Sunday, December 2nd, 2012

Why I personally refuse to go back to PHP

Take this post how you will, since it is based on my own personal opinion, and I really don't care what server-side language you prefer.

Many moons ago I was a huge PHP advocate, and absolutely nothing could sway me away from the language. I was able to develop many different types of websites and web applications with few issues whatsoever. I was using PHP before MVC frameworks for the platform, such as CakePHP, really made a large impact. As a result, my source code files tended to become difficult to manage after a long development period. This was also partly due to my attempts to keep my source files out of the main public web directory, so they wouldn't be directly accessible. Around this time I began to see the security implications of using files as web resource pointers, having seen many websites hacked due to poorly implemented code. To perform this task, I used Apache's mod_rewrite to rewrite the URLs so that the PHP files themselves were not directly exposed, and all requests went through a single PHP file which routed each request. I do believe this is now how CakePHP and similar frameworks do it, but since I've never touched those frameworks, I cannot say for sure.

All of this attempting to keep my source files out of the public web directory made my code difficult to maintain and to move from one server to another. Soon after, I began to look into other languages to see if they provided a native way to map resources to application code. I looked at both Ruby and Python. I created a command-line application in each which did the exact same thing, and enjoyed the overall syntax of Python over Ruby. Soon after, I began to learn how to build Python desktop applications using GTK+ and Qt3. I did not immediately try to build websites/web applications using Python.

During the time I was working with PHP, I did touch base with Zope, but did not code in Python, since I did not know the language at the time. Instead, I used the template engine to build some simple websites and really enjoyed how Zope mapped URL resources. I do believe this was my first urge to serve PHP websites without publicly serving the PHP files themselves.

A tough move...

When I first began to develop websites using Python, it was rather scary! For some reason, it was very difficult to embed Python code in my HTML, and I was unable to spaghetti my source code to do the things I was used to doing in PHP. This was my first leap into a REAL language, and not a template engine (which is how I see PHP now). I wasn't used to all these new methods of developing a website, and at first it was a very difficult transition; many times I wanted to go back to mixing source code and HTML in the world of PHP. But I held on, kept on trying, and knew that sooner or later it would pay off. Since I came from the world of PHP, I first used mod_python in Apache, which had a template engine called PSP, or Python Server Pages. For the most part, this allowed me to continue mixing source code with the output HTML. Soon after, I dived deeper into mod_python and began to write handlers. Since I classify myself as a programmer, I really enjoy learning and trying new things in programming. Apache mod_python handlers were rather powerful and extremely fun to play with.

From my personal experience of moving from PHP to Python, I see PHP as the language most web programmers begin with, due to the affordable hosting plans, large community, and plenty of existing applications written for it. PHP even attracts non-programmers who just want a website up and running, since most web hosts provide single-click installers for most of these applications. Depending on where you're from in the world, PHP is also called a toy language. This one is actually new to me; while originally writing this article I went through many online videos of various conferences where developers talk about their experience with PHP. This is also why this article was prematurely released, as some may have noticed. I got so distracted with the videos that I completely forgot about the article and it passed its publication date. As a result, many readers may have read only the first few paragraphs of this article.

Only after moving over to Python did I notice how awful a coder I actually was while programming in PHP. Since PHP is very lax and doesn't automate much of the web (which it should, so that new programmers don't have their apps hacked through poor form sanitation skills), this can lead to PHP being the Windows of web programming languages. Essentially, since it is the most widely used server-side scripting language and is very easily accessible on many web hosts, you will see it being abused for immoral purposes such as infecting servers and PCs with spam, malware, and other fun stuff. You rarely, if ever, see a spammer using a Python or Ruby environment for their social engineering needs.

After I started to work with Django, I began to learn and understand very essential server-side coding skills which I had never applied to my PHP applications. Yes, Django does apply lots of nice magic for web programmers, such as form validation and sanitation, cross-site scripting protection, and lots of other nice security protections: stuff that I basically never need to worry about while I use Django to build websites. After seeing this type of magic, it makes me wonder why languages such as PHP don't automatically provide these security protections for their web programmers. PHP was made for the web, but expects developers to just know about every security vulnerability out there. If you're just starting out and learning how to do server-side programming, odds are you won't understand much about these security vulnerabilities, let alone have the proper programming knowledge to solve them effectively... For the sake of a good chunk of PHP's user base, please make an option in PHP to enable such security protections, for the sake of all the Internet users out there. The last thing I want is my personal information stolen through some stupid SQL injection attack that a so-called programmer thought wouldn't affect their PHP script. I purposely avoid websites built using PHP for fear of my personal information not being properly secured by a PHP coder.

This isn't to say Python has no such faults, but at least in Django you're forced to use tried and tested security practices. Sure, you could disable CSRF protection, but why? You could manually fetch and validate the GET/POST data yourself, but why? Django just makes it easier right from the get-go to do things right and avoid data leakage or a hacked website in the future. Oddly enough, although PHP is built for the web, it seems to lack common knowledge of the latest security issues threatening server-side scripts.

There you have it

I'm sure these awesome PHP frameworks like CakePHP are doing what Django does to prevent server-side script abuse (at least I really hope so). If not, then I figure the only point of using such a framework is for MVC.

For a better understanding of why serving PHP files directly from the public web tree can be insecure, take this short scenario: a PHP script is developed to handle the simple task of uploading a file, but the programmer didn't take every possible user action into consideration... An evil user comes to this script one day and attempts to hack it with a fake upload which places a PHP script on the server for his evil bidding (this is how most web hosts are attacked in one form or another: the host ends up running unauthorized code). This evil script can do anything that the user it runs as can do, and if the server isn't correctly secured it may allow this evildoer to take full control of the server itself and add it to his botnet.

For the most part, this scenario is utterly impossible to perform under Python: even if the Python script allows Python files to be uploaded, it will be very difficult to make the FastCGI or WSGI process reload all of its Python source code to actually use it. On top of that, the source file would also need to be imported and correctly called from the main application. Unless this evildoer understands the structure of your application and can rewrite your main application to call his code, his code will never be loaded into the server's memory. You see, PHP script files are executed entirely differently from a Python, Ruby, .NET, or Java program. Since PHP essentially loads like a CGI script, apart from the PHP interpreter already being in memory, it makes it super easy to run unauthorized code on a server. Server-side languages like .NET and Java take it a step further than Python and Ruby, making it basically a requirement to compile the source code before it can be executed by the web server. It is this main insecurity in how PHP scripts are loaded that greatly turns me off from ever using it again. If someone could, say, make a special version of PHP that runs code in the same sense as Python programs are run, then I may consider PHP again.
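The upload scenario above is the case a PHP handler has to be written against. The following is an added example (not code from this post) of how such a handler can be arranged so that an uploaded file is never reachable as a script: the type is taken from the file's bytes, the stored name is server-generated, and the directory sits outside the web tree. It assumes PHP 7.1 or later and that UPLOAD_DIR is a path of your choosing that Apache does not serve.

```php
<?php
// Added example, not code from the post: an upload handler arranged so that an
// uploaded ".php" file can never be reached or executed by the web server.
// Assumed layout: UPLOAD_DIR lies outside DocumentRoot and its contents are only
// ever delivered back through serve_upload(), never by a direct URL.

const UPLOAD_DIR = '/var/www/app-data/uploads';   // assumed path, not under the web root
const MAX_BYTES  = 2 * 1024 * 1024;
// Permitted types, keyed by the MIME type detected from the file's own bytes.
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

// Stores one entry of $_FILES; returns the opaque server-side name, or null if rejected.
function store_upload(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        return null;
    }
    // Type comes from the bytes, never from $_FILES['type'] or the client's
    // filename, so a script disguised as "photo.php.png" is rejected whatever it is called.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        return null;
    }
    // Random name plus a server-chosen extension: nothing from the request
    // influences the final path, ruling out traversal or an executable suffix.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);   // readable by the server process, never executable
    return $name;
}

// The single route by which stored files reach a browser: streamed as data.
function serve_upload(string $name): void
{
    $path = UPLOAD_DIR . '/' . $name;
    // Only names store_upload() can have produced are looked up at all.
    if (!preg_match('/^[0-9a-f]{32}\.(png|jpg|pdf)$/', $name) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    readfile($path);
}
```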

Comment #1: Posted 1 year, 7 months ago by Cameron Eure

I don't agree with you on PHP being insecure just because you can serve your application from the public web tree... There are so many ways to exploit software that relying on that example is a huge injustice. Just for instance, PHP's "type juggling" system makes it fundamentally insecure to compare password hashes with "==", because if one of the hashes begins with a hex sequence or "looks" like a number, PHP automatically converts it to an integer. And PHP's integer compare is inherently weak. Running "php -r 'var_dump(11111111111111111111111111111111 == 11111111111111111111222222222222);'" evaluates to "true". So by leveraging this, you can essentially increase the odds of brute forcing a password, because things that /should/ evaluate to false will sometimes evaluate to true, when you craft input in a specific way. It's mind boggling how something that's so fundamental is so incredibly broken and wrong in PHP.

Also, focusing on one scenario doesn't prove secureness; while Python can't be exploited in many of the ways PHP can, that doesn't mean it can't be exploited. Dictionaries in Python have now proved to be DDOS-able TWICE due to a weakness in their hashing scheme that allows an attacker to fabricate input which will cause hash collisions close to 100% of the time (Python dictionaries use linked lists for hash collision resolution, and the hash weakness allows you to force all elements into a giant linked list, millions of entries long). Python has had its share of vulnerabilities, as have many popular Python packages, albeit not to the degree of PHP. The biggest issue is most PHP devs just don't seem to know what they're doing when it comes to security.

If you do something stupid, it doesn't matter what language you use; you'll likely end up with problems, and sometimes exploitable security holes.
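The loose-comparison problem raised in the comment above, as an added example that is not part of the comment: two constructed hex-looking strings that PHP's == treats as equal numbers, the comment's own integer literal case, and the comparisons a PHP application should use instead (=== for plain equality, password_verify() and hash_equals() for secrets). The string values are made up for the demonstration and are not real digests.

```php
<?php
// Added example, not from the comment: why PHP's loose == is unsafe for
// comparing hashes, and the comparisons to use instead.

// Two constructed strings (not real digests) that both look like "0e<digits>".
// PHP reads such strings as numbers in scientific notation (0 x 10^n), so the
// loose comparison below is really 0 == 0, even though the bytes differ.
const STORED = '0e1234567890';
const GIVEN  = '0e9876543210';

// Loose comparison: numeric-looking strings are converted before comparing.
function loose_match(string $a, string $b): bool
{
    return $a == $b;
}

// Strict comparison: same type and same bytes required; nothing is converted.
function strict_match(string $a, string $b): bool
{
    return $a === $b;
}

// The comment's example: both literals exceed PHP_INT_MAX, so they become
// floats, lose their low-order digits, and are no longer distinguishable.
function int_overflow_match(): bool
{
    return 11111111111111111111111111111111 == 11111111111111111111222222222222;
}

// Password check: password_verify() re-hashes the candidate and compares the
// digests in constant time; no == is ever applied to attacker-influenced strings.
function check_password(string $candidate, string $stored_hash): bool
{
    return password_verify($candidate, $stored_hash);
}

// For any other secret you compare yourself (API token, HMAC), hash_equals()
// compares byte by byte as strings and does not stop early on a mismatch.
function check_token(string $expected, string $provided): bool
{
    return hash_equals($expected, $provided);
}

$hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
var_dump(
    loose_match(STORED, GIVEN),
    strict_match(STORED, GIVEN),
    int_overflow_match(),
    check_password('correct horse battery staple', $hash),
    check_password(STORED, $hash),
    check_token(STORED, GIVEN)
);
```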

Comment #2: Posted 1 year, 7 months ago by Mathieu Comandon

I hate to be *that* guy but I can give you an easy way to make PHP just as secure as Python. I don't know anything about CakePHP but I've worked a lot with Symfony 1 and I'll assume that every web framework manages this issue in the same way: your code is served by a single file known to Apache, in PHP an index.php file and in Python a wsgi script, but every other file (images, css, js, user uploaded files) is served by your web server.

The key thing is to disallow execution of PHP scripts for user uploaded files; this can easily be done by adding "SetHandler None" to the location of your public, user uploaded files. Given that rule, Apache will act as a dumb file server except for your main controller.

Now, this is no reason to go back to PHP; Python is so much more enjoyable in every way possible. I've stopped doing PHP stuff for almost a year now and there's not one single thing I regret.
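The single-entry-point routing the post describes and the "SetHandler None" rule from the comment above, put together as an added Apache 2.4 configuration example (not from the post or the comments). The paths and the use of FallbackResource in place of mod_rewrite are assumptions; the front-controller effect is the same.

```apache
# Added example, not taken from the post or the comments. Assumed layout:
# /var/www/site/public is the DocumentRoot and holds only index.php and static
# assets; the application writes user uploads to /var/www/site/public/uploads.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/site/public

    <Directory /var/www/site/public>
        Options -Indexes
        AllowOverride None
        Require all granted
        # Front controller: any URL that is not an existing file is handed to
        # index.php, the one PHP file Apache is meant to run. This is the
        # built-in equivalent of the mod_rewrite routing described in the post.
        FallbackResource /index.php
    </Directory>

    # No PHP file other than the front controller may be requested by URL,
    # so application code living under the web tree is not directly exposed.
    <FilesMatch "\.ph(p[0-9]?|tml|ar)$">
        Require all denied
    </FilesMatch>
    <Files "index.php">
        Require all granted
    </Files>

    # Uploaded files: SetHandler None (the rule from the comment above) drops
    # whatever handler the .php extension is mapped to, so a file that slipped
    # through with a PHP suffix is served as inert bytes rather than executed.
    <Directory /var/www/site/public/uploads>
        SetHandler None
        Options -ExecCGI -Includes
    </Directory>
</VirtualHost>
```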

Python Powered | © 2012-2013 Kevin Veroneau