Secure Coding mailing list archives
Programming languages -- PHP
From: "David A. Wheeler" <dwheeler () ida org>
Date: Wed, 21 Jul 2004 17:33:23 +0100
"Kenneth R. van Wyk" <[EMAIL PROTECTED]> said: It appears as though we may well have discovered software security's third rail over the last couple of weeks in the discussions regarding programming language choices. I don't mean to fan those flames by any means, trust me. However, I noticed several announcements for PHP version 5 (see http://www.zend.com/ for the official announcement and press release) over the weekend. PHP has long been the whipping boy of secure programming, and version 5 appears to add a great deal of new functionality to this popular language. Secure or not, there's a lot of PHP users and coders out there, and this added complexity certainly enhances its "trinity of trouble" profile (with respect to Gary McGraw's "Exploiting Software"). Along those lines, there's a good article at http://otn.oracle.com/pub/articles/hull_asp.html that compares PHP5 against ASP.NET, including the security features of each. Generic "My language is better than your language" arguments are generally very dull, and not englightening. But a variation _is_ useful. I _do_ find descriptions of "in language A, beware of X, Y, and Z" very helpful. They help users of the language (to avoid them), and they also help language implementors (who can add warnings, or even change the language to fix the problem). They help those who select languages - if a language has way too many "sharp edges" perhaps another language should be chosen instead! They also help future language designers, so they'll know what to avoid. ALL languages have problem areas; accepting that, and learning from them, is the wisest course. We do have to work to stay current, though. McGraw's "Exploiting Software" correctly chastizes old PHP for letting attackers control remote variables. That _was_ a serious issue. However, this PHP problem had already been reported and fixed long, long before his book went to print. It's too bad that, IIRC, McGraw's book doesn't note that. I don't know what the lead time was on his book; that may not have been doable. My point isn't really McGraw's book, my point is just that we need to note security-relevant changes to languages as they occur. To be honest, the PHP developers did something that most language designers have been unwilling to do: they changed the language, in fundamental ways, so that a common security flaw could no longer be exploited. Basically, attackers no longer control global variables by default. Let's give them credit for that! Details at: http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/php.html Historically, PHP hasn't had a wonderful track record. On the other hand, appears they're taking security much more seriously, and have redesigned to make that happen. Chastise people when they deserve it, but let's also give kudos to anyone who takes security seriously & is willing to make real changes to improve the infrastructure. --- David A. Wheeler
Current thread:
- Programming languages -- PHP David A. Wheeler (Jul 21)