
'Month of PHP Security' Finds 60 Bugs

Posted by kdawson
from the new-mops-sweep-clean dept.
darthcamaro writes "More than 60 bugs were reported in PHP over the last 30 days by the Month of PHP Security project. Most of the flaws, however, are ones that developers themselves can protect against with proper coding practices, according to Andi Gutmans, CEO of commercial PHP vendor Zend. He argues that PHP security is a matter of setting expectations. In his view, PHP — like all development languages — is only as secure as the code developers write with it. 'People should not expect PHP to be able to enforce security boundaries on a developer [who] has permissions to run custom PHP code,' Gutmans said. 'It's an inherently flawed scenario — and it's the wrong layer to protect in. People must rely on properly configured OS-level permissions for securing against untrusted developers.' Gutmans also praised the MOPS effort for elevating the profile of PHP security throughout the community, and for responsibly alerting the PHP project first with the bugs they found."

  • by suso (153703) * on Friday June 04, 2010 @12:53PM (#32460032) Homepage Journal

    > Ironically all this time I've been avoiding the preg functions because I figured they were the more likely candidates to go away.

    > Sorry this is short, but are you *that* dumb?

    I must be.

    > Anyway, I remember seeing (in official docs) the note that ereg functions will occasionally be dropped like 5 years ago when I first started with PHP. And the fact that PCRE functions are *much, much* more powerful is very obvious.

    Well good for you. Like I said, I've been using PHP since '97 and I don't usually have to go back to the ereg page of the manual much. I know PCRE is more powerful (I do lots of Perl programming too so maybe I am dumb), but there are lots of functions like that in PHP where someone thought it would be cool to add it in, so it got included, but not all of them last and I wouldn't want to write code based on something that would get deprecated. Since ereg has been around since the beginning, I figured that it would be less likely to get deprecated.

    As I brought up on the mailing list months ago when I was trying to make my case, of the books in the top 10 search results for PHP on Amazon, 5 or 6 of them, including the book by Rasmus himself (who wrote PHP originally), use the ereg functions in their examples. So you can imagine that there are lots of people out there learning basic search functions that will be going away in the next major version. This is not good.

  • by shutdown -p now (807394) on Friday June 04, 2010 @01:05PM (#32460180) Journal

    Stock Python libraries don't suffer from this to the extent PHP ones do.

    WinAPI is twice as old.

  • by pjfontillas (1743424) on Friday June 04, 2010 @02:59PM (#32461936) Homepage
    Hopefully someone who does get the joke and has mod points can help fix that. That's how the system is supposed to work... now if it would actually happen...
  • by Gulthek (12570) on Friday June 04, 2010 @07:30PM (#32465302) Homepage Journal

    That's only because you haven't taken a serious look at Django or Rails. Every diehard PHP coder that I've shown something like the Django admin interface, web form creation/management or something like ActiveRecord and fundamentally integrated testing in Rails has been absolutely stunned at how much low-level work has either been obviated or eliminated entirely. Both frameworks really free you to work on the high level fun stuff of a web application.

    If you want a quick look at Django and don't mind not "getting" it all, the book "Practical Django Projects" is most excellent.

    For Rails you'll probably get the most out of "Rails for PHP Developers".

    Have fun!
