP apps: Security’s Low-Hanging Fruit

The following column was published on SecurityFocus today:

PHP apps: Security’s Low-Hanging Fruit
by Kelly Martin
published 2007-01-08

PHP has become the most popular application language on the web, but common security mistakes by developers are giving PHP a bad name. Here’s how PHP coding errors have become the new low-hanging fruit for attackers, contributing to the phishing problems on the web.

Thank you for reading this post. You can now Read Comments (2) or Leave A Trackback. Print This Post Print This Post

2 Responses to “SecurityFocus Article – PHP apps: Security’s Low-Hanging Fruit

  • 1
    black touch
    August 25th, 2007 12:38

  • 2
    Catalin Hulea
    November 3rd, 2007 05:25

    Thanks for sharing this link; I wrote a comment there and I’m writing here too:

    Hello, I think this article is awesome. I am myself a PHP programmer and I always try to improve the security of my application; and I am also affected by some of my colleagues who don’t have the same attitude.

    However, I am totally against your presumption that PHP is a non-secure language; on the contrary, it is maybe the most secure on web, and this is maybe also one of the reasons it is so popular.

    Just to mention the fact that “Security” chapter in PHP manual is one of the first that programmers can read; And you don’t find this chapter, dealing things like SQL Injection, file injection, and so on in any other programming language manual; that proves PHP was concerning with security since the very beginning.

    ASP (the old one, native for IIS) didn’t even have at it’s time, any function like mysql_escape_string()! If you wanted your application to be secure on ASP, you had to write yourself a function that was supposed to search and replace weird characters in strings in order to avoid SQL Injection. MOST of the other languages for web don’t have AT THIS TIME functions or methods for escaping characters in XML, HTML or javascript! But PHP was designed since the very beginning with functions such as htmlspecialchars() or addslashes().

    So I think PHP by itself is the most secure on web, but I tell you from experience you are totally right when you speak about inexperienced programmers who don’t know PHP but they try to use it and they introduce bugs in their applications. On the other hand, these programmers would migrate to other language as well, if PHP were not the most popular, and they would damage the reputation of that “other” language too.

    In the end, congratulations for this article, it’s a very good one and I have the same opinions as you do.

Subscribe without commenting

Leave a Reply

Note: Any comments are permitted only because the site owner is letting you post, and any comments will be removed for any reason at the absolute discretion of the site owner.

CommentLuv badge