|
|
BugTraq
Re: Re: PHP security (or the lack thereof) Jun 21 2006 11:52PM nabiy hotmail com (2 replies) Re: PHP security (or the lack thereof) Jun 23 2006 08:16PM Crispin Cowan (crispin novell com) (3 replies) Re: PHP security (or the lack thereof) Jun 24 2006 12:43PM Glynn Clements (glynn gclements plus com) Re: PHP security (or the lack thereof) Jun 24 2006 08:28AM Daniel Hulme (bugtraq doublezero uklinux net) |
|
Privacy Statement |
> Trying to make the language 'safe' won't fix it because the language
> is not the problem. The real problem is the way PHP is presented to
> most new developers.
> PHP has been introduced as a tool for the web developer. As a language
> its goal is "to allow web developers to write dynamically generated
> pages quickly." ( http://www.php.net/manual/en/faq.general.php ).
Did you read Section IV of that same manual? I remember it quite well,
having wrote some portions of it.
" PHP is a powerful language and the interpreter, whether included in
a web server as a module or executed as a separate CGI binary, is able
to access files, execute commands and open network connections on the
server. These properties make anything run on a web server insecure by
default."
...
"The configuration flexibility of PHP is equally rivalled by the code
flexibility. PHP can be used to build complete server applications,
with all the power of a shell user, or it can be used for simple
server-side includes with little risk in a tightly controlled
environment. How you build that environment, and how secure it is, is
largely up to the PHP developer."
From:
<http://www.php.net/manual/en/security.intro.php>
> The focus then is to enable the web developer by giving him the tools
> he needs to create dynamic content, with as little hassle as possible.
> The web developer need only read a short tutorial (
> http://www.php.net/manual/en/tutorial.php ) and he is ready to read,
> understand and implement the ideas presented in the various example
> scripts on PHP.net. Unfortunately this situation leaves the web
> developer uninformed and unprepared to face the hostile environment
> that is the net.
You may be making some erroneous assumptions about who, or what, PHP
quantifies a "web developer" as. As the manual notes, PHP scales,
security wide, from extremely rigid to extremely flexible, as needed.
It is simultaneously being used as a multi-million-users piece of core
software at sites such as Yahoo! and wikipedia, but it can also be used
as a mail form processor at "Joe's bait and tackle". I don't think
somebody who would ever consider the security section in the primary
online manual as a "footnote" as having enough experience to call
themselves a developer.
> the only real solution is to change the way the language is presented
> to new developers. It must be presented in a manner that increases the
> awareness of the developer so that he able to deploy his application
> in a safe manner. This means that security needs to be taught from the
> beginning rather than as a footnote, especially on sites where
> authoritative teaching is given ( such as PHP.net ). - nabiy
If somebody doesn't know that security considerations are a core part
of writing *any* software, they probably aren't that experienced of a
developer yet. However, it might be a Very Good Idea(TM) to make a
mini-security subsection in the tutorial/"Getting Started" section, for
readers who skip over section IV.
FWIW, The manual is arranged as follows:
-----
Preface
I. Getting Started
II. Installation and Configuration
III. Language Reference
IV. Security
V. Features
VI. Function Reference
VII. PHP and Zend Engine Internals
VIII. FAQ: Frequently Asked Questions
IX. Appendixes
----
Note that Security is introduced just after the context of "how the
language works"/"Language Reference" (so users can understand the
security issues) and before "What the Language can do"/"Features".
-Ronabop
--
4245 NE Alberta Ct.
Portland, OR 97218
503-282-1370
[ reply ]