PHP Security Consortium Launched 64
Chris Shiflett writes "We're happy to announce the official launch of the PHP Security Consortium (PHPSC). Our mission is 'to promote secure programming practices within the PHP community through education and exposition while maintaining high ethical standards.' You can read the official press release or visit us at phpsec.org."
Good (Score:1)
Re:Good (Score:2, Interesting)
Re:Good (Score:5, Interesting)
Re:Good (Score:4, Insightful)
a) write crap code themselves, or
b) use tested and audited code, save themselves some time and get to see how it should be done in the process.
And while there is no 'magic widget' that will fix your whole app, it's definitely possible to create a widget which will handle the login properly (probably where most SQL injection attacks occur), perhaps force a sensible password policy and maybe some code to test for some common security flaws (whether in code or against a live server).
And - WHY can't you create a general purpose secure file streamer? I'm curious
Re:Good (Score:2)
Re:Good (Score:1)
Good to see (Score:2)
Re:Good to see (Score:5, Informative)
I guess you missed the PHP Security Guide [phpsec.org]?
:-)
Re:Good to see (Score:2)
Re:Good to see (Score:2)
There are links in the Library [phpsec.org] that point to existing resources like that.
Re:Good to see (Score:2)
not necessarily (Score:2)
Wow! (Score:5, Funny)
Want to make PHP more secure? (Score:3, Insightful)
Use exception handling from top to bottom. Don't allow an error or return value to go unchecked.
Run code in some kind of sandbox by default. Example: fork and chroot each PHP script. Safe mode isn't good enough.
HTML ESCAPE BY DEFAULT. Use a separate set of tags for un-escaped output. Isn't it ridiculous that you have to remember to HTML escape output??? All you have to do is forget one spot, and congratulations, your app is on bugtraq.
Then I'll start to take PHP seriously.
As long as PHP caters to the bottom 95% ("but if we change that, people will get confused"). I'll look elsewhere.
Re:Want to make PHP more secure? (Score:5, Informative)
As mentioned here [phpsec.org], we recommend that register_globals be left disabled. It has been disabled by default in PHP since version 4.2.0.
This is a poor approach. Data should be filtered on input and properly escaped for its particular purpose on output. Escaping data for one particular purpose on input requires developers to unescape it for any other use, and this unnecessary complexity poses a security risk. Properly educating users as to what functions are there to help properly escape data is our approach. For example, want to avoid XSS? Escape your (already filtered) data with htmlentities(). Want to avoid SQL injection? Use an escaping function specific to your database of choice such as mysql_escape_string().
We are not an advocacy group. Our purpose is to promote secure programming practices within the PHP community, not promote PHP to other groups. PHP is already taken very seriously by some of the web's largest and most heavily trafficked sites.
Re:Want to make PHP more secure? (Score:2, Insightful)
This will fall on deaf ears here. This is a Perl Zone. Reason with respect to PHP does not work here, because people here fear php. And that's a shame because as you say, PHP is already taken very seriously by some of the web's largest and most heavily trafficked sit
Re:Want to make PHP more secure? (Score:2)
ASP is the only language worth comparing with PHP since they serve the same function.
Re:Want to make PHP more secure? (Score:2)
You misunderstand me. (Score:2)
Re:Want to make PHP more secure? (Score:2)
Using the <? php ?> some html <? php ?> approach is garbage
$h = new html();
$h->append($firstname, array('filter', 'htmlentities');
$h->append($last_name, array('filter', 'htmlentities');
$h->append($last_name, array('filter', 'htmlentities');
$h->append($address1, array('filter', 'htmlentities');
$h->append($address2, array('filter', 'htmlentities');
$h->append($html_table);
$h->output();
though the last par
hehe bugs (Score:2)
filtered on input (Score:2)
Re:Want to make PHP more secure? (Score:2)
Yes, true. However, there are also large companies that take very questionable ideas very seriously. The whole "It is good because large organization X uses it." idea no longer applies because large companies and websites, in general, tend to be run by idiots. (
Re:Want to make PHP more secure? (Score:1, Informative)
http://phpsec.org/projects/guide/ [phpsec.org]
http://phpsec.org/library/ [phpsec.org]
I'm not sure if this counts, but Zend offers online training [zend.com], and one of their advanced courses is Securing PHP Code [zend.com].
Re:Want to make PHP more secure? (Score:2)
No. Use a system that supports prepared statements (or which simulates the functionality by doing the proper quoting for you behind the scenes). If PHP cannot do this, drop it in favour of a non-toy language; there's many of them out there that will integrate as well (or better) with Apache.
Come on, everyone! We've known the answer to this one for donkey's years!
Re:Want to make PHP more secure? (Score:2)
*duck*
-Bill
Re:Want to make PHP more secure? (Score:1)
You have to filter input and escape output just the same way in Perl.
You can shoot yourself in the foot with PHP as you can with C - it's not the programming languages fault people don't know how to write secure code, and these people are promoting safe practices, which is very nice and respectable.
If you don't know how to write secure web applications from the ground up, you are better off with some "frameworks"
Re:Want to make PHP more secure? (Score:2)
Think allow_url_fopen and register_globals?
