this post was submitted on 10 Oct 2023
69 points (88.8% liked)

Technology

58055 readers
4766 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

In the early 2000s, everyone in my bubble knew that PHP was a security nightmare, only seconded by Flash. In the meantime, Adobe gave up on Flash, but PHP is still alive and rocking.

How did that happen? Did PHP get some serious makeover? Do developers just not care?

[–] Aganim@lemmy.world 26 points 11 months ago (2 children)

Explain 'security nightmare'? Most security issues I've seen were caused by stuff like passing user input directly to database queries, instead of using prepared statements. Or allowing directory traversals, again by not sanitising user input. That's on the developer, not the language.

[–] jonne@infosec.pub 13 points 11 months ago (1 children)

Stuff like register_globals and the default MySQL extension back in the bad pre-5.3 days definitely didn't help though. But those haven't been a problem in over a decade, so nowadays it's on par with pretty much any other web language/framework. Especially if you use the libraries from Symfony and/or Laravel.

[–] Aganim@lemmy.world 4 points 11 months ago* (last edited 10 months ago)

That's a trip down memory lane. I once (probably a decade ago by now) had to fix a website built by an unknown developer for a customer. Was wondering why I was missing all kinds of variable assignments, until the word 'register_globals' floated up from the depths of my mind. And indeed, they enabled that setting in .htaccess, which broke the website after PHP 5.4 did away with it permanently. But to defend the PHP developers a bit: they turned it off by default in 4.2, which came out in 2002, because they recognised it as a security vulnerability. You can debate if that setting should have stuck around for 13 more years, but at least it required a manual action to actually be able to use it from 4.3. Although I cannot help but wonder how many shared hosting companies turned it on just to prevent all kinds of sites from breaking, of course.

And yes, oh boy, the MySQL driver... That one wasn't great as it didn't support parameterization, but I guess at least the documentation for mysql_query was clear that any data in your query should be escaped with mysql_real_escape_string. To be fair, if you execute a query containing unescaped data with MySQLi or PDO directly you are going to get Bobby Table'd just as hard.
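The three approaches discussed in this thread side by side, as an added example that is not from any commenter: interpolating input straight into the SQL string, the legacy escape-then-concatenate pattern, and a PDO prepared statement. It uses an in-memory SQLite database and a constructed `users` table so it runs offline; the `$pdo` connection and the table layout are assumptions of the example.

```php
<?php
// Added example (not from the thread). Assumes a PDO handle and a
// table users(id, name); both are constructed below for the demo.

// Vulnerable: the value is interpolated into the SQL text, so any quote
// character in it becomes part of the query's syntax.
function findUserVulnerable(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Legacy pattern: escape and quote each value before concatenating it, the
// PDO equivalent of mysql_real_escape_string(). It only protects the values
// you remember to escape, and only in a quoted-string context.
function findUserEscaped(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = " . $pdo->quote($name);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the value is bound separately from the SQL text and
// can never alter the query's structure.
function findUserPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed test database so the example runs without a MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// A perfectly legitimate name containing an apostrophe is enough to show the
// difference: the interpolated query is no longer valid SQL, while the other
// two return the matching row.
$input = "O'Brien";
foreach (['findUserVulnerable', 'findUserEscaped', 'findUserPrepared'] as $fn) {
    try {
        printf("%-18s -> %d row(s)\n", $fn, count($fn($pdo, $input)));
    } catch (PDOException $e) {
        printf("%-18s -> query failed: %s\n", $fn, $e->getMessage());
    }
}
```

The same mechanism that makes the first version fail on an apostrophe is what lets crafted input change the query's logic, which is why the thread's advice to use prepared statements holds for MySQLi and PDO just as much as for the old mysql_* functions.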

[–] AA5B@lemmy.world 0 points 11 months ago (1 children)

Never used PHP, but wasn’t there a bunch of issues around the admin page being accessible?

[–] Aganim@lemmy.world 2 points 11 months ago (1 children)

PHP itself doesn't have one; it does have a debug command phpinfo() which might print sensitive information. But that's on the programmer if they called that on a publicly available page. Could also be that you meant phpMyAdmin, which is a MySQL web client built in PHP, not an admin page for PHP itself.

[–] AA5B@lemmy.world 1 points 11 months ago

Yep, that’s what I was thinking of