PHP and security

chiisana, 10 months ago (edited 10 months ago)

Language itself is not the problem. The old notion of “PHP is insecure” stemmed from languages elitists trying to fan the language war by pointing at CVE repositories and claiming the large number of issues stemming from 3rd party WordPress plug-ins and alike, ignoring the fact that there were way more projects than other languages because it is the most commonly used language on the web, as well as having way longer lineage therefor more time to accumulate security issues; whereas their new and shiney with lesser projects are allegedly more secure because there’s lesser projects, lesser eyeballs, lesser histories, etc.

The core language itself is fine; and just as with any other language out there, it is prudent to keep up with updates. The big named projects are fine; and just with any other projects out there, it is prudent to keep up with updates. The extensions/3rd party modules are … well you get the idea.

Just thought of this comparison:

How would you think if someone tells you “Microsoft (PHP) is insecure because there’s all these 3rd apps (plugins) for Windows (WordPress) that has security issues. Don’t believe me? Just look at all those problems from Windows ME (PHP4/5) days!”

gamer, 10 months ago

This is the same as assuming anything written in Rust is secure. (i.e. it’s very wrong)

TheHolm, 10 months ago

Language where use of uninitialized variable is warning ( not a core dump) should not be used. IT mostly in the past for modern PHP, but bad programmers habits remains. I have seen so horribly written PHP project, so i prefer to stay away.

witten, 10 months ago

Thanks for weighing in. That’s historically been my take as well, although as of this thread I’m starting to wonder if modern PHP can be better and/or particular projects can be.

TheHolm, 10 months ago

My opinion that language have changed, but people who use it are mostly same. Anyone who starting working in WebDev now will not use PHP, it is no longer a good tool. Like perl, it is still around, lots of software depends on it. But hardly any new stuff will be written on it. And it is programmers who define quality of the code, if you learn to code on language which promote bad practice it is really hard to change.

martijn, 10 months ago

Easy solvable. Develop in strict mode with all notices enabled. Should be the default for any developer.

carbonara, 10 months ago

Security flaws are on the programmer, not the programming language. PHP is easy to learn and has many built in functions useful for web developing, but if the programmer doesn’t know anything about security and ships trash code it’s only his fault, this is why Laravel is so popular

ThorrJo, 10 months ago

I have a background (in the distant past) as a PHP dev, and currently make my income doing mostly Wordpress work.

For a very long time I took a jaundiced eye towards big PHP apps for the exact same reasons. That being said, I just two days ago finally installed Nextcloud in my homelab and exposed it to the world.

It’s worth noting that a lot of PHP’s bad rep comes from Wordpress, which is terrible in security terms in large part due to a huge and very poorly vetted ecosystem of plugins written by coders of all skill levels.

PHP itself had a number of anti-features which made security difficult in the past. A lot of those issues have been worked on. As somebody who was up to my eyeballs in PHP for years during the bad old days, I’m now confident installing big PHP apps if I think the dev team and dev process are reasonably mature.

witten, 10 months ago

Good to hear that many of PHP’s “bad old days” issues have been fixed. That lines up with what other commenters here have said. I actually wrote some PHP way back then but not since, and I think that may have unfairly colored my current-day views on the language.

Kilamaos, 10 months ago

Is what you host publicly accesible? If not, then it’s not even a concern. You could even host unsafe apps, but if you know they are entirely inaccessible, it wouldn’t change a thing.

As for php itself, it’s mostly due to the fact it’s by far and wide overwhelmingly crushing the competition. A quick Google search says it’s used by about 80% of websites. So, it has, by far, the most (negative) publicity, biggest target, and most inexperienced/bad devs working on it. Software is as secure as its made. Junior dev don’t often think about security. It’s bigger, so it happens more often.

witten, 10 months ago

Yeah, publicly accessible in that it’d be reachable over HTTPS from the internet (and not behind a VPN), but password-protected. Thanks for weighing in on this!

SheeEttin, 10 months ago

Being worried about software written in PHP is like being worried about buildings built with Ryobi tools.

witten, 10 months ago

I’m not sure that analogy quite holds (it’s not like the Ryobi tools are left connected to the building as a critical component of the HVAC system or something), but I like the image anyway. :D

Lemzlez, 10 months ago

I don’t think programming language is a good metric for security. I assume everything I host has issues, and then try to mitigate from there.

