Solved

Raw PHP Security Holes

Posted on 2013-05-16
4
295 Views
Last Modified: 2013-07-05
I started a PHP program seven years ago and it has grown extensively.  While being evaluated by a co-worker who is a full-time programmer, he made the comment:

"It is written in "raw" PHP. Raw PHP is known for security holes that other web frameworks mitigate without programmer intervention (SQL injection especially)."

My question, is his first statement correct -- "Is PHP known for security holes?"

My second question, what are some bad practices that would make my code vulnerable to SQL injection?

Thanks.
0
Comment
Question by:pkonstan1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 175 total points
ID: 39171451
You're asking the wrong question.  Instead of what are bad practices, ask about best practices.

There are too many things to get into for a 215 point question - this is more like a Master's Degree in computer science.  But I can offer some learning resources about PHP weaknesses and commonly exploited vulnerabilities.  These articles tell some of the story.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_7317-Register-Globals-a-bad-idea-from-day-one.html
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html

These links are worth studying, even if they are old.
http://www.sitepoint.com/php-security-blunders/
http://phpsec.org/projects/guide/
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

And PHP has this for you.
http://php.net/manual/en/security.php

Executive summary, Accept Only Known Good Values, Assume Nothing, All Data from External Sources is Tainted and an Attack Vector.
0
 

Author Comment

by:pkonstan1
ID: 39171615
Ray, thanks for the answer.

If you don't mind, a follow-up.  

This co-worker does almost all of his work in Java.  Does your executive summary apply to Java as well?  

Is their an equivalent of raw Java that is just as vulnerable?  Or is Java by nature more secure?

Thanks.
0
 
LVL 53

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 20 total points
ID: 39171709
I have been working in asp for too long and just making the hop to other languages like php.  It is not going to matter if you use "raw" php or asp(x) or another language, if you have not accounted for @Ray_Paseur's summary, you are open for trouble.

I see a lot of folks using frameworks like CodeIgniter, Cake, Symfony etc.  I have always liked "raw" programming without a framework but am taking on a project using Symfony.  These frameworks are supposed to take care of security issues along with making things "easy".  

However, if you look at their version control notes, there are plenty of security fix's.   I think if you are the type of person that just wants to worry about making something work that is good. I find it hard to take on a framework at face value because 10 years ago I had a "learning" experience and now I am very carful about letting data in or to be displayed.
0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 20 total points
ID: 39172197
I agree with Ray and padas.  Some of the more popular CMS's like Wordpress and Joomla have security problems in part because they are so popular which makes them bigger targets.  I think your programmer is just being defensive.
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
Originally, this post was published on Monitis Blog, you can check it here . In business circles, we sometimes hear that today is the “age of the customer.” And so it is. Thanks to the enormous advances over the past few years in consumer techno…
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn the basics of jQuery including how to code hide show and toggles. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery…

631 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question