Solved

Raw PHP Security Holes

Posted on 2013-05-16
4
274 Views
Last Modified: 2013-07-05
I started a PHP program seven years ago and it has grown extensively.  While being evaluated by a co-worker who is a full-time programmer, he made the comment:

"It is written in "raw" PHP. Raw PHP is known for security holes that other web frameworks mitigate without programmer intervention (SQL injection especially)."

My question, is his first statement correct -- "Is PHP known for security holes?"

My second question, what are some bad practices that would make my code vulnerable to SQL injection?

Thanks.
0
Comment
Question by:pkonstan1
4 Comments
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 175 total points
Comment Utility
You're asking the wrong question.  Instead of what are bad practices, ask about best practices.

There are too many things to get into for a 215 point question - this is more like a Master's Degree in computer science.  But I can offer some learning resources about PHP weaknesses and commonly exploited vulnerabilities.  These articles tell some of the story.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_7317-Register-Globals-a-bad-idea-from-day-one.html
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html

These links are worth studying, even if they are old.
http://www.sitepoint.com/php-security-blunders/
http://phpsec.org/projects/guide/
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

And PHP has this for you.
http://php.net/manual/en/security.php

Executive summary, Accept Only Known Good Values, Assume Nothing, All Data from External Sources is Tainted and an Attack Vector.
0
 

Author Comment

by:pkonstan1
Comment Utility
Ray, thanks for the answer.

If you don't mind, a follow-up.  

This co-worker does almost all of his work in Java.  Does your executive summary apply to Java as well?  

Is their an equivalent of raw Java that is just as vulnerable?  Or is Java by nature more secure?

Thanks.
0
 
LVL 52

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 20 total points
Comment Utility
I have been working in asp for too long and just making the hop to other languages like php.  It is not going to matter if you use "raw" php or asp(x) or another language, if you have not accounted for @Ray_Paseur's summary, you are open for trouble.

I see a lot of folks using frameworks like CodeIgniter, Cake, Symfony etc.  I have always liked "raw" programming without a framework but am taking on a project using Symfony.  These frameworks are supposed to take care of security issues along with making things "easy".  

However, if you look at their version control notes, there are plenty of security fix's.   I think if you are the type of person that just wants to worry about making something work that is good. I find it hard to take on a framework at face value because 10 years ago I had a "learning" experience and now I am very carful about letting data in or to be displayed.
0
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 20 total points
Comment Utility
I agree with Ray and padas.  Some of the more popular CMS's like Wordpress and Joomla have security problems in part because they are so popular which makes them bigger targets.  I think your programmer is just being defensive.
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

This article describes how to create custom column layout styles for Bootstrap. The article uses 5 columns to illustrate the concept, but the principle can be extended to any number of columns.
Building a website can seem like a daunting task to the uninitiated but it really only requires knowledge of two basic languages: HTML and CSS.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
The viewer will learn the benefit of using external CSS files and the relationship between class and ID selectors. Create your external css file by saving it as style.css then set up your style tags: (CODE) Reference the nav tag and set your prop…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now