Slashdot Mirror


PHP Application Insecurity - PHP or Devs Fault?

somersault asks: "There have recently been a lot of people making jokes at the expense of PHP, but how many common security flaws in PHP are the fault of the language, and how many the fault of the developer? A recent Security Focus article (via the Register) has a brief discussion which suggests that PHP is no less secure than any other scripting language, and that it is the users of the language themselves who need to be educated. The other side of the story is that the developers of PHP should work on tightening up the language to make it more 'idiot proof' by default. Should the team developing PHP take a more active role in controlling the use of their language? What will it take to ensure that users of the language learn to use it securely, short of defacing every vulnerable website out there?"

2 of 200 comments

  1. it really is the dev's fault by ILuvRamen · Score: 0, Flamebait

    Leaving it wide open for SQL injections when you could just filter out semicolons is absolutely the developer's fault. The code is gone by the time the page gets to the user, for God's sake; it's not a horribly insecure language if you know how to use it. Languages aren't there to babysit someone who knows nothing about proper security, they're there to do the maximum amount of things. Adding security restrictions would just piss people off and get in the way of people who want to do things other ways.

    --
    Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
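
As an added illustration of the technique this comment proposes (example code written for this page, not posted in the thread): the same login check in PHP built three ways, by plain string concatenation, by concatenation after stripping semicolons as the comment suggests, and with a PDO prepared statement. The in-memory SQLite database, the users table, the function names and the attacker input are all constructed here for the example.

```php
<?php
// Added example, not from the thread. Uses PDO with an in-memory SQLite
// database (pdo_sqlite ships with the PHP CLI) so it runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, pass TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 's3cret')"); // constructed row

// 1. Wide open: user input is pasted straight into the SQL text.
function loginConcat(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE name = '$user' AND pass = '$pass'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// 2. The "filter out semicolons" idea: strips ';' and nothing else, then
//    builds the query exactly as in (1).
function loginNoSemicolon(PDO $db, string $user, string $pass): bool
{
    $user = str_replace(';', '', $user);
    $pass = str_replace(';', '', $pass);
    return loginConcat($db, $user, $pass);
}

// 3. Prepared statement: the values are bound as data and are never parsed
//    as part of the SQL, so quoting tricks in the input have no effect.
function loginPrepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE name = :u AND pass = :p');
    $stmt->execute([':u' => $user, ':p' => $pass]);
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed attacker input for the password field. It contains no semicolon,
// so the filter in (2) passes it through unchanged. Inside (1) and (2) the
// WHERE clause becomes:  name = 'alice' AND pass = '' OR '1'='1'
$payload = "' OR '1'='1";

$results = [
    'concat, injected'        => loginConcat($db, 'alice', $payload),
    'no-semicolon, injected'  => loginNoSemicolon($db, 'alice', $payload),
    'prepared, injected'      => loginPrepared($db, 'alice', $payload),
    'prepared, real password' => loginPrepared($db, 'alice', 's3cret'),
];

foreach ($results as $label => $ok) {
    printf("%-24s login %s\n", $label, $ok ? 'ACCEPTED' : 'rejected');
}
```

Run it with the php CLI. Because the payload never uses a semicolon, the filter in the second function leaves it untouched and both concatenated versions accept the login with a wrong password; only the prepared statement rejects it, while still accepting the real password. Blacklisting individual characters is not what separates data from SQL; binding parameters is.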
  2. PHP == fucked by NotZed · Score: 1, Flamebait

    The language is largely at fault. Sure, the PHP developer space is filled with 'ASP-level' programmers - but at the end of the day, there's only so much you can blame on the monkeys cutting code. PHP is an awful language, doesn't scale, doesn't promote anything remotely 'good', but still does the job. It isn't alone.

    It isn't an entirely bad thing either. At the end of the day people need software that does something. Security is for the most part not a priority - and why should it be, really? Only because of arseholes is it even an issue.

    But anyway, to cut it short - avoid PHP. The security issues are not even the start of how fucked a language it is. I'd much much rather code in C (C, not C++) than PHP any day (and yes, I've written production software in both). It doesn't have any more security issues - yet the ones it has are more obvious - it is orders of magnitude more scalable and performant, and it doesn't have any of the limitations.

    --
    _ // `Thinking is an exercise to which all too few brains
    \\/ are accustomed' - First Lensman