Is PHP Insecure?

Him – PHP is insecure.
Me – What makes you say so?
Him – I read it in a book.
Me – And what have you read exactly?
Him – I can’t remember, I’ll send you the book.

And he did actually send me the book. I read it; it was about 70 pages. Actually, I guess it was first an e-zine or something from some hackers' website or mailing list, whatever. After that I saw the guy.

Me – Did you read the book, or just skim through it?
Him – No, I read it.
Me – Do you know anything about PHP?
Him – Yeah, I wrote some scripts.
Me – OK, first of all, the book does not talk about any PHP vulnerability, and the examples he gave for his hacks were just stupid code. If anyone working in this industry writes code like that, he should get capital punishment.
Him – What, no, no, it's just that PHP is not secure.
Me – OK, here is the book, tell me where it says that PHP is not secure.
Him – In the first chapter he talks about a vulnerability in the include function.
Me – Yeah, I noticed that. First of all, include is not a function, it's an operator. Second, the code says something like

<?php
// $page is never assigned in this script; with register_globals on it
// comes straight from the request, so the user picks the file to include.
include ($page);
?>

and he says that when register_globals is turned on you can override $page.
OK, where did the $page variable come from? It should have come from somewhere, and at that somewhere it would be set, unless the coder is depending on register_globals being on and expecting the $page variable to come from user input. Well, it's one of the most basic things in programming that you have to validate user input. So it's not a vulnerability in PHP itself, it's a vulnerability in the developer's code, which marks him as an idiot who should not put any code online, unless he is trying to win the most hacked site of the year, which also marks him as stupid, because after the first hack his application would be down, and maybe shredded all over; after the second I guess he would be fired.
Him – But it's also PHP's problem, why does it allow such code?
Me – Really? A stupid programmer can create this vulnerability in any language you want.
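To make the argument concrete, here is the include pattern from the book next to what "validate user input" looks like in practice. This is an added example, not code from the book or from the original post; the pages/ directory and file names are assumed.

```php
<?php
declare(strict_types=1);

// The pattern the book criticises: $page arrives from the request
// (via register_globals or $_GET) and nothing checks it, so the user
// decides which file PHP includes. The flaw is in this code, not in PHP.
function render_page_unsafe(string $page): void
{
    include $page;
}

// Hardened version: the request carries only a page *name*, and that name
// is looked up in a fixed allowlist. The raw input is never used as a path.
// (Assumed directory layout: pages/home.php, pages/about.php, pages/contact.php.)
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(?string $requested): ?string
{
    if ($requested === null) {
        return PAGES['home'];
    }
    // Exact-key lookup: traversal sequences, URLs or anything else that is
    // not one of the three keys above yields null, never a file path.
    return PAGES[$requested] ?? null;
}

function render_page_safe(?string $requested): void
{
    $file = resolve_page($requested);
    if ($file === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include $file;
}

// Read the value explicitly from the request instead of relying on
// register_globals, so the origin of $page is visible in the code.
render_page_safe($_GET['page'] ?? null);
```

The same allowlist idea applies in any language with a dynamic include or require, which is the author's point: the fix lives in the application code, not in the interpreter.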

Well, the point is not just related to PHP; it applies to any programming language. Lots of inexperienced developers blame their errors on the programming language. Yes, some bugs do come from the language itself, but that is very rare, and when it happens, programmers learn how to avoid them.
Another problem is that people like Him believe these things without really knowing, and most of them defend them like their lives.

Story Morals:
Don't blame others for your mistakes; try to find out where you've been wrong first.
Don't defend ideas you know nothing about. If you think they are right, investigate them first, so that at least when someone asks you about them you have something more reasonable to say than "I heard it" or "I read it in a book".
