Want to have your server pwned? Easy: Run PHP

More than 78 per cent of all PHP installations are running with at least one known security vulnerability, a researcher has found. Google developer advocate Anthony Ferrara reached this unpleasant conclusion by correlating statistics from web survey site W3Techs with lists of known vulnerabilities in various versions of PHP. …

  1. mafoo

    RHEL

    "What do you mean you want the latest release of that version of PHP?"

    1. Ole Juul

      Re: RHEL

      Indeed, this just goes to show that blindly updating to the "latest version", as is religiously pushed by many, is not guaranteed to lead to better security.

      1. John Brown (no body) Silver badge

        Re: RHEL

        On the other hand, the latest version fixes previous problems/bugs. You don't know that there are new bugs/undiscovered old bugs at the time of the upgrade.

        1. Ole Juul

          Re: RHEL

          You don't know that there are new bugs/undiscovered old bugs at the time of the upgrade.

I'm not convinced that "what you don't see won't hurt you" is a practical philosophy when it comes to software. History shows that there are likely to be bugs in a new version. One way or the other, you take your chances. I think that a big part of the problem regarding unknowns is that updates often don't just fix known problems, but include additions and features - thus adding to the chances of failure.

          1. asdf

            Re: RHEL

            >updates often don't just fix know problems, but include additions and features

            Maybe I am missing something but I thought that is the whole reason you pay RH big bucks (to push systemd but I digress) is so you get the security bug fixes without new features if you so choose. Yes bug fixes often come with their own risks and even sometimes open yet new security holes (especially it seems like in Windows land) but that is why companies pay for many of the IT pros reading this to test those fixes first before deployment.

          2. John Brown (no body) Silver badge

            Re: RHEL

            "I'm not convinced that what you don't see won't hurt you is a practical philosophy"

            That's not what I said or proposed. If you have a known vulnerability, a patch or upgrade being the only solution, then you have to take the risk that you are not adding new problems unless you have the time and ability to fully scrutinise the source code of the patches or upgrade.

            Is the risk that an upgrade or patch might introduce a new and as yet unknown vulnerability higher than fixing a known vulnerability? I'd say no.

            1. Anonymous Coward

              Re: RHEL

              > If you have a known vulnerability, a patch or upgrade being the only solution

              Actually, it's not "the only solution". As I understand it, a sane security approach will assume that your systems are vulnerable, and seek to identify, minimise, and control the consequences of a break-in.

              This, of course, does not mean that one should leave the door wide open, but security patches are but one element in the equation, not the ("only") solution itself.

    2. Anonymous Coward

      Re: PHP?

      It's not like the rest of the commonly used stack - Linux, Apache and MySQL - have not had plenty of holes too. Hello BASH, SSL, NTP, etc., etc.

      1. Anonymous Coward

        Re: PHP?

        It's not like the rest of the commonly used stack - Linux, Apache and MySQL - have not had plenty of holes too. Hello BASH, SSL, NTP, etc., etc.

        Ohh, and of course Windows servers never use NTP for time sync do they? What UDP port was time.windows.com listening on again?

  2. Anonymous Coward

    This... Is just too funny.

    My opinion on php lovers just dropped a notch or two - and it was already pretty freaking low.

    1. Charlie Clark Silver badge

      Not just my opinion

      It's a fucking awful language.

      Still lots of people like it and write good (well reasonable), secure (well not too fucked) code in it.

      1. asdf

        Re: Not just my opinion

        >It's a fucking awful language.

        What the hell I'll take the downvotes. You mean just like virtually every other language and technology in webbie land?

        1. billse10

          Re: Not just my opinion

Have an upvote to counter the single downvote that's there at the moment ;-)

          The balance of votes seems to suggest you may have a point ........

        2. Charlie Clark Silver badge

          Re: Not just my opinion

          @asdf

          That's a bit of a leading question – I guess only Javascript is another webbie language – every other language tends to come from another domain.

          I'm not arguing as to what you can and cannot do with the language but very specifically about the rather obvious lack of design of the language itself. Like Javascript, PHP was thrown together to scratch a particular. They have both succeeded in spite of this shortcoming.

          1. This post has been deleted by its author

          2. asdf

            Re: Not just my opinion

I was thinking particularly of Ruby on Rails and while the language is not web only it might as well be. Still, honestly my age is showing some, but not a lot in the webbie domain strikes me as particularly elegant. It often seems like an ever more high level technology/framework/language flavor of the week, exclusively RAD focused, a charlie foxtrot used by millennial hipster designers (not developers) who don't even understand the levels upon levels of software they are using above the bare metal.

            1. Charlie Clark Silver badge

              Re: Not just my opinion

              I was thinking of particularly of Ruby on Rails

              That's one particular framework, which is reasonable for a particular domain and shit for everything else. The ActiveRecord pattern is one of the many examples of poor designs from lazy or stupid programmers, though that isn't helped by SQL syntax: a "wire" interface for set algebra would be a much better way for client code to talk to servers.

              But, while I don't like the Ruby syntax, there's no denying that quite a lot of thought has gone into the language.

              In one sense it's very difficult to do the web nicely thanks to the stateless http protocol and fuck-ups like HTML forms (look and smell like MIME elements but you can't nest them). But having a universal protocol and no runtime lock-in also has its advantages.

            2. Anonymous Bullard

              Re: Not just my opinion

              designers (not developers) who don't even understand the levels upon levels of software they are using above the bare metal.

              I hear what you're saying, but please don't over generalise.

              Some of us have already written our own memory management libs, string manipulation, array handling, and UI frameworks several times. It's time to use someone else's, now.

              When I last used PHP (v4), it was great for whipping up something quick and simple and was one of the best solutions at the time (a bit like JS).

              1. asdf

                Re: Not just my opinion

                >I hear what you're saying, but please don't over generalise.

                Guilty as charged and do admit to monkey poop throwing. My experiences do not represent probably most of the webbies out there.

        3. Michael Wojcik Silver badge

          Re: Not just my opinion

          You mean just like virtually every other language and technology in webbie land?

          PHP is particularly awful. It manages to beat Perl for inconsistency and redundant features - an impressive achievement - and it has a collection of design infelicities and inherently-insecure functions (including, notably, some of the "security" ones) that makes the C standard library jealous.

Yes, Ruby on Rails combines poor scaling with the security nightmare that is Active Record. Yes, Node.js suffers from being, well, Javascript, with its type-unsafe Self-like object model[1]. Yes, ASP.NET is Windows-only and relatively heavy. And so on. You can find something to object to in any language.

          But PHP is an especially execrable pile of crap upon crap. It's a big ball of ill-conceived ad hoc bits tossed together. And - as with so many languages - few of its practitioners seem to want to use the less-stupid ones (even OO PHP seems to be relatively uncommon).

          And as the article points out, there's a wide range of PHP versions in use, so if you want to write code for use on multiple sites, you have to target the common subset. I ran into version (and configuration) issues several times when I put together a simple PHP data access layer the students in my web-design class last year. They typically didn't have control over the PHP version and configuration - they couldn't afford relatively expensive VM hosting packages, so their sites were on shared systems and they got whatever the hosting provider wanted to install.

[1] Of course ECMAScript 5.1 fixed some of the problems with earlier versions. And of course almost no one uses those features.

      2. Vic

        Re: Not just my opinion

        Still lots of people like it and write good (well reasonable), secure (well not too fucked) code in it.

        And lots of people write fucking awful code in it.

        I was once called in to fix a CMS that had lost ~70% of its content. It turned out that a (fairly aggressive) web spider had got into the admin section and spidered all the "delete" links.

        The entry route was that an inexperienced editor had accidentally posted a link to his edit page, rather than the published version. But the security breach was that PHP had several methods to retrieve environment variables (e.g. current username), with a big red warning on the doc page to tell you that mixing those methods would lead to credential leakage. The CMS in question did exactly that, so the web spider had erroneously been given admin credentials just before it came across that duff link...

        Vic.

  3. Robin Szemeti

    Seriously, he actually believed the advertised PHP version on the server?

    I doubt any serious admin is accurately showing the actual version they are running, it's long been standard practice to report completely different Apache, PHP, OpenSSL etc variants in the server banner.

I'm surprised this guy is basing his research findings on the results on that site ... option 1: he doesn't realise those results are highly likely to be miles out, so he's a dufus, or option 2: he does realise, but published his research built on dodgy foundations anyway, in which case he's a dufus.

    1. leexgx

      Re: Seriously, he actually believed the advertised PHP version on the server?

The thing is, most do not know how to use PHP or which version; most just install it and forget it and use it until they get hacked.

    2. Anonymous Coward

      Re: Seriously, he actually believed the advertised PHP version on the server?

      "I doubt any serious admin is accurately showing the actual version they are running"

      It doesn't matter, this security through obscurity technique you're describing is so pointless. Have you thought about this technique to display any other version besides the latest version? If you have, which of what?

You don't bother with version numbers or any kind of string like what phpinfo() prints, you just fire your best exploits. I've never seen a reason why anyone would bother playing (duck/duck/goose) with strings, unless you want to waste time and pass up targets. Hell, doing this guarantees an extra log.

PHP is a good scripting language though. I read back sometime in 2007 that one of the developers broke off and started listing security flaw after security flaw, but not out of angst, out of interest in seeing the language remain a competitor. I know some PHP, but I'm not proficient (apparently I'm not alone :-/). I always found it super quick to pick up, but much less flexible with complex tasks without making a huge plate of spaghetti, so I'd have to fall back to C for some things (as usual). Still though, from the messes I've made in PHP without having clear alternatives of remedy in the language, I can see how many many holes go left unchained.

      1. Robin Szemeti

        Re: Seriously, he actually believed the advertised PHP version on the server?

        "It doesn't matter, this security through obscurity technique you're describing is so pointless. Have you thought about this technique to display any other version besides the latest version? If you have, which of what?"

        Dude, obviously I would be running the most up-to-date and secure version I can possibly find, I just don't see the value in advertising it correctly. I agree it adds little security, however my point was that basing research on figures that were based on data highly likely to be very wrong was probably not quite so bright.

      2. Anonymous Coward

        Re: Seriously, he actually believed the advertised PHP version on the server?

        "It doesn't matter, this security through obscurity technique you're describing is so pointless. Have you thought about this technique to display any other version besides the latest version? If you have, which of what?"

        The pointless thing is people who talk about security through obscurity being pointless. They're the ones who don't understand what that term means nor the fact that real security is done through layers upon layers of measures of varying degree of sophistication - all designed to obscure.

I always wonder whether such people are employed by the NSA/GCHQ to dumb down developers' guard online on doing everything they possibly can to achieve security.

Fire the best exploit you can? That's no more than spray and prey and that means the layer of obscurity achieved its goal of frustrating you, delaying you (for however little time you may think it is) and, over time as the system is updated, keeping you guessing. Unless you're so bad-ass of course to find a 0-day, which the majority of "hackers" aren't.

PHP is as secure as any other "web" development language. The ability to secure it lies with the people who make and maintain the entire stack. The problem with PHP and other mainstream web development languages is it's too easy to learn, too easy to find off-the-shelf packages and plugins, too easy to make websites without understanding what every single line of code does and without understanding how the web truly works, too easy to be lazy. Thus you end up with a huge amount of amateur developers with limited abilities or computer science background working on PHP websites for companies who rely on these "professionals" to do a job.

        That said, this Google engineer's so called "research" is flawed even though it is generally true. No one in their right mind would rely on a single page blog post with no real datasets or details on how the data is obtained to make a real informed conclusion. Too many statistics are "obtained" and manipulated just to justify the writer's generalised conclusion.

In fact, having read this person's blog, I wonder why it is even newsworthy.

        1. TheOtherHobbes

          Re: Seriously, he actually believed the advertised PHP version on the server?

          > That's no more than spray and pray

Most servers are pwned to make spambots, malware distributors, and DDoS machines, so spray and pray works just fine.

          If your main concern is hackers targeting your everso important site because it's really everso important, those are not (usually) the threats you're looking for.

        2. Vic

          Re: Seriously, he actually believed the advertised PHP version on the server?

          That's no more than spray and prey[sic]

          Spray and pray is how the vast bulk[1] of exploits are used; they're bulk-fired from botnets. I'm currently getting a metric fuckton of it from Argentina - and, having taken no significant part in the Falklands Conflict, I'm pretty sure that's not personal. It's just that botnet attacks are so cheap, that's what you get.

          PHP is as secure as any other "web" development languages

          The stats would tend to disagree with you there. PHP is an easy language in which to get stuff running quickly - but there are a number of jaw-dropping flaws in pretty much every release, and portability isn't that great, so you tend to have crap old versions still running...

          Vic.

[1] There are obviously targeted exploits from assorted bad guys - but these are a minority of attacks.

      3. h4rm0ny

        Re: Seriously, he actually believed the advertised PHP version on the server?

        >>"It doesn't matter, this security through obscurity technique you're describing is so pointless."

        You've missed the point. No-one is saying that. The point is that this person's research on how many servers are vulnerable (and to what) is based on published version numbers. When disabling or altering the published version information is standard practice.

    3. streaky

      Re: Seriously, he actually believed the advertised PHP version on the server?

      I loosely know Anthony aka ircmaxell in an IRC context, if he wasn't hiding I'd be saying this:

      Backports, backports, no seriously, backports...

The methodology is sketchy at best given that most people will be running distro-installed versions with security fixes backported into what are at face value older "insecure" versions - and there's no reliable way to measure this, which is why one doesn't ordinarily bother. Don't get me wrong, there's probably a lot of insecure PHP installs, but the version doesn't have to be misreported for the secure/not secure data and drawn conclusions to be *wildly* incorrect.

    4. Destroy All Monsters Silver badge

      Re: Seriously, he actually believed the advertised PHP version on the server?

      it's long been standard practice to report completely different Apache, PHP, OpenSSL etc variants in the server banner

      .... Seriously? Home hacker scene, ahoi!

      Next up: hanging hare's paw on the server room door.

      1. Anonymous Coward

        Re: Seriously, he actually believed the advertised PHP version on the server?

        "Next up: hanging hare's paw on the server room door."

Not only did you beat me to it, but your answer is completely bulletproof! Congrats! (You really can tell when someone has dealt with security!)

P.S. Mine was to post a Tweet that said "NO" every time my server was asked if it's hackable...but blood is much better! (Plus I didn't want to have a Twitter daemon :-/ ) Happy New Year!

    5. Charlie Clark Silver badge

      Re: Seriously, he actually believed the advertised PHP version on the server?

      I doubt any serious admin is accurately showing the actual version they are running,

      Oh, holy fuck! If you start messing around with version numbers for that kind of shit you really will have problems.

      Distros may choose to backport security fixes to older versions (though there are plenty of cases where that isn't really possible) in which case they may manage their own patches but otherwise the version number is the only way to know if you're secure or not. The hackers don't bother checking version numbers, they just use brute force vulnerability/feature detection as anyone who's ever read an error log will know.

      1. Ben Tasker

        Re: Seriously, he actually believed the advertised PHP version on the server?

        I doubt any serious admin is accurately showing the actual version they are running,

        Not to pile (too much) on the hate you seem to be getting - but a serious question...

Did you also remember to turn off PHP's 'Easter eggs'? If not, then with a single URL I can tell which version of PHP you're running without needing to resort to the idiot's method of last resort (spray and pray) or rely on the version headers.

        As others have said though, if all else fails, brute force will find its way through to whatever version you're using.

      2. h4rm0ny

        Re: Seriously, he actually believed the advertised PHP version on the server?

        >>"Oh, holy fuck! If you start messing around with version numbers for that kind of shit you really will have problems."

Before leaping in with conclusions, make sure you understand what is being talked about. It's a config setting in Apache that decides whether or not it will accurately report version numbers to a requesting client. It's not messing with actual version numbers or what will be reported internally. It's an override for external requesters. What the OP is talking about is very common practice.

    6. Michael Wojcik Silver badge

      Re: Seriously, he actually believed the advertised PHP version on the server?

      I doubt any serious admin is accurately showing the actual version they are running

      You might find it eye-opening to survey some of the great many cheap hosting sites that offer PHP, then. Most of the ones I've seen operate on the "install a default configuration and forget it" principle.

      Of course, that may not qualify as a "serious admin" by your definition; but in that case serious admins are a rare breed.

  4. Anonymous Coward

    Did the writers consider that perhaps many PHP installations are blocked from upgrading because the upgrade is likely to break whatever's running at the time, resulting in unacceptable downtime? Meaning the IT guy's caught between Scylla and Charybdis: either enforce the update and explain the likely-extended downtime and lost revenues to Accounting or keep the system running and risk pwnage and potential lawsuits?

    1. Jolyon Ralph

      > either enforce the update and explain the likely-extended downtime and lost revenues to Accounting

      Congratulations. You've just described what an IT Manager's job role is. If your IT Manager is NOT doing this then they don't deserve the job.

      1. Vic

        You've just described what an IT Manager's job role is. If your IT Manager is NOT doing this then they don't deserve the job.

IT Managers don't do this. Their job is primarily to say "no" to the BOFH's security suggestions. And then to tell upper management that it is the BOFH's fault that the pwnage happened.

        Their secondary function is to fall down lift shafts. But far too few fulfil this function.

        Vic.

    2. vagabondo

      Surely the first/routine port of call is to apply the security patches. Version upgrades are primarily to add new features.

      This article's failure to understand how security issues are routinely addressed in the OSS world leads me to doubt its usefulness about anything. Is it really about selling W3 Tech's products?

  5. Anonymous Coward

    "Did the writers consider that perhaps many PHP installations are blocked from upgrading because the upgrade is likely to break..."

    Well, there's problem 1.

    "...revenues to Accounting..."

    Problem 2.

  6. Khaptain Silver badge

    And the alternative is ?

    PHP is popular because it is good.

What are the real alternative 'secure' solutions, that won't break everything when upgrading, that are maintained regularly and that are human readable?

    IIS, Java, Perl, ActiveX, Flash ?

(Flash and ActiveX are just there for giggles, please don't take seriously, even though some of you might)

    1. Anonymous Coward

      Re: And the alternative is ?

      Just because PHP is not as dire an atrocity against the concepts of sane programming as some of the alternatives (such as Java) it doesn't make it good. If you think PHP is good you are very much a part of the problem.

      1. Anonymous Coward

        Re: And the alternative is ?

        If you can't offer a viable alternative that's not as riddled with holes, then you're part of the problem behind the problem. IOW, the problem is that PHP is riddled with holes. The problem behind the problem? It's still the best option on offer...short of going static, which is usually not an option. The way it's being put, you got four drinks: arsenic, strychnine, ricin, and cyanide. Pick your poison...

        1. breakfast Silver badge

          Re: And the alternative is ?

          It's not the best option on offer, having worked with a lot of web programming platforms I can promise you it is as close to the worst as you can get without being old ASP with VBScript, but it is passably quick, easy to get started with and offers cheap ubiquitous hosting.

          A little like JavaScript in the browser, PHP is an awful language that you can run on servers everywhere. It's actually a bit more awful than JavaScript, which at least has a programming language at its core, but the price is right so it gets used very widely.

          One of the major downsides, which this article alludes to, is the way that PHP updates tend to break the existing behaviour of the platform, so migrating an application to a new version is a non-trivial activity as you need to go through a very in-depth QA cycle to be confident that there are no changes that will wreak havoc in your codebase.

        2. h4rm0ny

          Re: And the alternative is ?

          Python.

          Why did you leave that off your list of other options?

    2. Frumious Bandersnatch

      Re: And the alternative is ?

      PHP is popular because it is good.

Nah, I don't think that it's because it's good, but because (IMO) it's relatively easy to write code in, has good documentation, the feature set is well-suited to the task of web programming and its syntax is easy for people to get to grips with (somewhat like Basic or Pascal). It also seems to be the sort of language that appeals to managers in that the code is fairly easy to understand and maintain so you can treat programmers as a fungible resource.

      The security problems tend to be more with the server than the code itself (at least historically), but as with any web programming language, developers still need to be aware of the basics of writing secure code in the first place. So no insecure "eval" statements or calls to external programs, always assume that user-supplied data is hostile and always use prepare/execute instead of naked SQL queries. I'm sure that there are other common security pitfalls, but I'd guess that the majority of them stem from those three points.

      As for me, I much prefer Perl. I dislike the verbosity of PHP, but the main reason that I think that Perl is better is down to the -w and -T options. Perl is much better at helping you understand the unintended consequences or potential bugs in your code. Taint checking in particular makes it very hard for you to write insecure code, since it won't even let you run the thing if it detects that you're not sanitising your inputs correctly.

      I've never used IIS or ActiveX, so I can't comment. I don't think that Java or Flash are even real competitors due to (a) needing browser plugins and (b) those plugins having a terrible history of insecurity.
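The "prepare/execute instead of naked SQL queries" advice in the post above, shown as an added example that is not from the post or from PHP: the naked and the bound form side by side, in Python with the standard sqlite3 module so it runs stand-alone. The table contents and the hostile input are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def lookup_naked(conn, name):
    """The 'naked SQL query' the post warns about: the caller's string is
    spliced into the statement text, so it is parsed as part of the query."""
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, name):
    """prepare/execute form: the statement is fixed and the value is bound
    separately, so the caller's string is only ever compared as data."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups with a normal name and with a constructed hostile one."""
    conn = make_db()
    # Constructed hostile input, standing in for "assume user-supplied data is
    # hostile": it closes the quoted literal and widens the WHERE clause.
    hostile = "nobody' OR '1'='1"
    return {
        "naked_normal": lookup_naked(conn, "alice"),
        "naked_hostile": lookup_naked(conn, hostile),
        "prepared_normal": lookup_prepared(conn, "alice"),
        "prepared_hostile": lookup_prepared(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```
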

      1. Khaptain Silver badge

        Re: And the alternative is ?

        @Frumious

        "Nah, I don't think that it's because it's good, but because (IMO) it's relatively easy to write code in, has good documentation, the feature set is well-suited to the task of web programming and its syntax is easy for people to get to grips with (somewhat like Basic or Pascal). "

        Doesn't your argument give weight to the fact that what you just described is actually what most people want from a language? For me, that would be the definition of good.

Of course it is also possible to use syntactically more difficult languages, or more precise yet difficult to read ones, but what is there to truly gain from that... The web for example requires very dynamic languages that are quick to program.

I coded in assembler for a year or so and as much as I enjoyed what I did, I would not class it as a good language to program in (although it is excellent for certain tasks, I was hooking and chaining interrupts at the time).

        1. Frumious Bandersnatch

          Re: And the alternative is ?

          Doesn't your argument give weight to the fact that what you just described is actually what most people want from a language? For me, that would be the definition of good.

          LOL. Yes, kind of. I guess it is a good language overall, but it's not a patch on Perl, IMO. I just find PHP to be too verbose and boring to actually like it. I think that the original context was about being good for security, among other things, and as I said, Perl's -w and -T checks put it head and shoulders above the competition.

          Mind you, maybe I'm a bit perverse in my (programming) tastes. I love constructs like Duff's Device and the Schwartzian Transform and have been known to use them when appropriate.

          1. PJI

            Re: And the alternative is ?

I do not see that Perl's "-t|-w" flags and similar kludges make it good. If it was really good, they would not be needed as the basic system would catch the risks. I keep encountering clever Perl wrappers that come up with the sort of warnings that "-w" would have flagged. But because Perl can be somewhat awkward, the author just ignored the risks and released the code.

I've done some interesting and useful jobs with Perl, from small to many thousands of lines. But my recent small-scale use of Python is changing me into the equivalent of the smoker who has given up smoking. This was prompted by having to read more of other people's Perl to try to work out what was going on.

            My experience with PHP is limited and out of date. But as I recall, the attractive bit is that it is easy to write pretty, screen-orientated stuff. A bad bit, as with Perl, is that object orientation is forced into it clumsily and relying almost entirely on the consistency, understanding and self discipline of the programmer.

            However, I do agree that a language should, like Pascal, be reasonably straightforward to read and write, secure and well documented. Both Pascal and C appeal to me as they are small enough (or at least the first couple of Cs were) for one to have the whole syntax in one's head, small, efficient. C++ and Java fail because one needs to know not just the syntax (which in C++ is big enough) but the scores of different class libraries to get even basic things done, each with a big rivalling the bible, but much more obscure.

            1. Anonymous Coward

              Re: And the alternative is ?

              > Both Pascal and C appeal to me as they are small enough

              Don't know about Pascal, but the C99 standard is 558 pages long of densely packed information. I'm not sure I would call that "small enough", unless you happened to be one of the hardcore regulars over at comp.lang.c. :-)

              1. Michael Wojcik Silver badge

                Re: And the alternative is ?

                Don't know about Pascal, but the C99 standard is 558 pages long of densely packed information. I'm not sure I would call that "small enough", unless you happened to be one of the hardcore regulars over at comp.lang.c.

                Still a hell of a lot shorter than the C++ standard. (C++11 is like three times that long.[1]) And the significant part of the C99 standard, for most purposes, is less than 400 pages long, once you exclude the introductory stuff and the non-normative annexes. The actual language specification is only 135 pages, and the standard library less than 250 pages.

                I'm not sure I'd call it "densely packed", either, since a substantial portion of the text on most pages is headers, forward references, and the like. Typically the substantive information is broken down into lists of short statements, so you don't have to wade through paragraphs of legalistic prose.

                But then I confess that I used to be a regular on comp.lang.c, so I'm biased.

                [1] Even the COBOL 2002 ISO standard is only 860 pages long - a bit more than half the length of C++11. And COBOL 2002 includes all the ISO OO COBOL support, including the standard class framework. You think COBOL's verbose? The C++ committee will show you verbose, baby.

              2. PJI

                Re: And the alternative is ?

                I did specify the first couple of C editions, up until the first ISO release or thereabouts. I did review some C written in the latest variant, recently and was a bit saddened at its bloat. Nevertheless, the older stuff still works and much of the new is not necessary nor often needed and some definite improvements are present.

                In comparison with Java or C++, C is still lean and keen, with a practically useful core such that the K & R (plus sets, I like sets) still stays in one's head with quick man page references sufficing for the fine details of library calls.

                As I said, for higher level stuff, I am almost sold on Python (>=2.6, probably < 3.0).

                1. Vic

                  Re: And the alternative is ?

                  I am almost sold on Python (>=2.6, probably < 3.0)

                  >>> def foo(item, list=[]):
                  ...     list.append(item)
                  ...     print list
                  ...
                  >>> foo(2, ["one", "sheep", 6])
                  ['one', 'sheep', 6, 2]
                  >>> foo("arse")
                  ['arse']
                  >>> foo(2, ["one", "sheep", 6])
                  ['one', 'sheep', 6, 2]
                  >>> foo("arse")
                  ['arse', 'arse']

                  And let's not even get started on object destructors...

                  Vic.

        2. Anonymous Coward
          Anonymous Coward

          Re: And the alternative is ?

          Doesn't your argument give weight to the fact that what you just described is actually what most people want from a language? For me, that would be the definition of good.

          No, not really. Do you consider VB6 or VBA good? That they are easy to use is without question. That you end up with non-programmers writing shite code also. This is part of the problem that PHP also suffers from - SQL injection attacks due to poorly constructed queries with unsanitised inputs. What people on this site need to remember is that they are the exception, not the norm. There will likely be a large number of PHP writers out there, much like VBA, constructing utter crap that is an accident just waiting to happen.

          1. Ben Tasker

            Re: And the alternative is ?

            I was spitting feathers recently, having looked over the output of a development team and found such things as

            $result = mysql_query("SELECT foo FROM bar WHERE id=".$_GET['id']);

            In this day and age, how can people not know better?

            Mind you, it does seem a little unfair to judge the language for that. As you say, its biggest sin is that it's incredibly easy to learn. If the type of person that does the above could write C they'd still do the same thing.

            There were also some other beauties within that code review, but I won't bore you as it might just push my blood pressure beyond breaking point.

            The joys of being brought in on a project way too late eh?
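            The query quoted above placed beside a hardened version, as an added example that is not Ben Tasker's code nor from the project he reviewed. It assumes an open PDO connection in `$pdo` (with exceptions enabled) and a table `bar` whose `id` column is an integer, matching the shape of the quoted statement.

```php
<?php
// Assumptions for this example: $pdo is an open PDO connection with
// PDO::ATTR_ERRMODE set to PDO::ERRMODE_EXCEPTION, and table `bar` has an
// integer primary key `id`, matching the query quoted in the comment above.

// Vulnerable shape (the quoted line, old mysql_* API): the raw request
// parameter is concatenated into the SQL text, so the client, not the
// programmer, decides what the statement says. mysql_* was also removed in PHP 7.
function fetchFooUnsafe($link, array $get)
{
    $sql = "SELECT foo FROM bar WHERE id=" . $get['id'];
    return mysql_query($sql, $link);
}

// Hardened form: validate the shape of the input first, then bind it as a
// parameter so the database driver never interprets it as SQL.
function fetchFooSafe(PDO $pdo, array $get): ?string
{
    // Reject anything that is not a plain positive integer before it goes
    // anywhere near the database. filter_var() returns false on failure,
    // including for a missing parameter (null).
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // caller should answer 400; never fall back to the raw value
    }

    // The placeholder is part of the statement text; the value travels
    // separately and is typed as an integer by the driver.
    $stmt = $pdo->prepare('SELECT foo FROM bar WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (string) $row['foo'];
}

// Constructed request inputs; with a real $pdo these calls run as written.
// var_dump(fetchFooSafe($pdo, ['id' => '42']));    // foo for row 42, or NULL if absent
// var_dump(fetchFooSafe($pdo, ['id' => '42abc'])); // NULL: rejected before any query
```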

            1. Greg J Preece

              Re: And the alternative is ?

              I've seen unsanitised inputs in raw SQL in PHP, sure. I've also seen that in Java (bypassing Hibernate to do so, no less), and myriad other languages. Shitty coding is as shitty coding does.

              1. Anonymous Coward
                Anonymous Coward

                Re: And the alternative is ?

                "bypassing Hibernate to do so, no less"

                Bypassing Hibernate is not a bad thing - it is the only way to get sane interaction between the program and the database. Otherwise hibernate will decide it is a better database than the database, construct an outer join between two unrestricted sub-selects, and then filter that - which will result in a full cartesian product before filtering. Once you have more than a few hundred records in your tables it will take hours to get nowhere, and then crash when it depletes all available memory to store the data set it just fetched.

                Hibernate and just about every other database abstraction layer is unfit for purpose, and anybody using them is clearly demonstrating that they should be going to the institution that "taught" them programming and demand their tuition fees back.

                This is an unfortunate consequence of living in a world where everybody who thinks they can write "Hello world!" in HTML considers themselves a "programmer".

                1. Greg J Preece

                  Re: And the alternative is ?

                  Hibernate and just about every other database abstraction layer is unfit for purpose, and anybody using them is clearly demonstrating that they should be going to the institution that "taught" them programming and demand their tuition fees back.

                  This is an unfortunate consequence of living in a world where everybody who thinks they can write "Hello world!" in HTML considers themselves a "programmer".

                  AC got condescending fast. Abstraction/ORM layers aren't perfect (and Hibernate sure as shit isn't) but they're a useful tool for people looking to get stuff done and have that stuff be redeployable. It's a side effect of us not all achieving your god-given perfection. If no "real" programmers use them, you might want to chat about that to...well, pretty much every application I've coded against in the past ten years. A real programmer is aware of the limitations of the frameworks they utilise, rather than casting them all aside and reinventing the wheel with every project.

                  Or you could quit being such a snobbish twat, but I doubt that'll happen.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: And the alternative is ?

                    @Greg J Preece

                    "If no "real" programmers use them, you might want to chat about that to...well, pretty much every application I've coded against in the past ten years."

                    I rather doubt that it would be possible to chat to the applications in question. Even if they were to achieve sentience the response time and memory requirements would not be tractable within my lifetime.

                    "Or you could quit being such a snobbish twat, but I doubt that'll happen."

                    I could. And you could learn how to program. Only the latter would be far, far, more difficult.

              2. Vic

                Re: And the alternative is ?

                I've seen unsanitised inputs in raw SQL in PHP, sure

                I saw a "recommended" Python MySQL library doc claim that MySQL doesn't support prepared statements, so the library doesn't either. The former has not been true for many years. The statement as a whole was part of the reason I removed that library from all our code...

                Vic.

              3. Anonymous Coward
                Anonymous Coward

                Re: And the alternative is ?

                I've seen unsanitised inputs in raw SQL in PHP, sure. I've also seen that in Java (bypassing Hibernate to do so, no less), and myriad other languages. Shitty coding is as shitty coding does.

                I haven't seen it all I'll admit, but I've seen bad code in a few languages…

                - C
                - C++
                - JavaScript
                - Java
                - PHP
                - Python
                - Perl
                - BASIC

                You can write bad code in any language. Writing good code requires discipline. Some people have it, some do not. Throwing abstraction layers isn't going to magically make you a better coder. Doing so might encourage some habits (some good, some bad) and design patterns which may help make your code a little more understandable, but they're no silver bullet.

                Coding for the big bad Internet means you have to be mindful of what you don't want the server to do as much as what you do want it to do.

            2. Anonymous Coward
              Anonymous Coward

              Re: And the alternative is ?

              > having looked over the output of a development team and found such things as $result = mysql_query("SELECT foo FROM bar WHERE id=".$_GET['id']);

              Ah, I guess that explains the gunshot sound I heard the other day coming from the back of the building.

        3. Tom 13

          Re: that would be the definition of good.

          I'm not a professional programmer, just a help desk jockey. Back in the day I learned some BASIC. I like it for the reasons outlined for PHP (which I've never used).

          I've never heard a professional programmer describe BASIC as "good".

          It seems to me that to be a good language, beyond being easy to understand and performing the tasks required for your objectives, it has to have enough structure under it to prevent common mistakes. You can argue that's more of a compiler problem than a language problem, but some languages invite problems that others don't. For example, I've always been told BASIC is one that invited unnecessary problems because of its GOTO statements and how it leads to spaghetti code.

        4. Anonymous Coward
          Anonymous Coward

          Re: And the alternative is ?

          > I coded in assembler for a year or so

          IMO anyone who's coded in assembler deserves an upvote, so here you go. :-)

          (I did teach myself, and tinkered a bit with, 8086 assembler a long time ago, but that was only to educate myself as to how the code I write actually does its magic)

          1. Vic

            Re: And the alternative is ?

            IMO anyone who's coded in assembler deserves an upvote

            I started programming in 1802 assembler. I still believe it's useful to have an understanding of how processors work at that level[1], but to put it bluntly, most compilers do a better job than hand-crafted assembler[2] these days, so it's no longer the badge of office it once was.

            There are certainly programming languages that should be avoided, but of the rest, it's important to pick the one that fits the job spec best, not the one you like most.

            Vic.

            [1] For example, I've lost track of the number of coders I've met who claim that floating-point operations are more accurate than fixed-point. Floats give you dynamic range, not accuracy...

            [2] I worked on a processor a while back where we wanted to get the application code available at the same time as the silicon. So we wrote a wrapper layer whereby you could call pseudo-functions that would emit assembler directly if you were building for the target, or else call a library function if you were building for a development host. What was surprising was the amount of optimisation that the compiler would do on that code if you built for the dev host - it often gave insight into how to optimise the code for the target, leading to dramatically faster code...

        5. Vic

          Re: And the alternative is ?

          Doesn't your argument give weight to the fact that what you just described is actually what most people want from a language?

          That depends on what you're after.

          If you want average code monkeys to deliver something that works, then yes - it is.

          If you want stuff that is accurate, correct, and secure - then no, absolutely not.

          The trouble is, the former seems to be the "popular" outcome required. And that's why there's so much shite code around :-(

          Vic.

    3. lambda_beta
      Linux

      Re: And the alternative is ?

      Please ... it's like saying Windows is popular because it's good. Or wars are popular because they're good ..... etc. etc.

      1. Khaptain Silver badge

        Re: And the alternative is ?

        "Please ... it's like saying Windows is popular because it's good. Or wars are popular because it's good ..... etc. etc."

        Now that was a very poor attempt at trolling, do you also read the Daily Mail?

        PHP is not imposed on anyone........... Web programmers have a plethora of choice.

    4. This post has been deleted by its author

    5. Anonymous Coward
      Anonymous Coward

      Re: And the alternative is ?

      "PHP is popular because it is good."

      No, it's popular because it's "free" - assuming your time has no value.

      "What are the real alternative 'secure' solutions, that won't break everything when upgrading, that are maintained regularly and that are human readable?"

      IIS + .Net is very secure and easy to work with these days. Especially in the latest Server 2012 R2 - which fixed a bunch of long standing issues - like high end SSL scalability, cert management and similar for hosting thousands of sites on a single OS image

      IIS is also statistically much less likely to be successfully attacked / hacked than LAMP stack based solutions - especially when comparing default installs without applying expert security skills to lock them down. Upgrades / security patches are also almost always non code impacting - even across major versions.

      But of course Windows Server requires a license fee. So you takes your choice of "free" and potentially time consuming issues, 'spray and pray' forum type support and poor security or "pay" to get an often more reliable / secure product in IIS with professional support with an SLA. These are of course generalisations and it may vary depending on your specific use case.

    6. Charlie Clark Silver badge

      Re: And the alternative is ?

      I like Python because the code almost always remains readable. Lots of web frameworks to choose from. YMMV.

  7. James R Grinter

    headlines vs. details

    But not every vulnerability in every version is going to be "active" in every installation of it. The one where executing PHP scripts via CGI was vulnerable to attack is not going to apply to anyone using mod_php or php-fpm, for example.

    Not to defend PHP (it sure has its issues, and it certainly lets people do stupid things), but there are plenty of poorly written applications, or large complex and evolved applications (such as Wordpress), or very widely deployed applications (such as Wordpress) that offer plenty of scope for attack and would do so whatever languages they were implemented in.

    1. Anonymous Coward
      Anonymous Coward

      Re: headlines vs. details

      That, and many "security researchers" only compare the version number in the webserver's banner against a database, without taking into account backporting policies of a particular distro. RHEL-based setups would report the same version for years, because that's the feature level of the PHP version they offer. However, they are damn quick in backporting security fixes. Those outside scans can't possibly know which package version somebody is running, unless they do some more in-depth testing against known vulnerabilities. The version number as such is extremely misleading. You can't conclude that it must be insecure based on that. But for example Trustwave, who I had the pleasure to deal with while working for a huge corporate client, do just that. (Others may or may not make the same mistake.)

      As for 5.3.29, I wonder if its popularity has anything to do with AWS. Amazon Linux (formerly a CentOS clone/fork, but nowadays has very little to do with it apart from using yum) uses 5.3.29. I'm pretty confident that they have some sort of backporting policy too, but I couldn't find any useful documentation on that.

  8. The Vociferous Time Waster
    Trollface

    More secure than IIS

    it's open source so it is more secure than closed source security through obscurity bloat ware because anyone can inspect the source code and submit fixes

    Or at least that's what I was told

    1. Anonymous Coward
      Anonymous Coward

      Re: More secure than IIS

      "Or at least that's what I was told"

      You must have missed the recent Bash and SSL vulnerabilities. That Open Source is somehow more secure because you can see the code is clearly bollocks. If anything it makes life easier for a well funded attacker.

      1. Greg J Preece

        Re: More secure than IIS

        Except that in the major OSS vulnerability alerts, the vulnerabilities are usually found by researchers..... You know? People reading the code and recommending fixes?

        It's almost like finding problems before hackers do, providing immediate fixes and then doing your best to alert everyone to them is a cornerstone of why OSS software remains secure.

    2. Michael Wojcik Silver badge

      Re: More secure than IIS

      Troll harder, or don't troll at all. You're embarrassing us.

  9. heyrick Silver badge

    The latest releases of PHP 5.4, 5.5, and 5.6 are all thought to be secure.

    all thought to be secure ? He actually wrote that?

    You mean you think they are "safe" (term used loosely) today. Tomorrow may be an entirely different story...

  10. Anonymous Coward
    Anonymous Coward

    Invalid

    The only reason newer versions are more secure is that the vulnerabilities have not been found yet.

    This applies to any software.

    By the way, what percentage do you get for all Microsoft software ? 100% insecure?

    1. Anonymous Coward
      Anonymous Coward

      Re: Invalid

      "By the way, what percentage do you get for all Microsoft software ? 100% insecure?"

      What planet are you on?! Microsoft's webserver, .Net and database software has had very few security vulnerabilities in recent years. Significantly fewer than say a LAMP stack.

  11. cruiskeenconsulting

    No, this seems to show a great misunderstanding of how software versions work on production Linux distributions.

    Production oriented distributions do not change version numbers for software servers while staying in the same OS release. Thus, if you're running Red Hat or CentOS or any number of other distributions, the latest supported release of PHP is ALWAYS the version that was released with the operating system, and security fixes are back-ported to that version. Thus a server that is running PHP 5.2 will (assuming the admin is actually installing patches) have all the newest security fixes - but will still be PHP 5.2. Upgrading PHP versions willy-nilly will make one's support customers crazy as their web sites break at every upgrade.

    This "study" comes to its conclusion mostly by not understanding how OS distributions and web host providers actually operate in the real world.

    1. Ben Tasker

      I initially thought that, but if you read the linked article, they've taken that into account.

      For example, they've noted that RHEL/CentOS 6 backports to PHP 5.3.3 and so any server reporting 5.3.3 is considered secure.

      If anything they've skewed their results the other way (i.e. if I'm running Debian, 5.3.3 probably means I'm insecure).

      TFA doesn't exactly make that point clear though......

      1. Tim Brown 1
        Facepalm

        Insecure how?

        There's no reason why you have to stick with the version of PHP provided with your OS release. It's particularly easy for Debian users to stay up-to-date with the latest PHP releases by using packages provided by dotdeb.org for this and other important software.

        As far as the article goes it would have been nice if we'd had a definition of 'insecure' in this context, it obviously doesn't mean 'easily exploitable to get root'; since if things were really as bad as the author suggests, nearly every server on the internet would have been hacked.

  12. Skymonrie

    nothing to see here

    That a public facing service is exploitable is nothing new, this article should have really tried to make people aware that you get what you pay for in most cases and paying £1 to deploy and host a WordPress site is not going to get you professional services even though as many have said, "old" versions of PHP will have patches back ported.

    I think in this, the most important thing is that, generally speaking, the easier something is to use, the more complex it is under the surface, and complexity brings issues. Things like WordPress have their place in the same way that motorbikes/cars/electric vehicles have theirs and the advantages/caveats that come with them.

    Happy new year and keep up the good work! The Web is better by a long way than it was a few years ago and there will always be new problems

  13. Richard Lloyd

    expose_php=off

    I wonder how many installs run expose_php=off in their php.ini, therefore hiding the PHP version and mucking up these stats? As people have said, the latest three (5.4/5.5/5.6) PHP stable releases have all had security fixes, but the researcher claims that they're now magically "secure"? Er, they've just had a few security holes removed from the likely hundreds they still have!

    Better research might have determined exactly which PHP versions have a proof of concept/active exploit that is deemed serious and then list the percentages of sites running those versions.

  14. vordan

    PHP is usually way behind the web server...

    1. Vic

      PHP is usually way behind the web server

      No, it isn't...

      Vic.

  15. El Zorro

    Suhosin

    Presumably this research would also not be able to determine whether Suhosin was enabled on an otherwise vulnerable php installation.

    Many ISPs and distros install it by default because it reduces the number of attack vectors by a significant margin.

  16. razorfishsl

    Today I found a major new customer is running Ubuntu 5 on all its web facing production servers....

    (as the IT guy pointed out.... when we run update there is nothing to be updated....) (mental note to self... strong kicking in the nuts needed)

    Security by obscurity........ but at least the PHP is secure....

  17. smartypants

    PHP isn't a language.

    Dilbert's law predicts that any discussion about PHP will inevitably result in the presentation of the hallowed SQL injection exploit.

    We are all then supposed to sit agog that such a language allows such a thing. But this is silly.

    PHP isn't a language. It's a toolkit of practical technologies which has evolved over time to perform an ever broadening range of capabilities, and in order to get the most out of it, you need to be aware of the pitfalls and current best practice. In this regard, PHP is no different from much of the web stack - most of it open source - most of it bleeding edge.

    Javascript is arguably the most important programming 'language' though in itself it's practically useless because you quickly end up utilising a rich stack of other technologies to implement your system, and those technologies are riddled with flaws, inconsistencies and so on. Should we all shake our heads in knowing horror or do we just get on and build things?

    Life's too short for yet another whinge fest about this language or that.

    1. h4rm0ny

      Re: PHP isn't a language.

      PHP is a language.

  18. Anonymous Coward
    Anonymous Coward

    I wonder...

    ...how many of those are RHEL or CentOS servers which report low version numbers that don't indicate the back-ported bug fixes?

    1. James R Grinter

      Re: I wonder...

      I'm wondering how many know they're not relying upon (php-cgi seems to have been the main recent weakness) and keep an eye on each CVE to assess the risk and urgency of updates. It can't just be me?