-Bill
Re:Want to make PHP more secure? (Score:1)
Re:Want to make PHP more secure? (Score:1)
I want to program, not generate a simulation of line noise!
*duck* :-)
Re:Want to make PHP more secure? (Score:2)
The only thing that makes "register globals" insecure is an incompetent programmer. I have lots of old production code that was written long ago that will break if register globals is removed.
Exception handling is fine, as long as you can define what exactly is considered an exception. Currently, setting ERROR to ALL in PHP will cause PHP to throw errors just because you looked at your monitor funny.
Isn't it ridiculous that you have to rememb
Re:Want to make PHP more secure? (Score:2)
how would I type
print(' ');
?
more crazy quoting rules perchance ?
printf("%s\n", email_address);
doesn't html escape it's output, why do you think other languages should automatically do it ?
what if I have header('Content-Type: text/plain');
or header('Content-Type: image/jpeg');
> fork and chroot each PHP script
It is the job of the web server to decide how to handle its scripts. Not the scripting language. FYI My web server is *already* chrooted and I'd rather
Glad to see it... (Score:3, Insightful)
I realize that this is a huge generalization. Don't get me wrong; I don't reject a program outright if I find that it was created with PHP. PHP does, though, raise an eyebrow.
All things being equal, I do reject a PHP app quicker than a non-PHP app if it shows a similar number of questionable or just flat out poor security defaults or is designed with little attention to security. It's often harder to deal with and keep up to date as the original branch of the app is updated -- raising the frustration as time goes on.
Re:Glad to see it... (Score:2)
Plone products -- borrowing from Plone and other Plone Products with Plone borrowing from Zope and Zope borrowing from Python -- is just about an ideal example of how to strengthen multiple projects while still getting the narrowly focused service you want that can be tweaked at will. Others can come up with non-Plone examples that they favor, so don't take this as a PHP vs. Plone rant. It
Re: (Score:2)
Re:Glad to see it... (Score:2)
Huh? [php.net]
Re:Glad to see it... (Score:2)
Yep; it was a generalization. I'm mostly frustrated with the customization aspects. Grab some Wikis based on PHP and they look impressive. Try and customize, say, Twiki, and keep it in sync with the developers and get ready for problems. Very frustrating. The parts may be borrowed, though they don't work that way. All very implementation specific.
With Plone, you can see what is possible...with Zope. With Zope, y
Re:Glad to see it... (Score:1)
The problem here is that Plone is not a language; it is a CMS. And Zope is not a langauge; it is a framework that happens to be written in the language Python. Python otherwise shares the same problem as PHP: when you start a new project, you either have to find some existing code or reinvent the wheel. Zope minimizes this by providing a framework in which you can work and find a lot of the code you
Re:Glad to see it... (Score:3, Funny)
You know, I have to say that reuse is overrated, in any language you can name. I will only use someone else's code -- whether it's a single function or an entire project -- if it's well-documented and shows predictable, easily understood behavior. Very often it is easier to reinvent the wheel than to try to fit someone else's wheel onto the car you're building, especially if that wheel seems to be a good all-around w
Re:Glad to see it... (Score:1)
NIH syndrome knows no language, it's universal. PHP has PEAR [php.net] and the PHP Foundry on SourceForge [sourceforge.net], developers who don't check there for code to meet their needs before running off to write stuff deserve the pain.
Plone, Zope, and Python are entirely different sorts of beasts. I'm not sure what your point is.
Re:Glad to see it... (Score:2)
Consider it a thought experiment.
Too bad the only article contains a race condition (Score:3, Interesting)
Too bad that that example on that site of 'an international group of PHP experts dedicated to promoting secure programming practices within the PHP community.' is flawed.
It always writes to the same
If these are the PHP experts on secure programming, I am now really worried.
Re:Too bad the only article contains a race condit (Score:2)
It always writes to the same
It doesn't always write the same one. Yes, two people could see the same one, but how is that a problem?
Re:Too bad the only article contains a race condit (Score:3, Interesting)
and:
$image = $captcha->getCAPTCHAAsJPEG();
$handle = fopen('captcha.jpg', 'w');
fwrite($handle, $image);
fclose($handle);
So, assume this happens:
- Client A requests the site
- Client B requests the site
- PHP engine process request for A: generates a random string 'abcde' and creates the captcha.jpg for this 'abcde'
- PHP engine process request for B: generates a random string 'fghij' and creates the captcha.jpg for this 'fghij'
- Due to some network lag (200ms), A will now request 'captcha.jpg
Re:Too bad the only article contains a race condit (Score:2)
<img src="captcha.jpg"
Re:Too bad the only article contains a race condit (Score:2)
Re:Too bad the only article contains a race condit (Score:2)
Not really. At times in the past I've been behind a firewall that put over 100k people effectively on the same IP address (or a small pool of IP addrs). Thankfully that time is past now, but if you think that an IP addr identifies a unique machine, you're sorely wrong. The right answer is to go by session (identified by cookies, which web proxies usually handle right) and not commit any temporary files (like CAPTCHAs) to disk at all.
Coding Standards In General (Score:2, Insightful)