PHP: Security Perspective

--Originally published at TC2027 – Will It Blog?

Through this semester one of my goals was to learn PHP and hopefully understand how the backend of an application works. It also turned out to be convenient because I had a course on Web development and I thought I would be using it on my project for that class.

But in the end I heard from colleagues and forums how it was a pretty unruly/insecure language, and during the course we once used a framework called CakePHP. That was my first approach ever to MVC architecture. I didn’t like it; it was confusing, and it was after watching 2 tutorials that I started understanding what was going on. There are also other PHP frameworks like Laravel that offer a more elegant way of writing code, but I think the thing is that one must understand or have an idea of the language the framework is using.

So I started reading this guide to crude PHP, and what surprised me the most was this passage from the part that covers sessions in PHP:

Session fixation describes an attack vector in which a malicious third-party sets (i.e. fixes) the session identifier (SID) of a user, and is thus able to access that user’s session.

And they proceed to mention other things, like not storing sensitive information in a cookie, md5 hashing (to “increase” security on data exchange) and other stuff, but I was still worried about the security involved when using this language. What I want to cover are the vulnerabilities that the language has and what I think is the reason that it is so rejected by many developers.

First of all, PHP is a back-end (server-side oriented) language, created back in 1994, and its meaning was PERLsonal home page, as I will call it; it slightly resembles the Perl language. As I keep reading Wikipedia I see that PHP was never intended to be a proper language but a tool that worked as a Common Gateway Interface in order to help the application communicate with a database. Over the years and through several iterations and additions PHP became the language we know today. The following are a few vulnerabilities which I think are the most serious.

  • Session Fixation

  • SQL Injection

  • Cross-site Scripting

You can look at a more complete list of vulnerabilities here, with explanations and fixes included.
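
To make the first item in that list concrete, here is an added example (not code from the original post or from the guide it quotes) of a login step in plain PHP that closes off session fixation by issuing a fresh session ID when the user authenticates. The `login()` helper, the user name and the demo password are hypothetical, and the stored hash is assumed to come from `password_hash()`.

```php
<?php
declare(strict_types=1);

// Session settings must be applied before session_start().
ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued
ini_set('session.use_only_cookies', '1'); // never accept a SID from the URL
ini_set('session.use_trans_sid', '0');    // never append the SID to links
session_set_cookie_params([               // array form needs PHP 7.3+
    'httponly' => true,
    'secure'   => true,  // assumption: the site is served over HTTPS
    'samesite' => 'Lax',
]);

// Hypothetical helper. $storedHash is assumed to come from password_hash().
function login(string $user, string $password, string $storedHash): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    // Core fix: issue a new ID at the moment of login and delete the old
    // session data, so an ID fixed before login identifies nothing afterwards.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    return true;
}

// Constructed demo, run from the command line: php example.php
if (PHP_SAPI === 'cli') {
    session_save_path(sys_get_temp_dir());                  // writable store for the demo
    $hash = password_hash('s3cret-demo', PASSWORD_DEFAULT); // constructed credential
    session_start();
    $before = session_id();                 // the ID that existed before login
    $bad    = login('alice', 'wrong', $hash);
    $same   = session_id() === $before;     // failed login leaves the ID untouched
    $ok     = login('alice', 's3cret-demo', $hash);
    $after  = session_id();
    session_write_close();
    // Failed login result, ID unchanged, successful login result, ID rotated.
    var_dump($bad, $same, $ok, $after !== $before);
}
```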

I think that the main issue is that the language was poorly designed from the start; that’s why it has many security holes. And don’t get me wrong, I’m not a PHP hater, nor am I looking to discourage you from using it, but if right now you are developing using PHP, these are things that must be considered when making an application so that user data or any kind of data doesn’t get compromised.