[ale] Seven Deadly Sins - PHP

George Carless kafka at antichri.st
Tue Jun 10 21:31:53 EDT 2003 

[sent again, and complete this time.  I hit the wrong key last time. ;p]

A few thoughts.  And note that I am a PHP programmer.

>The PHP part in "Deadly sin No. 4" caught my attention:
>
>"On Toxen's "don'ts" list: Don't use PHP, even though it's convenient."
>
>I've read this list long enough to recognize that Bob Toxen is a pro's
>pro, and when I see statements like that coming from him, I get
>paranoid. I'm a Solaris SA responsible for several webservers, and not
>a programmer by any stretch, but we've web developers that seem to be
>embracing PHP with unbridled passion. As such, I'm beginning to feel
>like I'm sitting on the systems sidelines wondering what the heck is
>going on here? What is it's utility (or fasination?) that seems to make
>this the web dev tool of the year? Questions:
>
>1). is PHP just bad programming practice in general? (and if so, what
>could or should be used instead?)

I don't think so.  It has some holes, but they tend to be spotted and 
addressed fairly quickly.  Is the same true of, oh, VBScript on top of ASP, 
or ColdFusion, or JSP, or even the likes of perl?  I'd say that there're 
always ways of shooting yourself in the foot, of doing things badly.  I 
don't think PHP really makes it especially more difficult, either: cgi 
opens up its own set of problems, for example, and while PHP certainly 
*has* left things open in the past, it's a young language which gets 
updated quickly.  And has many eyes upon it.

>2). what kinds of admin headaches am I opening myself up for, anyway?

This really depends upon how you have things set up.  Set php up properly, 
with things turned off that need to be turned off, and with a careful eye 
on file permissions and the like, you should be okay.  I don't think it's 
useful to tell you "look out for this in particular", since if you're 
running critical systems then you be doing your own due diligence anyhow - 
and there're many resources out there.  Frankly, when people give an 
unqualified statement like "Don't use [x]", even when they're experienced 
and generally knowledgeable, I'm led to question both their premises and 
their biases.

>3). related... what should I be looking for in system and web portal
>logs, especially in terms of attacks?

Again, I don't mean to be rude, but if you don't know this stuff then, 
well, not running PHP isn't really going to help you.  There's no magic 
bullet, and too many exploits happen because of administrators who merely 
believe themselves to be immune because they've taken things *just so far* 
or have followed a few "key rules" without having a sufficient holistic 
understanding of system management.  I had a system administrator who made 
a huge fuss about blocking off ports on the firewall, not allowing PHP file 
uploads (not from the outside, but within our intranet), and so forth.. and 
then wrote down the root password of one of our servers on my whiteboard to 
help me remember it.

>I guess what I need is a good primer on this stuff, like a 'What Every
>SA Must Know About PHP', if you will.

Nope, you need general documentation and experience on security in general. ;)

>4). any recommedations for a quick, yet thorough, PHP read?

http://www.php.net

>I've also become acutely aware as of late that this stuff seems to be
>very buggy in general, and seems to also be causing headaches for the
>developers in no predictable manner. In short, it likes to crash, and
>I'm being enlisted more and more to assist in running Solaris

I never experience PHP crashes.  Poor code, perhaps, but not anything 
within PHP itself that would lead to a system crash.

>I've been to the PHP website also. The issues people are having with
>this are just short of stunning.

Most visitors to most such sites don't really know what they're talking 
about.  And I'd rather have documented and discussed issues than 
undocumented ones that get brushed under the carpet - which is often, often 
the case with many proprietary (and other) languages.

Incidentally, I've coded PHP, ASP (VBScript and C#), perl, ColdFusion, 
Tango, etc.. and they all have their pros and cons.. and I'd not say any 
was inherently more or less secure than any other (although perl is perhaps 
the easiest to misuse for the beginner).

Cheers,
--George

_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale

More information about the Ale mailing list