[ale] Seven Deadly Sins - PHP

Christopher Bergeron christopher at bergeron.com
Tue Jun 10 21:45:13 EDT 2003


I'm going to have to agree here.  I code in PHP (for a financial 
institution) _AND_ I've hired Bob in the past to design me a firewall / 
VPN box.  I'm not doubting his experience; however, I think it's being 
portrayed as much more thorough than it actually is.

There does exist a lot of potential for "issues" with PHP usage; 
however, a safe configuration (turning GLOBALs OFF, escaping ANY input 
that is entered by an untrusted (default) user on a form, etc. - very 
BASIC security IMHO) is quite safe.  Granted, there are MANY sites that 
don't take these things into consideration, which is probably why Bob 
chose to rank it as such a high security issue.  However, using PHP 
safely and listening to security warnings about it puts it into a realm 
that is not unlike using anything equivalent (Perl, SSI, etc.).  The fact 
that PHP is fast becoming the dominant web-scripting/programming language 
right now puts it into the crosshairs of many security people 
(de facto).  However, when compared to equivalent technologies (ASP), 
PHP is FAR safer.

I can't say his #4 ranking is necessarily _wrong_, but it certainly 
shouldn't be used as a reason to NOT use PHP.

Regards,
CB

Please bear in mind that this is my opinion, and nothing else...
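The two "very BASIC" measures named in the reply above, register_globals off and escaping untrusted input, are worth seeing side by side. The block below is an added example written for this archive page; it is not code from the original post or from anyone in the thread. It assumes a command-line PHP 7 or later with the PDO SQLite driver. Because register_globals was removed from PHP in 5.4, its effect (request parameters becoming PHP variables) is simulated here with extract(); the request data, comment text and user table are constructed inline so the script runs offline. With the attacker's constructed query string, the legacy login check grants access while the hardened one refuses it, and the concatenated SQL query matches every row where the prepared statement matches none.

```php
<?php
// Added example, not from the original post: register_globals bypass and
// input escaping in PHP, with constructed inputs so it runs offline.
declare(strict_types=1);

// --- 1. Why "turning GLOBALs OFF" matters -----------------------------
//
// With register_globals=On (the default before PHP 4.2), every request
// parameter arrived as a PHP variable. A request such as
//     GET /admin.php?authorized=1
// pre-sets $authorized before any code runs, so a check that relies on
// the variable being unset becomes an authentication bypass.
// extract() below stands in for register_globals (removed in PHP 5.4).
function adminAccessLegacy(array $request): bool
{
    extract($request, EXTR_OVERWRITE);   // never do this with untrusted data
    if (isset($user, $password)
        && $user === 'admin'
        && $password === 'correct horse battery staple') {
        $authorized = true;
    }
    // $authorized may already exist because the attacker sent it.
    return !empty($authorized);
}

// Hardened form: initialise every variable before use and read request
// data only from the explicit request array (i.e. $_GET / $_POST), so a
// parameter name can never become a variable name.
function adminAccess(array $request): bool
{
    $authorized = false;
    $user = $request['user'] ?? '';
    $password = $request['password'] ?? '';
    if ($user === 'admin' && $password === 'correct horse battery staple') {
        $authorized = true;
    }
    return $authorized;
}

// --- 2. "Escaping ANY input that is entered by an untrusted user" ------
//
// HTML context: escape on output so a submitted comment containing
// <script>...</script> is displayed as text rather than executed.
function renderComment(string $untrusted): string
{
    return '<p>' . htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// SQL context, the 2003-era habit: string concatenation. The input
//     x' OR '1'='1
// turns the WHERE clause into one that matches every row.
function findUserUnsafe(PDO $db, string $untrusted): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $untrusted . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: a prepared statement keeps the data out of the query text.
function findUser(PDO $db, string $untrusted): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$untrusted]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Demo with constructed data ---------------------------------------
// php.ini directives that back the coding rules above (historical:
// register_globals = Off; still relevant: display_errors = Off, expose_php = Off).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

$attackRequest = ['authorized' => '1'];            // constructed query string
var_dump(adminAccessLegacy($attackRequest));      // granted: the bypass
var_dump(adminAccess($attackRequest));            // refused

echo renderComment('<script>alert(1)</script>'), "\n";

$injection = "x' OR '1'='1";                      // constructed form input
echo count(findUserUnsafe($db, $injection)), " rows via concatenation\n";
echo count(findUser($db, $injection)), " rows via prepared statement\n";
```

Run it with `php example.php`. The point of the pairing is that neither fix is language-specific cleverness: initialising variables and keeping data out of query and markup text are the same habits a Perl or ASP programmer would need, which is the comparison the reply makes.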



George Carless wrote:

> A few thoughts.  And note that I am a PHP programmer.
>
>> The PHP part in "Deadly sin No. 4" caught my attention:
>>
>> "On Toxen's "don'ts" list: Don't use PHP, even though it's convenient."
>>
>> I've read this list long enough to recognize that Bob Toxen is a pro's
>> pro, and when I see statements like that coming from him, I get
>> paranoid. I'm a Solaris SA responsible for several webservers, and not
>> a programmer by any stretch, but we've web developers that seem to be
>> embracing PHP with unbridled passion. As such, I'm beginning to feel
>> like I'm sitting on the systems sidelines wondering what the heck is
>> going on here? What is its utility (or fascination?) that seems to make
>> this the web dev tool of the year? Questions:
>>
>> 1). is PHP just bad programming practice in general? (and if so, what
>> could or should be used instead?)
>
>
> I don't think so.  It has some holes, but they tend to be spotted and 
> addressed fairly quickly.  Is the same true of, oh, VBScript on top of 
> ASP, or ColdFusion, or JSP, or even the likes of perl?  I'd say that 
> there're always ways of shooting yourself in the foot, of doing things 
> badly.  I don't think PHP really makes it especially more difficult, 
> either: cgi opens up its own set of problems, for example, and while 
> PHP certainly *has* left things open in the past, it's a young 
> language which gets updated quickly.  And has many eyes upon it.
>
>> 2). what kinds of admin headaches am I opening myself up for, anyway?
>
>
> This really depends upon how you have things set up.  Set php up 
> properly, with things turned off that need to be turned off, and with 
> a careful eye on file permissions
>
>> 3). related... what should I be looking for in system and web portal
>> logs, especially in terms of attacks?
>>
>> I guess what I need is a good primer on this stuff, like a 'What Every
>> SA Must Know About PHP', if you will.
>>
>> 4). any recommendations for a quick, yet thorough, PHP read?
>>
>> I've also become acutely aware as of late that this stuff seems to be
>> very buggy in general, and seems to also be causing headaches for the
>> developers in no predictable manner. In short, it likes to crash, and
>> I'm being enlisted more and more to assist in running Solaris
>> diagnostics on this stuff (for what good it seems to be doing so far),
>> and in playing with ulimits, and frankly, I don't think anyone has a
>> clue (and I know I don't).
>>
>> 5). soliciting anybody else's experience(s)?
>> 6). open for anything else....
>>
>> I've been to the PHP website also. The issues people are having with
>> this are just short of stunning.
>>
>> Thanks.
>> fgz
>>
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://www.ale.org/mailman/listinfo/ale