In the early 2000s, everyone in my bubble knew that PHP was a security nightmare, second only to Flash. In the meantime, Adobe gave up on Flash, but PHP is still alive and rocking.

How did that happen? Did PHP get some serious makeover? Do developers just not care?

  • jonne@infosec.pub (13 upvotes, 1 year ago)

    Stuff like register_globals and the default MySQL extension back in the bad pre-5.3 days definitely didn’t help though. But those haven’t been a problem in over a decade, so nowadays it’s on par with pretty much any other web language/framework. Especially if you use the libraries from Symfony and/or Laravel.

    • Aganim@lemmy.world (4 upvotes, 1 year ago)

      That’s a trip down memory lane, I once (probably a decade ago by now) had to fix a website built by an unknown developer for a customer. Was wondering why I was missing all kinds of variable assignments, until the word ‘register_globals’ floated up from the depths of my mind. And indeed, they enabled that setting in .htaccess, which broke the website after PHP 5.4 did away with it permanently. But to defend the PHP developers a bit: they turned it off by default in 4.2, which came out in 2002, because they recognised it as a security vulnerability. You can debate if that setting should have stuck around for 13 more years, but at least it required a manual action to actually be able to use it from 4.3. Although I cannot help but wonder how many shared hosting companies turned it on just to prevent all kinds of sites from breaking of course.

      And yes, oh boy, the MySQL client… That one wasn’t great as it didn’t support parameterization, but I guess at least the documentation for mysql_query was clear that any data in your query should be escaped with mysql_real_escape_string. To be fair, if you pass unescaped data to MySQLi or PDO you are going to get Bobby Table’d just as hard.
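
Added example, not part of the thread and not code from any commenter: the point in the last comment about unescaped data reaching PDO, shown as a concatenated query beside a prepared statement. The table, the function names `findUserConcat` and `findUserPrepared`, and the input value are constructed for illustration, and the script assumes the `pdo_sqlite` extension is enabled.

```php
<?php
// Added example: constructed schema and data in an in-memory SQLite database.
// Assumption: the pdo_sqlite extension is available.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
$pdo->exec("INSERT INTO users (name, secret) VALUES ('alice', 'a-secret'), ('bob', 'b-secret')");

// Constructed value standing in for request data such as $_GET['name'].
$input = "nobody' OR '1'='1";

// Weak: request data is concatenated into the SQL text. Switching from the old
// mysql extension to PDO changes nothing here, because the quote inside $name
// ends the string literal and the remainder is parsed as SQL.
function findUserConcat(PDO $pdo, string $name): array
{
    $sql = "SELECT name, secret FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Corrected: the SQL text is fixed and the value is bound as a parameter,
// so it is only ever compared against the name column as data.
function findUserPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name, secret FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("concatenated, constructed input: %d row(s)\n", count(findUserConcat($pdo, $input)));
printf("prepared, constructed input:     %d row(s)\n", count(findUserPrepared($pdo, $input)));
printf("prepared, legitimate name:       %d row(s)\n", count(findUserPrepared($pdo, 'alice')));
```

With the constructed input, the concatenated query matches every row in the table, while the prepared statement matches none and still finds `alice` when asked for her by name.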