Why do people say that PHP is inherently insecure?

It is pretty hard for a language to be "inherently insecure" by my definition, since a good programmer can adapt. But PHP started out leaving a lot of minefields lying around for novices.

The initial versions of PHP paid little attention to security and the design had some big flaws. Security is hard to retrofit into the core software and into the libraries. Security training is hard in the best of circumstances, and even more so when a large subset of the developers are inexperienced and started off with bad defaults.

For example, it wasn't until version 4.2.0 that register_globals was disabled by default, so data received over the network was not inserted directly into the global namespace anymore. This feature is finally slated for complete removal in the next version.

The early release of PHP and the ease of deploying simple PHP applications also attracted many developers with little security awareness, and ensured a large number of applications, a significant number of which had remotely exploitable vulnerabilities. The size and vulnerability of the deployed base also attracted a lot of interest from the exploit community.

Here are some references and useful links:

  • PHP Insecurity - Technology Review
  • How secure is PHP? - Stack Overflow
  • References on "inherently insecure": http://www.sitepoint.com/forums/showthread.php?threadid=112694
  • PHP Security Consortium
  • http://en.wikipedia.org/wiki/PHP#Security
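The register_globals behaviour mentioned in the first answer above, as an added example that is not part of the original posts: the "before" page relies on an uninitialised variable, and the hardened page beside it initialises the variable first. The setting is emulated with `extract()` so the script runs on current PHP from the command line; `check_login`, `legacy_page`, `hardened_page` and the query string are hypothetical names and constructed input.

```php
<?php
// Constructed sample input: query string of a request to a hypothetical admin page.
$query = 'user=guest&authorized=1';
parse_str($query, $request);        // stand-in for $_GET when run from the CLI

// Hypothetical credential check; a real one would verify a session or password.
function check_login(array $request): bool
{
    return ($request['user'] ?? '') === 'admin';
}

// "Before": emulates register_globals = On. Every request parameter exists as a
// variable before the page's own code runs (EXTR_SKIP keeps $request intact).
function legacy_page(array $request): string
{
    extract($request, EXTR_SKIP);   // what register_globals did implicitly

    if (check_login($request)) {
        $authorized = true;
    }
    // $authorized is never initialised on the failure path, so a request
    // parameter with the same name decides the outcome.
    return !empty($authorized) ? 'admin panel' : 'access denied';
}

// "After": no implicit import, and the flag is initialised before any branch.
function hardened_page(array $request): string
{
    $authorized = false;            // explicit default, independent of input

    if (check_login($request)) {
        $authorized = true;
    }
    return $authorized ? 'admin panel' : 'access denied';
}

echo 'legacy:   ', legacy_page($request), "\n";
echo 'hardened: ', hardened_page($request), "\n";
```

Initialising every variable before use is what makes the page safe regardless of how the setting is configured, and it is the habit the old default did not encourage.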

There are at least two points to this:

  1. PHP is very ubiquitous, and this makes it an interesting target for hackers. It also means a lot of novice programmers use PHP, because it is easy to use. So you are more likely to pick up insecure code if you include third-party libraries in your application.

  2. And I guess the more important point is that PHP wasn't designed to be used on the scale it is today. Rasmus Lerdorf wrote PHP to replace some Perl scripts he used, and it grew from there. So security wasn't the most important aspect when he wrote it, and a lot of the things he decided to use back then (because it was easier to program in) are now security risks.


The more popular a subject is, the more attention it draws. This is the first truth. The second truth is that PHP was not very well designed from the beginning, and nowadays it has a lot of internal hacks to make it work well, which consistently leads to failures in security implementations and version incompatibilities. As the best proof, you can check MOPS. I really don't think that there is more to discuss.
