Solved

Raw PHP Security Holes

Posted on 2013-05-16
Last Modified: 2013-07-05
I started a PHP program seven years ago and it has grown extensively.  While being evaluated by a co-worker who is a full-time programmer, he made the comment:

"It is written in "raw" PHP. Raw PHP is known for security holes that other web frameworks mitigate without programmer intervention (SQL injection especially)."

My question, is his first statement correct -- "Is PHP known for security holes?"

My second question, what are some bad practices that would make my code vulnerable to SQL injection?

Thanks.
Question by:pkonstan1
4 Comments
 
LVL 109

Accepted Solution

by:
Ray Paseur earned 175 total points
ID: 39171451
You're asking the wrong question.  Instead of what are bad practices, ask about best practices.

There are too many things to get into for a 215 point question - this is more like a Master's Degree in computer science.  But I can offer some learning resources about PHP weaknesses and commonly exploited vulnerabilities.  These articles tell some of the story.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_7317-Register-Globals-a-bad-idea-from-day-one.html
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html

These links are worth studying, even if they are old.
http://www.sitepoint.com/php-security-blunders/
http://phpsec.org/projects/guide/
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

And PHP has this for you.
http://php.net/manual/en/security.php

Executive summary: Accept Only Known Good Values; Assume Nothing; All Data from External Sources is Tainted and an Attack Vector.
0
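The bad practice the question asks about, shown next to the "Accept Only Known Good Values" and "All Data from External Sources is Tainted" rules from the summary above. This is an added example, not code from the thread or from any participant. It assumes PHP with the PDO SQLite driver; the `users` table, its rows and the function names are constructed for illustration.

```php
<?php
// Added example: table, rows and function names are constructed for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice','admin'), ('bob','staff'), ('carol','staff')");

// Bad practice: external data is concatenated into the SQL text, so the
// database parses the input as part of the statement itself.
function findByNameConcatenated(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safer: the SQL text is fixed and the value is sent separately as a bound
// parameter, so it is only ever treated as data.
function findByNamePrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers (column names, sort direction) cannot be bound as parameters,
// so accept only known good values from a fixed allow-list.
function listUsersSorted(PDO $pdo, string $column, string $direction): array
{
    $allowedColumns = ['id', 'name', 'role'];
    if (!in_array($column, $allowedColumns, true)) {
        throw new InvalidArgumentException('Unknown sort column');
    }
    $dir = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';
    $sql = "SELECT id, name FROM users ORDER BY $column $dir";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input standing in for a request value such as $_GET['name'].
$tainted = "nobody' OR '1'='1";
printf("concatenated query: %d rows\n", count(findByNameConcatenated($pdo, $tainted)));
printf("prepared statement: %d rows\n", count(findByNamePrepared($pdo, $tainted)));
printf("sorted by name:     %d rows\n", count(listUsersSorted($pdo, 'name', 'desc')));

try {
    listUsersSorted($pdo, 'name; DROP TABLE users', 'asc');
} catch (InvalidArgumentException $e) {
    printf("rejected sort column: %s\n", $e->getMessage());
}
```

The concatenated query matches every row because the quote in the input ends the string literal early; the prepared statement looks for a user with that literal name and finds none.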
 

Author Comment

by:pkonstan1
ID: 39171615
Ray, thanks for the answer.

If you don't mind, a follow-up.  

This co-worker does almost all of his work in Java.  Does your executive summary apply to Java as well?  

Is there an equivalent of raw Java that is just as vulnerable?  Or is Java by nature more secure?

Thanks.
0
 
LVL 52

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 20 total points
ID: 39171709
I have been working in asp for too long and just making the hop to other languages like php.  It is not going to matter if you use "raw" php or asp(x) or another language, if you have not accounted for @Ray_Paseur's summary, you are open for trouble.

I see a lot of folks using frameworks like CodeIgniter, Cake, Symfony etc.  I have always liked "raw" programming without a framework but am taking on a project using Symfony.  These frameworks are supposed to take care of security issues along with making things "easy".  

However, if you look at their version control notes, there are plenty of security fixes.   I think if you are the type of person that just wants to worry about making something work that is good. I find it hard to take on a framework at face value because 10 years ago I had a "learning" experience and now I am very careful about letting data in or to be displayed.
0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 20 total points
ID: 39172197
I agree with Ray and padas.  Some of the more popular CMS's like WordPress and Joomla have security problems in part because they are so popular which makes them bigger targets.  I think your programmer is just being defensive.
0
