From: Richard Lynch [mailto:[email protected]]
> On Thu, March 1, 2012 2:38 am, John Crenshaw wrote:
> >> You might consider those scripts poor programming practice. We all
> >> do.
> >> But PHP is the language of the unwashed masses, and that was, and is,
> >> part of why it is hugely popular. Somebody who barely understands
> >> programming can pound away at the keyboard and write a bloody useful
> >> web application, breaking 10,000 Computer Science rules along the
> >> way.
> >
> > And in 20 minutes I can hack into that application 20 different ways.
> > This isn't really PHP's fault...or is it? By deliberately catering to
> > the lowest possible denominator is it possible that PHP itself
> > contributes to the proliferation of wildly insecure web sites? I do
> > understand the "unwashed masses" argument, and yet, the security geek
> > in me sometimes questions how "good" this is.
> >
> > (Before someone flames me, I'm not really saying that we should scrap
> > any foundational principles or tell basic users to go hang themselves.
> > This is mostly philosophical musing.)
>
> We make concerted efforts to educate scripters, by posting the same thing in all our blogs.
>
> Even if all they understand is "Don't do this!" it's good enough for most
> of them.
>
> Other times the decision was made to just deprecate a "feature" and provide a
> migration path,
> if suitable, but spread out over major
> releases:
> PHP x.0: Feature is bad, but there
> PHP x+1.0 Feature is E_DEPRECATED (or documented as such before E_DEP) [This is the bit
> where a LOT of scripted edumacation has to happen.) PHP x+2.0 Feature is just gone.
>
> People who completely ignore docs or don't upgrade remain vulnerable, but there's not
> much
> you can do without making life miserable for a bazillion developers.
No, you've misunderstood. The average new not-really-a-developer has no concept of security.
Every SQL query they write is vulnerable to injection. Every echo exposes their site to XSS
vulnerabilities. Every form is vulnerable to CSRF. If they did anything with files in their script I
may be able to read arbitrary files to their server and/or upload and execute arbitrary scripts. If
they used eval() or system() I can probably execute arbitrary shell code and take control of the
entire site. If their server is badly configured I could capture the entire machine.
This isn't a question of keeping software updated and not using deprecated functions, this is a
question of discipline that is completely missing among the "unwashed masses" as you call
them. The intuitive way to handle many of the most common PHP tasks is also the completely insecure
way. Philosophically, I wonder if we do a great disservice by encouraging these people to tinker
with code at all. We do so knowing (or at least we should know) that anything they create will
inevitably be hacked. We fuel the widespread security problems that currently plague the web.
John Crenshaw
Priacta, Inc.