My first job was as a programmer. Well, OK, it was teaching programming. I learned BASIC and FORTRAN in high school in the mid 1970s. I learned C and Pascal and a handful of other languages in college. As an undergrad I taught FORTRAN to freshmen.
Some years ago I needed to build some dynamic web pages and I learned PHP (which actually stands for – or did at first – Personal Home Page). It was similar to the Perl I’d used for other projects so the learning curve was not too steep.
PHP is used mostly for allowing programmers to embed active code in web pages. One simple example is to include the client’s IP address or maybe the date. More complex examples include database queries and mathematical expressions. The basic language isn’t hard to learn and programmers like the combination of power and simplicity: easy things are easy and complex things can be done albeit with a bit more work.
According to a recent article in the UK’s The Register called “Want to have your server pwned? Easy: Run PHP” over three-fourths of PHP installations exposed to the web have security flaws! It’s not the user-written code, though; it is the PHP interpreter itself. It seems virtually all versions before 5.4 have serious flaws. Maybe this is why my web provider keeps upgrading my PHP (I use a shared provider so they have multiple versions available and upgrades are quite simple)!
When I read the article, I looked up some of the vulnerabilities. There are a lot: buffer overflows, SQL injection vulnerabilities, memory leaks that might cause denial of service and so forth. The “CVE Details” site lists 66 for 5.3.3 alone. And as I noted before, users can make mistakes or misconfigure PHP to make a site vulnerable even if they are using what is believed to be a secure version.
So, what should a PHP programmer do? First, check her code for vulnerabilities such as SQL injection and cross-site scripting issues (we explain these in Learning Tree’s System and Network Security Introduction); second, update the interpreter to a current version right away. No excuses!
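To make the first of those two checks concrete, here is an added example (not code from the original post) showing a PHP lookup written the vulnerable way next to its hardened form. The `users` table, the `name` query parameter and the in-memory SQLite database are constructed for the demonstration.

```php
<?php
// Added example: the same user lookup, first with SQL injection and XSS
// defects, then hardened. Table and sample row are constructed here.

// --- Vulnerable form: string-built SQL and unescaped HTML output ---
function lookupUserVulnerable(PDO $pdo, string $nameParam): void
{
    // SQL injection: the request value is concatenated into the statement,
    // so it can change the query's structure rather than just its data.
    $sql = "SELECT id, name, email FROM users WHERE name = '" . $nameParam . "'";
    foreach ($pdo->query($sql) as $row) {
        // Cross-site scripting: stored values are echoed straight into HTML.
        echo "<li>" . $row['name'] . " (" . $row['email'] . ")</li>\n";
    }
}

// --- Hardened form: prepared statement and context-aware output encoding ---
function lookupUserSafe(PDO $pdo, string $nameParam): void
{
    // Parameter binding fixes the query text; the value is sent separately
    // and can never be interpreted as SQL.
    $stmt = $pdo->prepare("SELECT id, name, email FROM users WHERE name = :name");
    $stmt->execute([':name' => $nameParam]);
    while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        // Encode every dynamic value for the HTML context it is placed in.
        echo "<li>" . h($row['name']) . " (" . h($row['email']) . ")</li>\n";
    }
}

// HTML-body escaping helper (ENT_SUBSTITUTE/ENT_HTML5 need PHP 5.4 or later,
// which is also the minimum the article recommends running).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed fixture so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
$pdo->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.com')");

// The query-string value is untrusted input; only the hardened path is used.
$name = $_GET['name'] ?? 'alice';
lookupUserSafe($pdo, $name);
```

Run from the command line (`php example.php`) it prints the one constructed row; under a web server it answers `?name=...` with the same code path, and the bound parameter plus `htmlspecialchars` are what keep the two flaws in the first function out of the second.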
Now for a personal note: I’ll be speaking at the Association for Talent Development (formerly ASTD) annual conference in Orlando in May. #ATD2015 promises to be an exciting conference and I look forward to seeing you there. If Talent Development isn’t your thing, please pass the info on to the appropriate friends.
To your safe computing,