Jan 13 2007
Is PHP Secure?
PHP has to be one of the easiest programming languages to learn for building dynamic web sites. In less than a week of study, you can be adding PHP code to your web sites and saving form data to a database instead of having it e-mailed to you. The only other language that is just as easy to learn is VBScript for ASP programming (I should note that I’m not talking about ASP.NET programming, which is a bit more involved!).
The problem with the ease of learning PHP is that it’s also easy to write code that is not secure and can be exploited by attackers. This isn’t just a challenge for novices; experienced programmers can also inadvertently write dangerous code.
Apart from coding mistakes, bugs are discovered over time in PHP itself. One would think that once they are found, its developers would move quickly to fix them. According to Stefan Esser, this is not the case. Esser runs the PHP Security Blog and also the Hardened-PHP Project Forum.
He made a post to his blog last month which angered many in the PHP community. In it, Esser announced that he had resigned from the PHP Security Response Team, which he himself had proposed creating several years earlier. The main reason he quit was that the PHP Group constantly blocked his attempts to improve the security of PHP. The Group preferred blaming the developer for any security issues that occur with PHP.
Esser, while still having faith in the potential of PHP, developed Suhosin. You can find it on the Hardened-PHP Project site. Briefly, to plagiarize his site:
Suhosin is an advanced protection system for PHP installations. It was designed to protect your servers on the one hand against a number of well known problems in PHP applications and on the other hand against potential unknown vulnerabilities within these applications or the PHP core itself.
It’s highly recommended that you use Suhosin for any web site that is exposed to the Internet. You probably don’t have to worry much if your site is only on an intranet. The National Institute of Standards and Technology (NIST) reported that PHP applications were involved in 43% of security problems in 2006. In 2005, PHP accounted for 29% of the security issues. With the growing number of users and applications in PHP, I expect the numbers to be even higher in 2007. All the more reason to take a closer look at Suhosin.