Re: is PHP less secure than Perl, Python, or Ruby?

This is a very old article. It has been imported from older blogging software, and the formatting, images, etc may have been lost. Some links may be broken. Some of the information may no longer be correct. Opinions expressed in this article may no longer be held.

walterbyrd wrote:

I honestly don’t know. But, I have seen articles and posts about how PHP is terribly insecure.

PHP is not inherently insecure, but because it’s very easy to write PHP, it has become rather a popular language amongst people with little, if any, formal training on how to program. Because of this, there are an awful lot of badly written PHP scripts out there; installing them may well open up your server to abuse.

Most security issues (in any language) arise from a failure to properly check user input. Programmers make assumptions that a particular bit of submitted input doesn’t, say, contain an apostrophe and then they feed it into a database. If a user accidentally enters an apostrophe where they shouldn’t, this may cause an error trying to insert the data into the database. If the user deliberately enters an apostrophe, and then some other specially crafted input, then they may be able to do malicious things.

Most security issues arise from programmers making assumptions when they shouldn’t. If you always check and double-check every variable before doing anything critical with it, then you’ve solved 9% of security issues right there. (90% of security issues are caused by users who choose easy passwords, or write their passwords on their forehead so that they can remember it. The other 1% are “miscellaneous”.)
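The apostrophe problem described above, as an added example that is not part of the original post: the same lookup written first with the input pasted into the SQL text (the unchecked assumption), then as a parameterised query where the input is bound as data. It uses an in-memory SQLite database through PDO, so it assumes PHP with the pdo_sqlite extension; the table, rows and the "O'Brien" input are constructed for the demonstration.

```php
<?php
// Added example, not from the original post. Assumes PHP with pdo_sqlite.
// The table and sample rows below are constructed for this demonstration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT, email TEXT)");
$db->exec("INSERT INTO users VALUES ('Alice', 'alice@example.com'), ('Bob', 'bob@example.com')");

// 1) The assumption the post warns about: "the input never contains an apostrophe".
//    User input is concatenated straight into the SQL text, so the database
//    parses whatever the user typed as part of the statement.
function findUserUnchecked(PDO $db, string $name): array
{
    $sql = "SELECT name, email FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2) Parameterised query: the value is sent separately from the SQL text and is
//    only ever treated as data, so an apostrophe in it cannot change the statement.
function findUserPrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT name, email FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: a perfectly legitimate name that happens to contain an apostrophe.
$input = "O'Brien";

try {
    findUserUnchecked($db, $input);
    echo "unchecked: no error\n";
} catch (PDOException $e) {
    // The apostrophe closes the string literal early ('O'Brien'), leaving a
    // malformed statement. This is the "accidental" failure from the post; the
    // same mechanism is what a deliberately crafted input abuses.
    echo "unchecked: query failed -> " . $e->getMessage() . "\n";
}

$rows = findUserPrepared($db, $input);
echo "prepared: " . count($rows) . " row(s) for " . $input . ", no syntax error\n";

$rows = findUserPrepared($db, 'Alice');
echo "prepared: " . count($rows) . " row(s) for Alice\n";
```

Run it with `php example.php`: the unchecked version fails with a syntax error on "O'Brien", while the prepared version returns zero rows for that name and one row for "Alice" without any error. The point is that escaping or checking the input for apostrophes is the fragile fix; binding parameters removes the assumption altogether, which is what the post's "check every variable before doing anything critical with it" comes down to for database access.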