Hardened PHP

Frank Kreuzbach writes "Yesterday the Hardened-PHP Project has announced its existence on the PHP-general mailinglist. It is the first public patch for PHP which adds security hardening features. It is meant as a proactive approach to protect servers against known and unknown weaknesses within PHP scripts or the engine itself. It enforces restrictions on include statements, adds canary protection to allocated memory and other internal structures and protects against internal format string vulnerabilities. It has syslog support and logs every attack together with the originating ip."

Re:Phew!

[CTho9305]

It's a way to protect against buffer overflows. You put some known data on the stack, and before returning from each function call, make sure that data hasn't been changed. Most buffer overflow exploits work by overwriting part fo the stack, and canary protection will detect that the stack has been changed, so the exploit code will not run.

Other PHP Hardening Sites

[Dozix007]

I run http://www.uberhacker.com . This site is dedicated to secure PHP programming. It is better to program secure rather than limit coding abilities. Secure programming allows for a wider range of scripts and security.

Re:Already in use

[abulafia]

Weird. I do high-volume sites for a living, and mod_perl rocks. I sometimes fall back to coding something in C when it is called millions of times a day, but in general, mod_perl makes getting close to the iron really easy.

shrugs.

Hell, people probably can write fast software in PHP... I can't stand the language, myself, so I've never bothered to learn optimization tricks. Mod_perl kicks ass... as Slashdot knows, not to mention Amazon...

Can a PHP devotee who also knows web development from a mod_perl standpoint explain why you like PHP so much? I'm honestly curious. I've modified other people's apps, and find the language both cumbersome to use for non-trivial things and overly low level, at the same time.

Not likely to get many replies

Not many folks will qualify as knowing both. From my perspective, PHP was stable (MOD_PERL, several years back, was twitchy) and considerably simpler. Remember that to much of the programming world, Perl is weird.

Re:Not quite

[vlad_petric]

Java Server Pages - jsp.

Its advantages: faster (java isn't slow, it has a slow startup, which for a server is hardly a big deal), because the code you write is going to be converted in machine code; scales better (PHP still doesn't provide connection pooling; pconnect doesn't count, btw); more secure (no buffer overflow b/c of java, can use security policies to restrict what your pages are doing)

Its disadvantage: well, you have to learn java. You can't just jump into writing jsp pages, as you'd do with php. But I can equally argue that that's an advantage as well, as it increases the quality of code.

Re:Already in use

[nemesisj]

I'm not extremely familiar with mod_perl, but I do lots of work in PHP.

The reasons I like PHP better than perl for web development is the fact that you can escape in and out of execution (yes, this can be and is often abused) and I like how PHP wraps some of the more unreadable aspects of perl (like extracting arguments, etc) and has nice session support.

Also, PHP seems to have a lot of standard web stuff rolled in by default. I know that you can configure perl to be whatever you want it to be, but back before I had access to my own servers whose environment I could control, this mattered a bit more.

Anyway, just my two cents - it really comes down to personal preference between the two in my opinion - lots of the major disctinctions have gone away in the last couple of years.

Re:Already in use

[BusDriver]

Turck MMCache dev stopped since the lead dev was taken in by Zend. That doesn't mean development has stopped though! New people have taken it over and are slowly coding new stuff up!