Slashdot Mirror


'Month of PHP Security' Finds 60 Bugs

darthcamaro writes "More than 60 bugs were reported in PHP over the last 30 days by the Month of PHP Security project. Most of the flaws, however, are ones that developers themselves can protect against with proper coding practices, according to Andi Gutmans, CEO of commercial PHP vendor Zend. He argues that PHP security is a matter of setting expectations. In his view, PHP — like all development languages — is only as secure as the code developers write with it. 'People should not expect PHP to be able to enforce security boundaries on a developer [who] has permissions to run custom PHP code,' Gutmans said. 'It's an inherently flawed scenario — and it's the wrong layer to protect in. People must rely on properly configured OS-level permissions for securing against untrusted developers.' Gutmans also praised the MOPS effort for elevating the profile of PHP security throughout the community, and for responsibly alerting the PHP project first with the bugs they found."

6 of 120 comments

  1. Re:One of the biggest problems is configurability by MightyMartian · Score: 4, Insightful

    The configuration file is a problem, to be sure, but the real problem is their insane library which seems to fit no particular convention. It's goddamned madness and makes coding an incredibly painful experience as you constantly run back and forth to the online manual to get the exact name of the function. Out of that comes the constant deprecating and synonyms. I find PHP a painful, awkward language to code in, but because I do so much work supporting legacy stuff, I'm stuck with it.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  2. Doing something about it. by AndGodSed · Score: 4, Insightful

    At least they are working on finding bugs. The fact that they _found_ bugs shows that they are doing a thorough job.

    This is A GOOD THING (TM)

  3. Re:One of the biggest problems is configurability by 0racle · Score: 4, Insightful

    I wouldn't say that Perl or Python suffer from what PHP suffers from.

    --
    "I use a Mac because I'm just better than you are."
  4. Re:One of the biggest problems is configurability by mcrbids · Score: 5, Insightful

    I use PHP and I love it as a language. It's powerful, stable, and lets me get lots of work done quickly.

    That said, you hit on the two biggest annoyances I have with PHP:

    1) Argument order: is it myfunction($haystack, $needle) or myfunction($needle, $haystack)? There's no rhyme or reason that I can consider, mostly just random stuff.

    2) Function names: Is it going to be isinteger() or is_integer()? And even within a set of otherwise closely related functions, while PHP has is_integer(), is_set() is actually isset(). Who thought this was a good idea?

    Again, I don't want to knock PHP too badly, it's a lean mean workhorse of a language, and its many strengths vastly outweigh its weaknesses. But couldn't they pick a convention and move to it?

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  5. Re:Untrusted developers by Hatta · Score: 4, Insightful

    What if that untrusted coder is not an employee, but a customer? If you're hosting websites, and your client wants to write custom PHP, you need to rely on your OS features to ensure that his insecure code can't damage other users.

    --
    Give me Classic Slashdot or give me death!
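    The isolation Hatta (and Gutmans in the summary) describe, put into configuration: an added example, not from the article or any commenter, giving each hosting customer its own php-fpm pool under a dedicated Unix account. The pool name, account names and paths are assumptions.

    ```ini
    ; /etc/php/fpm/pool.d/customer-acme.conf  (assumed path)
    ; One php-fpm pool per hosting customer; the Unix user is the real boundary.
    [customer-acme]
    ; Dedicated, unprivileged account owning /srv/customers/acme and nothing else.
    user = acme
    group = acme

    ; Socket reachable only by the web server account.
    listen = /run/php/customer-acme.sock
    listen.owner = www-data
    listen.group = www-data
    listen.mode = 0660

    pm = ondemand
    pm.max_children = 5

    ; Defence in depth on top of file ownership: confine PHP's own file access
    ; to the customer's tree and a private temp/session area.
    php_admin_value[open_basedir] = /srv/customers/acme:/tmp/acme
    php_admin_value[upload_tmp_dir] = /tmp/acme
    php_admin_value[session.save_path] = /tmp/acme/sessions

    ; Process-spawning functions a typical site has no need for.
    php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen
    php_admin_flag[allow_url_include] = off
    ; php_admin_* settings cannot be overridden by the customer's scripts or .user.ini.
    ```

    A second customer gets its own pool file with a different user and tree, so a bug in one customer's code runs as an account that has no filesystem rights over any other customer's files.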
  6. Re:One of the biggest problems is configurability by Mr. Shiny And New · Score: 4, Insightful

    PHP's strength: ubiquity. PHP is installed everywhere, so if you are intending for your application to be deployed on diverse machines with low-cost hosting it is a good bet. I like to code in Java but for my home website it's all PHP because that comes free with my hosting provider, whereas better environments are more complicated to set up or more expensive.