In my experience, the biggest problem with security in PHP has been SQL injection attacks. That's probably more correctly labeled as a problem with the MySQL database driver for PHP, rather than a problem with PHP itself.

And, at any rate, it's really the programmer's fault. It's not really a problem with PHP. You could make the same mistake in any programming language (including RPG, including Java, etc, etc.)


What happens is people will get input from a web page... Something like

Enter your personal ID number: ________

And then do something like this:

$query = "Select tranid, custno, custname, trandate from transactions
where personal_id = '" . $_POST['personal_id'] . "'";

So if your personal id (typed into the blank) was 1234, the SQL statement would look like this:

Select tranid, custno, custname, trandate from transactions
where personal_id = '1234'

Seems sensible... the problem is the user might type the following string into the blank on the web page:

1234' and custno>'0

PHP would therefore build an SQL statement that looks like this:

Select tranid, custno, custname, trandate from transactions
where personal_id = '1234' and custno>'0'

Now that person not only has access to transactions for their personal id, but has access to all transactions. He's tricked the system by inserting actual SQL code that will be executed by the program. So, that's what an SQL injection attack is.

The MySQL driver for PHP does provide a routine intended to prevent this sort of problem. The code can easily be fixed by doing something like this:

$query = "Select tranid, custno, custname, trandate from transactions
where personal_id = '" .
mysql_real_escape_string($_POST['personal_id']) . "'";

The "mysql_real_escape_string" will make certain that any quotes or other special characters entered by the user are treated as data, not as SQL code.

Of course, if you're accessing a DB2 database instead of MySQL, you can also use parameter markers to solve the problem.

$query = "Select tranid, custno, custname, trandate from transactions
where personal_id = ?";
$stmt = db2_prepare($conn, $query);   // $conn is the handle returned by db2_connect()
db2_execute($stmt, array($_POST['personal_id']));

So, IMHO, it's not really a flaw in PHP. The security issues really are a flaw in the way programmers write their code.


Mike Cunningham wrote:
We are considering using PHP on i for some new development, but a
colleague has raised a concern about the security of PHP
applications. He remembers past stories about lots of security holes
on PHP applications, and scripted attacks against php web
applications. He does not know if these flaws were due to just bad
design/coding on the part of the developer or something inherent in
the way PHP works. Does anyone on this list have any experience in
this area?
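The following is an added example, not code from the post above: it runs the exact input string from the post ("1234' and custno>'0") against a small in-memory SQLite table through PDO, once with the string concatenated into the SQL text and once passed through a parameter marker, the same prepare/execute pattern the post shows with db2_prepare/db2_execute. It assumes the pdo_sqlite extension is available; the table layout and rows are constructed for illustration.

```php
<?php
// Added example (not from the original post). Assumes PHP with pdo_sqlite.
// The transactions table and its rows are constructed sample data.

function buildDatabase(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE transactions (
                 tranid INTEGER, custno INTEGER, custname TEXT,
                 trandate TEXT, personal_id TEXT)");
    $db->exec("INSERT INTO transactions VALUES
                 (1, 100, 'Alice', '2024-01-02', '1234'),
                 (2, 100, 'Alice', '2024-01-03', '1234'),
                 (3, 200, 'Bob',   '2024-01-04', '5678')");
    return $db;
}

// Vulnerable form: the user's input becomes part of the SQL text,
// so quotes and operators in it are parsed as SQL.
function fetchConcatenated(PDO $db, string $personalId): array {
    $query = "Select tranid, custno, custname, trandate from transactions
              where personal_id = '" . $personalId . "'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe form: a parameter marker; the driver sends the value separately,
// so the whole string is compared against personal_id as data.
function fetchPrepared(PDO $db, string $personalId): array {
    $query = "Select tranid, custno, custname, trandate from transactions
              where personal_id = ?";
    $stmt = $db->prepare($query);
    $stmt->execute([$personalId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = buildDatabase();
$payload = "1234' and custno>'0";   // the input string from the post

printf("concatenated, payload : %d rows\n", count(fetchConcatenated($db, $payload)));
printf("prepared, payload     : %d rows\n", count(fetchPrepared($db, $payload)));
printf("prepared, plain 1234  : %d rows\n", count(fetchPrepared($db, '1234')));
```

Run it with the php CLI. The concatenated query turns the payload into "where personal_id = '1234' and custno>'0'" and so matches every customer's transactions, exactly as the post describes; the prepared query compares the literal string "1234' and custno>'0" against personal_id, which matches nothing, while a plain personal ID still returns only that person's rows.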


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.