IMHO, a better approach is to vet the project beforehand, looking at whether it is still actively maintained. I usually use things like commits, issues, etc to try and gauge whether a piece of software is actively maintained so that when an issue arises, it can be fixed.

You can mitigate much of the risk by using some basic best practices, like isolating all apps from each other (using docker, for example), using a reverse proxy, tools like fail2ban or a web application firewall, using proper database permissions for each app, etc

What I also do is add another layer by making certain applications accessible only over vpn. That won’t work for some tools, obviously, but also reduces the risk for tools you are only using yourself.

witten, 10 months ago

That all seems prudent and reasonable. I guess some of my own anxiety is about how exactly I’ll evaluate projects like you’re talking about. I can (and do) certainly look at whether a project is actively developed before selecting it. Not just for security reasons… I don’t want to bet on a horse that won’t get updated with fixes and features. But for security in particular, I guess I was hoping for ways to evaluate that for a project… without exhaustively poring over its source. Maybe, to your point, the other mitigations you listed should be sufficient, and I should worry more about that side of things than picking the perfect project.

LrdThndr, 10 months ago

I’m a full time senior PHP/JS developer.

PHP has a bad rap because of a few factors.

1, as you said, it’s accessible. It’s a very easy language to learn with a simple syntax and a simple tool chain. So often, it’s a dev’s first language. PHP holds your hand a little bit, but for the most part, security is on the developer, and when a dev doesn’t know any better, bad practices like interpolating values directly into your sql query seem like an easy way to get the job done, but at the hidden cost of opening up SQL injection vulnerabilities. But I’ve seen the same thing happen in Python code, so that’s not really a PHP problem so much as an education problem.

2, earlier versions of PHP were, in a word, shit. They were rife with inconsistencies, poor structure, half-baked features, and it all ran like dogshit. Even today, there’s still some contention in the PHP world about whether to fix the inconsistencies or not, because so much legacy code would fall apart if they did. PHP <= 4 was a goddamned dumpster fire. 5 was MARGINALLY better and brought in proper OOP. 6 literally didn’t exist for various reasons. 7 was actually getting pretty good, now with optional static typing. 8 is BANGIN’. It’s fast, easy to work with, has a great feature set, and a huge community.

3, it’s a big player. When you’re a huge player, you’re also a huge target. Wordpress is one of the most prolific web apps in existence, and it’s PHP based. Being huge, many more people are writing (shit) code for it, and many more (shit) people are trying to break it. Of course software that’s run on more servers is gonna be attacked more. It’s just numbers.

TBH, today, working in both languages extensively, I’d gladly take a PHP based web app over a NodeJS based web app. Don’t get me wrong, I love node for what it is and the paycheck I get, but JS is a goddamned dumpster fire of a half-baked language.

So tldr, don’t fear the PHP. As long as your software was written by somebody who knows their aaS from a hole in the ground, you’ll be fine.

chiisana, 10 months ago

The fact that people still stuck talking about baggages of PHP 4/5, which was released in 2000, as if they’re still valid today is hilarious to me.

witten, 10 months ago

Lol, I really appreciate your thoughts! These are exactly the sort of insights I came here for. I hope this is useful to others too who may be wondering about the same thing.

Max_P, 10 months ago

Bad applications full of security flaws can be written in basically every language.

The thing with PHP is there’s still extremely old apps that just haven’t been updated to modern standards, because PHP itself is much older and thus predates more modern JavaScript/Ruby/Python apps. Wordpress in particular hasn’t changed all that much, and insists on using a wildly outdated database layer on the name of remaining compatible with old plugins, because those plugins is what people turn to Wordpress for.

As with any app you don’t completely trust, the solution is to restrict what they can do as much as possible. Run with minimum privileges, sandbox it in a container, whatever is needed.

witten, 10 months ago

That makes sense. Maybe then the trick is to look at whether any particular app (PHP or otherwise) is written with modern security practices. How do you judge a project’s security practices though?

And then, yeah, maybe also lock it down in a container so the blast radius of any actual exploit is pretty minimal.