Major Security Bug in PHP

Submitted by Sanjaya Sugiarto, 2004-12-21, in Bugs & Viruses

A serious bug in the popular PHP development language, which affects PHP versions prior to 4.3.10 or 5.0.3, can leave databases wide open to intrusion if the proper security steps aren't taken.

About the author: David Adams

Comments (16)

2004-12-21 9:02 pm
Please tell us WHY you are sure. Go on, give us a good read, matey.

2004-12-21 9:05 pm
"If they had open sourced .ASP we would not have had PHP !!"
PHP was developed even before ASP, so not true.

2004-12-21 9:28 pm
Well, but if they had produced something decent before PHP we would have avoided it! I hate PHP, sorry, I can't stand stuff like this:

    Unused terminal symbols
    T_COMMENT
    T_DOC_COMMENT
    T_OPEN_TAG
    T_OPEN_TAG_WITH_ECHO
    T_CLOSE_TAG
    T_WHITESPACE
    State 282 conflicts: 2 shift/reduce
    State 611 conflicts: 2 shift/reduce

2004-12-21 10:28 pm
I think of it as C without pointers.

2004-12-21 11:14 pm
I think of it as being crap. No namespaces, an object model that's too sparse to be of use and that performs like a sloth on lithium if you try to use it. It's easy to get started in PHP but it requires great discipline and effort to write anything worthwhile (of any scale) in it.

2004-12-21 11:28 pm
"... it requires great discipline ..."
What's wrong with that 🙂

2004-12-22 12:22 am
Take that argument too far and you might as well argue that everything should be coded in assembler. Discipline is always a good quality in a coder, but PHP is a scripting language that threatens to make a horrible mess without constant watchfulness and awareness of the traps. Given that most PHP coders are newbies with no understanding of this, the results are often painful. Even halfway decent projects like SquirrelMail are bogged down with atrocious code (and more bogged down by the poor performance of the poor object model). It's a question of proportion.

I prefer cars with manual gears to those with automatic transmissions. I feel more in control and they are more efficient if you drive at all well. But a regular car with a manual transmission is still a reasonable method of transport. A monocycle with only one pedal, on the other hand, is not a practical vehicle no matter how much discipline it requires to keep it upright.

2004-12-22 12:44 am
PHP is good for small to medium scale web applications, since it is lightweight when programmed properly; every programming language requires discipline to be used efficiently. J2EE is good for large scale stuff, but I don't bother with ASP, I don't wanna be stuck to Windows Server.

2004-12-22 1:19 am
PHP should be used for what it is designed for: web scripting for simple to moderate applications. If you need stuff like namespaces and better object oriented features, you're welcome to use Java or .NET.

2004-12-22 10:32 am
By the list of your hates, it sounds like you're trying to use PHP for something it really wasn't designed for. You'd be better off using J2EE. PHP is a great scripting language if you use it to solve the types of problems for which it was created.

2004-12-22 12:49 pm
I don't know so much here, but can't Python do the same as PHP but using a more robust language, with namespaces, modules and all that stuff...? How does PHP exceed Python?

2004-12-22 1:23 pm
There's currently a worm floating around which exploits a vulnerability in the dreaded phpBB. All these PHP-related security issues are awesome... :/

2004-12-22 3:00 pm
PHP is a language that will instantly reveal your level as a programmer. It is easy to write poor code, but it's actually easy in every language to write poor code. No one uses PHP b/c it's best with objects. Everyone uses it b/c it has one of the most straightforward syntaxes of modern scripting languages, is excellent on the web, is fast, and has great documentation.

2004-12-22 3:07 pm
"J2EE is good for large scale stuff, but I don't bother with ASP, I don't wanna be stuck to Windows Server."
Try ASP.NET, it doesn't have you stuck to a Windows server; it can run on a Linux server with Mono (for the time being).

2004-12-22 9:16 pm
I also come from a C/C++ background and I have to say that I hate the dollar signs on PHP variables; it doesn't matter how much discipline you have, you're always going to forget some stupid dollar sign. It's even worse than Python's indentation (another pet hate).

2004-12-22 11:44 pm
"Everyone uses it b/c it has one of the most straightforward syntaxes of modern scripting languages, is excellent on the web, is fast, and has great documentation."
I agree PHP docs are nice, and it's easy to find on hosting services. I don't think PHP syntax is in any way better than that of every other language except Brainf**k. And its performance is the worst of every other serious scripting language for all duties. And it can't handle multibyte encodings. And OO performance is awful. Plenty of security issues too. The Zend engine just sux, that's it. I mean, please consider my previous post: its authors *don't have a clue* what the PHP5 parser is doing. It works by PFM. PHP was nice in the last century; its time is now past, just like biplanes.
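The article names only the fixed releases (4.3.10 and 5.0.3), so the first practical step for an administrator is an inventory check: which of the PHP installs I am responsible for fall in the affected range? The following is an added Python example, not code from the article or from the PHP project. It assumes, as its own reading of "prior to 4.3.10 or 5.0.3", that 4.x releases below 4.3.10 and 5.x releases below 5.0.3 are affected; the function names, the version regex and the sample version list are constructed for the example.

```python
import re

# Fixed releases named in the article, keyed by major branch.
FIXED_BY_BRANCH = {4: (4, 3, 10), 5: (5, 0, 3)}

# Numeric triple plus whatever trails it ("RC1", "-dev", a distro package tag).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_php_version(version: str):
    """Split a PHP version string into (major, minor, patch, suffix).

    The suffix is kept so that a pre-release of the fixed version
    (e.g. "4.3.10RC1") is not mistaken for the fix itself.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version string: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4)


def is_affected(version: str) -> bool:
    """True if the version is inside the range the article calls affected.

    Assumption (this example's, not the article's): "prior to 4.3.10 or
    5.0.3" means 4.x below 4.3.10 and 5.x below 5.0.3. Other major
    branches are outside what the article covers, so they raise rather
    than silently reporting "fixed".
    """
    major, minor, patch, suffix = parse_php_version(version)
    if major not in FIXED_BY_BRANCH:
        raise ValueError(f"PHP {major}.x is outside the range the article covers")
    fixed = FIXED_BY_BRANCH[major]
    numeric = (major, minor, patch)
    if numeric < fixed:
        return True
    # Exactly the fixed version but with a suffix: a pre-release (RC, -dev)
    # predates the fix, and a distro tag cannot be told apart from one by
    # the string alone, so the conservative answer is "affected".
    if numeric == fixed and suffix:
        return True
    return False


def triage(versions):
    """Map each version string to "affected" or "fixed" for a host inventory."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, as one might collect from `php -v` on each host.
    sample = ["4.3.9", "4.3.10", "4.3.10RC1", "4.3.11", "5.0.2", "5.0.3", "5.0.3-dev"]
    for version, status in triage(sample).items():
        print(f"PHP {version:<10} {status}")
```

The check is deliberately conservative: a suffixed string at exactly the fixed version is reported as affected, because a backported distro package and an RC build look the same from the version string, and a false "affected" costs a manual look while a false "fixed" costs an unpatched server.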