Re: PHP security (or the lack thereof)



On Jun 21, 2006, at 4:52 PM, nabiy@xxxxxxxxxxx wrote:
Trying to make the language 'safe' won't fix it because the language is not the problem. The real problem is the way PHP is presented to most new developers.
PHP has been introduced as a tool for the web developer. As a language its goal is "to allow web developers to write dynamically generated pages quickly." ( http://www.php.net/manual/en/faq.general.php ).

Did you read Section IV of that same manual? I remember it quite well, having wrote some portions of it.

" PHP is a powerful language and the interpreter, whether included in a web server as a module or executed as a separate CGI binary, is able to access files, execute commands and open network connections on the server. These properties make anything run on a web server insecure by default."
...
"The configuration flexibility of PHP is equally rivalled by the code flexibility. PHP can be used to build complete server applications, with all the power of a shell user, or it can be used for simple server-side includes with little risk in a tightly controlled environment. How you build that environment, and how secure it is, is largely up to the PHP developer."

From:
<http://www.php.net/manual/en/security.intro.php>

The focus then is to enable the web developer by giving him the tools he needs to create dynamic content, with as little hassle as possible. The web developer need only read a short tutorial ( http://www.php.net/manual/en/tutorial.php ) and he is ready to read, understand and implement the ideas presented in the various example scripts on PHP.net. Unfortunately this situation leaves the web developer uninformed and unprepared to face the hostile environment that is the net.

You may be making some erroneous assumptions about who, or what, PHP quantifies a "web developer" as. As the manual notes, PHP scales, security wide, from extremely rigid to extremely flexible, as needed. It is simultaneously being used as a multi-million-users piece of core software at sites such as Yahoo! and wikipedia, but it can also be used as a mail form processor at "Joe's bait and tackle". I don't think somebody who would ever consider the security section in the primary online manual as a "footnote" as having enough experience to call themselves a developer.

the only real solution is to change the way the language is presented to new developers. It must be presented in a manner that increases the awareness of the developer so that he able to deploy his application in a safe manner. This means that security needs to be taught from the beginning rather than as a footnote, especially on sites where authoritative teaching is given ( such as PHP.net ). - nabiy

If somebody doesn't know that security considerations are a core part of writing *any* software, they probably aren't that experienced of a developer yet. However, it might be a Very Good Idea(TM) to make a mini-security subsection in the tutorial/"Getting Started" section, for readers who skip over section IV.

FWIW, The manual is arranged as follows:
-----
Preface
I. Getting Started
II. Installation and Configuration
III. Language Reference
IV. Security
V. Features
VI. Function Reference
VII. PHP and Zend Engine Internals
VIII. FAQ: Frequently Asked Questions
IX. Appendixes
----

Note that Security is introduced just after the context of "how the language works"/"Language Reference" (so users can understand the security issues) and before "What the Language can do"/"Features".

-Ronabop
--
4245 NE Alberta Ct.
Portland, OR 97218
503-282-1370