Why PHP is broken

Having worked with PHP for some time now, I have come to the conclusion that it is broken in a number of ways. The reason for writing about this is that some of the points I will come back to in a moment can and will harm innocent users. Others are just a pain in the ass when I have to make useful stuff utilizing the language.

General coding practices are out of the scope of this document.

I have chosen to split this text in two relating to the following topics:

Security related flaws

I have no doubt that the PHP programmers had the best intentions when they designed the language. But it seems that their efforts to make the language easy to use, even for beginners, have a number of security implications.

When I first started writing stuff in PHP, I found it a little ugly that all the variables get turned into global variables, as that is not what I was used to, having worked mostly with CGI scripts in C as well as Perl. While this is a nice feature at first glance, it has the side effect that any user can easily pollute your global namespace. Combined with sloppy coding practices (which should not be taken lightly, as the language is targeted at less skilled programmers), this can lead to various exploits.

More than once I have seen code that assumed variables to be undefined when used for the first time and proceeded happily to do things like appending to an array or increasing a variable. However, this will not be noticed, because the default error reporting level is set too low.

My security recommendation is to do the following when starting a new PHP-based project:

  1. Disable "register_globals"
  2. Enable "track_vars"
  3. Write a script called "init.php" or similar, which is included at the top of every page throughout the site. It sets error_reporting to 15 (setting it higher will give warnings that are only useful to the PHP developers) and then goes on to check that "register_globals" is actually turned off, and dies if it isn't.
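
An added example of such an "init.php" (not code from the original text), followed by the page-side habit of initialising variables before first use. The helper names `ini_flag_enabled` and `request_param` are hypothetical, and the request arrays `$_GET` and `$_POST` are assumed to be available.

```php
<?php
// init.php (added example): include at the top of every page.

// 15 = E_ERROR | E_WARNING | E_PARSE | E_NOTICE. Notices are what reveal
// reads of variables that were never initialised.
error_reporting(15);

// ini_get() returns a string ("1", "On", "0", "") or false for an
// unknown option, so normalise it before testing.
function ini_flag_enabled($name)
{
    $value = strtolower(trim((string) ini_get($name)));
    return in_array($value, array('1', 'on', 'yes', 'true'), true);
}

// Refuse to run at all if request data would be injected as globals.
if (ini_flag_enabled('register_globals')) {
    header('HTTP/1.0 500 Internal Server Error');
    die('Configuration error: register_globals must be disabled.');
}

// Read one request parameter explicitly from the request arrays instead
// of trusting a global variable that happens to have the same name.
function request_param($name, $default = null)
{
    if (isset($_POST[$name])) {
        return $_POST[$name];
    }
    if (isset($_GET[$name])) {
        return $_GET[$name];
    }
    return $default;
}

// --- In a page, after: include 'init.php'; ---
// Initialise before appending or incrementing, so the starting value is
// always set by the script itself and never by request data.
$ids   = array();
$count = 0;
foreach ((array) request_param('id', array()) as $id) {
    $ids[] = (int) $id;   // cast: request values always arrive as strings
    $count++;
}
```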

General mis-designs

The things that tend to annoy me the most are the features that are inspired by other popular languages such as Perl and C, but which the PHP programmers for some reason have chosen to do slightly differently. One example of this is heredocs. Another is the syntactical notation of scalars, arrays and hashes. PHP uses the same notation as Perl some of the time and its own the rest of the time. Its own looks like Perl, though, but has a different semantic meaning. Furthermore, arrays and hashes are the same thing, which is utterly stupid if you ask me.

Then there is the extension mess. Extensions in PHP are generally added by independent individuals without much coordination. The worst results of this are the various database interfaces, which have nothing whatsoever in common. This can of course be worked around, but not without hurting performance.

Another thing is "magic_quotes_gpc". It seems to cause a lot of confusion as well as broken code. Many people use addslashes all over the place even though "magic_quotes_gpc" is enabled, because that is what security-minded people have been telling them to do. Later they notice backslashes in the output from their database and add a lot of calls to stripslashes as well. The fact that "magic_quotes_gpc" only works with some databases makes its existence even less justified. Of course, if the database interfaces all had support for placeholders, escaping data to put it into SQL queries wouldn't be needed at all.

Conclusion

PHP has proved to be a very popular language, and the weaknesses mentioned here have probably helped with that a great deal. It is, however, not necessarily a good thing to have so many unskilled people writing code without understanding the fundamental security concerns relevant in a hostile environment such as the web. Furthermore, annoying skilled programmers knowledgeable in other languages is a bad thing.

As a skilled programmer this is my viewpoint. Feel free to disagree.


Thank you for your interest in this subject.

Any comments can be sent to me at comments@borderworlds.dk.

