Forums | MacLife

Booksley wrote:

According to one of my friends, just using PHP is a huge HACK ME HERE NOW PLEASE sign

LOL

Visual Quickstart guides are a great way to learn.
And there will only be a big "hack me" sign if you don't learn about the security implications of taking in data. I could make any language a security nightmare - so anyone who singles out one language is just trying way too hard to be funny and probably needs to be slapped.

Probably what a lot of people don't understand about PHP is that it doesn't do anything for you - its just a long list of functions that you can choose to work with in any way you choose, so its easy to choose the quick route that doesn't take any security into account.

Booksley wrote:

According to one of my friends, just using PHP is a huge HACK ME HERE NOW PLEASE sign

No, it's not.
There is some very bad code because php is easy so people who don't understand security can write apps.

Use suhosin - http://www.hardened-php.net/suhosin/

It will protect you from many attacks.
Understand that you need to verify far more than most people think. For example - the session id (if using sessions) can be manipulated by the user, as can many of the http environmental variables.

Be extremely cautious when granting write access to the webserver user. In many cases, it is better to do an sql insert rather than write to filesystem. When you do need to write to filesystem, do so in a directory outside of the web root (so that any file written to file system can not then be requested by users browser) etc.

It's not a bad to forbid the system and exec calls in your php.ini.
You probably don't want to use them (there almost always is a better way) and many exploited php sites are exploited because un-checked input was allowed to send an exec command to the php interpreter.

I'm not a guru by any means, but php can be done safely and there are a lot of programmers who do so. There are just far more who don't, and they write exploitable code no matter what language they are using, they just happen to often use php because it is so easy.

I bought the php 5 mysql bible.
It's a good book. At least I think so.

Last edited by resedit (2007-12-22 2:29 am)

avkills wrote:

Well you also need to check input so they don't hose the SQL calls also.

Yeah - there's a function called mysql_real_escape_string that should be used before running a query.

http://us3.php.net/mysql_real_escape_string

resedit wrote:

Booksley wrote:

According to one of my friends, just using PHP is a huge HACK ME HERE NOW PLEASE sign

No, it's not.
There is some very bad code because php is easy so people who don't understand security can write apps.

Indeed.