Solved

Raw PHP Security Holes

Posted on 2013-05-16
4
290 Views
Last Modified: 2013-07-05
I started a PHP program seven years ago and it has grown extensively.  While being evaluated by a co-worker who is a full-time programmer, he made the comment:

"It is written in "raw" PHP. Raw PHP is known for security holes that other web frameworks mitigate without programmer intervention (SQL injection especially)."

My question, is his first statement correct -- "Is PHP known for security holes?"

My second question, what are some bad practices that would make my code vulnerable to SQL injection?

Thanks.
0
Comment
Question by:pkonstan1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 175 total points
ID: 39171451
You're asking the wrong question.  Instead of what are bad practices, ask about best practices.

There are too many things to get into for a 215 point question - this is more like a Master's Degree in computer science.  But I can offer some learning resources about PHP weaknesses and commonly exploited vulnerabilities.  These articles tell some of the story.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_7317-Register-Globals-a-bad-idea-from-day-one.html
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html

These links are worth studying, even if they are old.
http://www.sitepoint.com/php-security-blunders/
http://phpsec.org/projects/guide/
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

And PHP has this for you.
http://php.net/manual/en/security.php

Executive summary, Accept Only Known Good Values, Assume Nothing, All Data from External Sources is Tainted and an Attack Vector.
0
 

Author Comment

by:pkonstan1
ID: 39171615
Ray, thanks for the answer.

If you don't mind, a follow-up.  

This co-worker does almost all of his work in Java.  Does your executive summary apply to Java as well?  

Is their an equivalent of raw Java that is just as vulnerable?  Or is Java by nature more secure?

Thanks.
0
 
LVL 52

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 20 total points
ID: 39171709
I have been working in asp for too long and just making the hop to other languages like php.  It is not going to matter if you use "raw" php or asp(x) or another language, if you have not accounted for @Ray_Paseur's summary, you are open for trouble.

I see a lot of folks using frameworks like CodeIgniter, Cake, Symfony etc.  I have always liked "raw" programming without a framework but am taking on a project using Symfony.  These frameworks are supposed to take care of security issues along with making things "easy".  

However, if you look at their version control notes, there are plenty of security fix's.   I think if you are the type of person that just wants to worry about making something work that is good. I find it hard to take on a framework at face value because 10 years ago I had a "learning" experience and now I am very carful about letting data in or to be displayed.
0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 20 total points
ID: 39172197
I agree with Ray and padas.  Some of the more popular CMS's like Wordpress and Joomla have security problems in part because they are so popular which makes them bigger targets.  I think your programmer is just being defensive.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I have a large data set and a SSIS package. How can I load this file in multi threading?
The article shows the basic steps of integrating an HTML theme template into an ASP.NET MVC project
The viewer will learn the benefit of using external CSS files and the relationship between class and ID selectors. Create your external css file by saving it as style.css then set up your style tags: (CODE) Reference the nav tag and set your prop…
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question