PHP

From: David Wheeler (dwheeler@ida.org)
Date: 08/08/01


From: "David Wheeler" <dwheeler@ida.org>
Message-Id: <1010808170628.ZM9453@aphrodite.csed.ida.org>
Date: Wed, 8 Aug 2001 17:06:27 -0400
To: secprog@securityfocus.com
Subject: PHP

Ben Ford said:
>Don't call it a weakness of the language, call it by its true name:
> Lazy Programming.

If this was a common problem in other languages, I might agree with you.
But it's not. Essentially all other computer languages do _NOT_ let
attackers set the state of arbitrary program variables to arbitrary
values, and then require programmers to constantly reset
values if they'd like to prevent attackers from controlling them.

I'm not saying that PHP is some horrible, unfixable language.
I've posted to PHP-DEV a relatively simple set of changes that would
make it possible to eliminate the problem, and others have proposed
other approaches. And those who can control their PHP configuration can
obviously do so and eliminate the problem right now for their applications.

Yes, you can write secure applications in PHP. But it requires
herculean effort. It's "obvious" when the application is small
that some variable needs to be unset, that's true, assuming you know to look.
But once you call functions, you have to have global knowledge of all
global values that the function uses, including the complete transitive
closure of all functions it calls directly & indirectly -- and that INCLUDES
the implementation of the library functions you call. And you have to
redo the analysis when you use a new version of PHP. You could argue that
all PHP developers do this... but I wouldn't believe you.

It's certainly true that all languages have "gotchas".
This one is larger than most (in my opinion), though. And we should be
striving in our computer languages to make it easy, not hard, to write
secure programs.

If some application can be used securely in theory, but its user interface
is so hard to use that it cannot PRACTICALLY be used securely,
then it's still insecure. I argue that the same is true
for programming languages.
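The failure mode argued about in this message, as an added example that is not part of the original post: a state variable that is assigned only on success keeps whatever value was imported from the request. It assumes the behaviour under discussion is PHP's `register_globals` import, which is emulated here so the script runs on a current PHP CLI; the helper names and the sample request are constructed for illustration.

```php
<?php
// Added example. Emulates the request-to-variable import the message
// describes (assumed to be register_globals) on current PHP.

// Hypothetical helper: copies every request parameter into global scope,
// as the import did before the script's first line ran.
function import_request_as_globals(array $request): void {
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Hypothetical credential check; stands in for a real lookup.
function password_ok(string $user, string $pass): bool {
    return $user === 'alice' && $pass === 'constructed-sample-password';
}

// Fragile: $authorized is assigned only on success, so a value imported
// from the request survives a failed check. Every function that reads a
// global this way needs the same audit, including the ones it calls.
function may_view_report_fragile(): bool {
    global $authorized, $user, $pass;
    if (password_ok((string)($user ?? ''), (string)($pass ?? ''))) {
        $authorized = true;
    }
    return (bool)$authorized;
}

// Hardened: input comes from an explicit array, state is local and
// initialized before use, nothing is read from global scope.
function may_view_report(array $request): bool {
    $authorized = false;
    $user = (string)($request['user'] ?? '');
    $pass = (string)($request['pass'] ?? '');
    if (password_ok($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request: wrong password plus a parameter that has the same
// name as the program's own state variable.
$request = ['user' => 'alice', 'pass' => 'wrong', 'authorized' => '1'];
import_request_as_globals($request);

var_dump(may_view_report_fragile());
var_dump(may_view_report($request));
```

The two results differ only because the first function trusts global state it did not initialize; the hardened form gives the same answer whether or not the import is enabled.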


