Re: Re: PHP security (or the lack thereof)

[nabiy () hotmail com]

> You may be making some erroneous assumptions about who, or what, PHP 
> quantifies a "web developer"  as. As the manual notes, PHP scales, 
> security wide, from extremely rigid to extremely flexible, as needed. 
> It is simultaneously being used as a multi-million-users piece of core 
> software at sites such as Yahoo! and wikipedia, but it can also be used 
> as a mail form processor at "Joe's bait and tackle". I don't think 
> somebody who would ever consider the security section in the primary 
> online manual as a "footnote" as having enough experience to call 
> themselves a developer.

Highly skilled experienced developers are not designing the vulnerable software in question.  It is not the 
multi-million-user applications (such as yahoo or wikipedia) that we need to worry about.  We need to worry about the 
new developers who do not understand the implications of what they are coding. We need to worry about the 
fifteen-year-old kid who contributes to PHPBB and projects like it so he can learn how to code.  We also need to worry 
about the web developer who deploys these applications, unknowingly trusting the fifteen-year-old kid's software 
because he doesn’t have the experience or the time to develop a solution himself.  When talking about PHP and the high 
rate of vulnerabilities, these are the people we are talking about.

This is not just PHP.net's problem. This is a community problem. Experienced developers are writing tutorials without 
regard to security.  Here is a good example of what I am talking about from freewebmasterhelp.com (the third result 
returned by google - http://www.google.com/search?q=php+tutorial ):.

<?
$username="username";
$password="password";
$database="your_database";

$first=$_POST['first'];
$last=$_POST['last'];
$phone=$_POST['phone'];
$mobile=$_POST['mobile'];
$fax=$_POST['fax'];
$email=$_POST['email'];
$web=$_POST['web'];

mysql_connect(localhost,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");

$query = "INSERT INTO contacts VALUES ('','$first','$last','$phone','$mobile','$fax','$email','$web')";
mysql_query($query);

mysql_close();
?>
I do not need to iterate through the security problems with the above script. We are showing new developers how to get 
input and insert data into mysql but we do not show them how or why they need to validate that input.  This is the 
reason for the high rate of vulnerabilities in PHP software. 

This problem is widespread, any tutorial you find likely contributes to this problem. Even PHP.net is guilty of this. 
In PHP.net’s tutorial you introduce a simple HTML form and print the data from that form by passing the data unfiltered 
back to the browser (http://www.php.net/manual/en/tutorial.forms.php ). It would be much better imho to teach security 
from the beginning and introduce the idea of filtering the data at that point.  

The problem is the way the community presents PHP. It will take a community effort to fix it. - nabiy