JOB: LAMP Artisan

Eric Wald eswald at
Mon Feb 24 11:02:19 MST 2014

On Mon, Feb 24, Michael Torrie wrote:
> Dan's question is, what is it about PHP that causes it to have such a
> horrible reputation for security?  What makes other languages better for
> real-world web stuff?  What are the trade-offs?

In PHP, the easy, obvious way to construct a webpage is to intermingle
hard-coded bits with unsanitized user input.

In PHP, the easy, obvious way to interact with a database is to stuff
user input straight into a string and use that as your query.

In PHP, the easy, obvious way to build a website is to make each page
its own script, including a global configuration file if necessary.

Some configurations of PHP and/or Apache make it possible to view the
source of a PHP file from over the web, including the aforementioned
global configuration file.

In PHP, passing an array to a function makes a copy by default, making
it easy to run out of memory, simplifying denial-of-service attacks.

Other languages make it harder to build web stuff in the first place,
making the easy, obvious way to use a framework.  Most such frameworks
are more inclined to make security a high priority.  Django's template
system, for example, escapes strings by default.  SQLAlchemy makes it
easier to use parameterized queries than to build the query string.

Then again, PHP doesn't have buffer overflow and null pointer problems,
so it might not be the absolute worst language for the web.

- Eric

More information about the PLUG mailing list