Slashdot Mirror


PHP Application Insecurity - PHP or Devs Fault?

somersault asks: "There have recently been a lot of people making jokes at the expense of PHP, but how many common security flaws in PHP are the fault of the language, and how many the fault of the developer? A recent Security Focus article (via the Register) has a brief discussion which suggests that PHP is no less secure than any other scripting language, and that it is the users of the language themselves who need to be educated. The other side of the story is that the developers of PHP should work on tightening up the language to make it more 'idiot proof' by default. Should the team developing PHP take a more active role in controlling the use of their language? What will it take to ensure that users of the language learn to use it securely, short of defacing every vulnerable website out there?"

4 of 200 comments

  1. You are all lazy programmers! by Karaman · Score: 0, Troll

    You are too lazy to create secure code, so you blame PHP, LOL :)

    I have been using PHP for 5 years now and I always checked
    how my code worked, whether it was safe enough, etc., etc.
    I don't rely on others to do my job!

    Well, I don't say there are no stupidities or bugs or whatever in PHP,
    but when you write insecure code, you should not blame the language
    you are writing in!

    Blame yourselves that you have not read enough, that you have not
    tested enough, or that you are not lucky enough!
    Then sit on your butt and rewrite those unsafe lines of code!

    p.s. If you feel you don't have the ability to write good PHP code, blame yourselves again!

    --
    sex is better than war!
  2. Re:Tool safety by ChengWah · Score: 0, Troll

    Just like it's vehicle manufacturers who kill and maim on the roads. If you can't or shouldn't drive then don't. Same applies to programming. Many programmers are optimists - poor misguided fools. If you write software, try to break it before you release it, or don't bother writing it in the first place.

  3. Re:it really is the dev's fault by ILuvRamen · Score: 0, Troll

    oh sorry, I meant to type out my entire security policy for PHP but it was a bit longer than that. Shut up, it was an example

    --
    Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
  4. Re:So old... by LizardKing · Score: 0, Troll

    Quit with this "no such thing as a bad programming language, there are bad developers" bullshit. If a language encourages bad practices with an inconsistent, badly designed library and dubious features, then it is the fault of the language. Add in the poor tutorials (including most of those in printed books and on Zend's own website), and you've got a bad language made worse by ignorance. You ask where the articles are about good PHP apps and programmers. They don't exist, as most large scale web apps are written in Java - see this UKUUG paper for some reasons why. PHP lowers the barrier for getting a simple web app up and running, but it simply should not be used for anything large scale. The language is poorly designed, and poorly implemented (check out the number of vulnerabilities on bug tracking sites that are attributable to PHP itself rather than just the apps written with it).
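The distinction the submission asks about, and that LizardKing's comment turns on ("dubious features" versus developer mistakes), is easier to see in code. The following is an added example, not code from the thread or from any of its posters. It puts a flaw that is squarely the developer's (request input concatenated into an SQL string) beside one that a language default handed to the developer (register_globals, on by default before PHP 4.2, off by default afterwards, removed in PHP 5.4, which turned every request parameter into a PHP variable). Assumptions: PHP 7 or later with the pdo_sqlite extension; the users table, its rows and the request arrays are constructed for the example; extract() is used to reproduce what register_globals did implicitly.

```php
<?php
// Added example, not from the Slashdot thread.
// Assumes PHP >= 7 with pdo_sqlite. All data below is constructed.
declare(strict_types=1);

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT, pass TEXT)');
    $db->exec("INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2')");
    return $db;
}

// (a) Developer's fault: the query text itself is built from the request,
// so a quote in $pass ends the literal and the rest is parsed as SQL.
function loginInsecure(PDO $db, string $user, string $pass): bool {
    $sql = "SELECT 1 FROM users WHERE name = '$user' AND pass = '$pass'";
    return (bool) $db->query($sql)->fetchColumn();
}

// Hardened form: the values travel as bound parameters, never as SQL text,
// so the same payload is just a wrong password.
function loginSecure(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT 1 FROM users WHERE name = ? AND pass = ?');
    $stmt->execute([$user, $pass]);
    return (bool) $stmt->fetchColumn();
}

// (b) Language default's fault: with register_globals=On (PHP < 5.4) every
// request parameter became a variable before the script ran, so a request
// carrying ?authorized=1 pre-set $authorized in code that only assigned it
// on success. extract() is used here to reproduce that implicit merge.
function adminPageWithRegisterGlobals(array $request, bool $passwordOk): string {
    extract($request);            // what register_globals did for $_GET/$_POST
    if ($passwordOk) {
        $authorized = true;
    }
    // $authorized was never initialised on the failure path, so the request
    // value survives the check.
    return !empty($authorized) ? 'admin content' : 'denied';
}

// Hardened form: every variable is initialised by the script, and request
// data is only ever read explicitly from the array that carries it.
function adminPageSafe(array $request, bool $passwordOk): string {
    $authorized = false;
    if ($passwordOk) {
        $authorized = true;
    }
    // $request is deliberately not consulted for the authorisation decision.
    return $authorized ? 'admin content' : 'denied';
}

$db = makeDb();
$bypass = "' OR '1'='1";   // classic tautology; turns the WHERE clause into "... OR true"

var_dump(loginInsecure($db, 'alice', $bypass));
var_dump(loginSecure($db, 'alice', $bypass));
var_dump(adminPageWithRegisterGlobals(['authorized' => '1'], false));
var_dump(adminPageSafe(['authorized' => '1'], false));
```

Run it with the php CLI. The first pair shows a bug no language change could have prevented short of forbidding string queries; the second shows a bug the developer could only have avoided by knowing about a default that, at the time, the language documentation itself warned against. Both appear in real PHP applications of that era, which is why the thread's two camps are each half right.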