Sunday, October 30, 2005

Flashback: More on PHP Security

I dug this out for additional evidence of how PHP gives programmers too much rope to hang themselves, not unlike C.


-----Original Message-----
From: David Wheeler [mailto:[email protected]]
Sent: Wednesday, August 08, 2001 2:06 PM
To: me
Subject: PHP

Ben Ford said:

>>Don't call it a weakness of the language, call it by its true name:
>> Lazy Programming.

If this was a common problem in other languages, I might agree with you.
But it's not. Essentially all other computer languages do _NOT_ let
attackers set the state of arbitrary program variables to arbitrary
values, and then require programmers to constantly reset
values if they'd like to prevent attackers from controlling them.

I'm not saying that PHP is some horrible, unfixable language.
I've posted to PHP-DEV a relatively simple set of changes that would
make it possible to eliminate the problem, and others have proposed
other approaches. And those who can control their PHP configuration can
obviously do so and eliminate the problem right now for their

Yes, you can write secure applications in PHP. But it requires
herculean effort. It's "obvious" when the application is small
that some variable needs to be unset, that's true, assuming you know to
But once you call functions, you have to have global knowledge of all
global values that the function uses, including the complete transitive
closure of all functions it calls directly & indirectly -- and that
INCLUDES the implementation of the library functions you call. And you have to
redo the analysis when you use a new version of PHP. You could argue
that all PHP developers do this... but I wouldn't believe you.

It's certainly true that all languages have "gotchas".
This one is larger than most (in my opinion), though. And we should be
striving in our computer languages to make it easy, not hard, to write
secure programs.

If some application can be used securely in theory, but its user
interface is so hard to use that it cannot PRACTICALLY be used securely,
then it's still insecure. I argue that the same is true for programming languages.

No comments:

Post a Comment