Solved

Raw PHP Security Holes

Posted on 2013-05-16
4
293 Views
Last Modified: 2013-07-05
I started a PHP program seven years ago and it has grown extensively.  While being evaluated by a co-worker who is a full-time programmer, he made the comment:

"It is written in "raw" PHP. Raw PHP is known for security holes that other web frameworks mitigate without programmer intervention (SQL injection especially)."

My question is: is his first statement correct -- "Is PHP known for security holes?"

My second question: what are some bad practices that would make my code vulnerable to SQL injection?

Thanks.
0
4 Comments
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 175 total points
ID: 39171451
You're asking the wrong question.  Instead of what are bad practices, ask about best practices.

There are too many things to get into for a 215 point question - this is more like a Master's Degree in computer science.  But I can offer some learning resources about PHP weaknesses and commonly exploited vulnerabilities.  These articles tell some of the story.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_7317-Register-Globals-a-bad-idea-from-day-one.html
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html

These links are worth studying, even if they are old.
http://www.sitepoint.com/php-security-blunders/
http://phpsec.org/projects/guide/
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

And PHP has this for you.
http://php.net/manual/en/security.php

Executive summary: Accept Only Known Good Values, Assume Nothing, All Data from External Sources is Tainted and an Attack Vector.
0
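The executive summary in the answer above, as an added example that is not part of the original answer: the same lookup written the "raw" way that builds SQL from request input, beside a version that accepts only known good values and passes the value as a prepared-statement parameter. The `users` table, the PDO connection and the credentials are assumptions.

```php
<?php
// Added example (not from the answer above): a "raw" string-built query and
// the same lookup rewritten to follow the summary: accept only known good
// values, treat all external input as tainted, and keep data out of the SQL
// text with prepared statements. Assumes a MySQL table users(id, username,
// email) reached through PDO; table, DSN and credentials are placeholders.

declare(strict_types=1);

// Vulnerable pattern: external data is concatenated into the query text, so the
// database cannot tell the programmer's SQL from whatever arrived in the request.
function findUserUnsafe(PDO $db, string $username): array
{
    $sql = "SELECT id, username, email FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version, step 1: accept only known good values. A username here
// may be 3-32 characters of [A-Za-z0-9_]; anything else is rejected outright
// rather than "cleaned up".
function validateUsername(string $raw): ?string
{
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $raw) === 1 ? $raw : null;
}

// Step 2: a prepared statement sends the SQL text and the value separately,
// so the value is never parsed as SQL no matter what it contains.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Example wiring; the DSN and credentials are placeholders.
$db = new PDO('mysql:host=localhost;dbname=app', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

$username = validateUsername($_GET['username'] ?? '');
if ($username === null) {
    http_response_code(400);
    exit('invalid username');
}
$rows = findUserSafe($db, $username);
```

Rejecting input that fails the whitelist (instead of escaping it) is what "Accept Only Known Good Values" means in practice; the prepared statement then covers whatever the validation does not.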
 

Author Comment

by:pkonstan1
ID: 39171615
Ray, thanks for the answer.

If you don't mind, a follow-up.  

This co-worker does almost all of his work in Java.  Does your executive summary apply to Java as well?  

Is there an equivalent of raw Java that is just as vulnerable?  Or is Java by nature more secure?

Thanks.
0
 
LVL 53

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell, EE MVE earned 20 total points
ID: 39171709
I have been working in asp for too long and just making the hop to other languages like php.  It is not going to matter if you use "raw" php or asp(x) or another language, if you have not accounted for @Ray_Paseur's summary, you are open for trouble.

I see a lot of folks using frameworks like CodeIgniter, Cake, Symfony etc.  I have always liked "raw" programming without a framework but am taking on a project using Symfony.  These frameworks are supposed to take care of security issues along with making things "easy".  

However, if you look at their version control notes, there are plenty of security fixes.   I think if you are the type of person that just wants to worry about making something work that is good. I find it hard to take on a framework at face value because 10 years ago I had a "learning" experience and now I am very careful about letting data in or to be displayed.
0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 20 total points
ID: 39172197
I agree with Ray and padas.  Some of the more popular CMSs like WordPress and Joomla have security problems in part because they are so popular, which makes them bigger targets.  I think your programmer is just being defensive.
0