PHP in Secure Environments

While PHP is by far the most popular framework for web development, according to BuildWith Trends (2011) its popularity is actually on a decline – the graph posted on the PHP.net website is from 2007. Newer technologies such as ASP.NET Ajax, Ruby on Rails, Adobe Flex and Microsoft Silverlight are gaining larger market share (BuildWith Trends, 2011). On the other hand, the PHP framework is being actively developed and supported therefore its popularity does not play a major role when discussing security of the environment.

When discussion secure e-commerce environment, in many cases the choice of the development language itself is not the major influencing factor in the overall security stance. In many cases, the hackers are targeting misconfigured or outdated services rather than trying to exploit vulnerability such as buffer overflow in the language interpreter (Verizon RISK Team, 2011). Moreover, Open Web Application Security Project (OWASP) Top 10 web application security risks highlight the fact that majority of exploitable vulnerabilities are related to the web server such as misconfiguration and insufficient transport layer protection, and the security awareness of the software developers such as injection, cross site scripting and insecure direct object reference (OWASP, 2010).

Security awareness of software developers is considered by many security experts as the main factor impacting the risk exposure of a web application (Dafydd Stuttard and Marcus Pinto, 2011). Lets consider SQL injection as an example; while the SQL injection vulnerability was first documented in 1998 (rain.forest.puppy, 1998) and ranked as a number one security risk by the Open Web Application Security Project (OWASP, 2010), the code such as (potentially vulnerable to SQL injection):

Select * from products where productCode=' " . $prodcode . " ' "

still appears in the university lecture notes (Laureate Online Education, 2007).

Organizations such as PHP Groups and PHP Security Consortium provide guides on security of PHP deployment and secure code development using PHP. In addtion, the guide (PHP Security Consortium, 2005) covers topics such as input validation, database and SQL injections, session management and issues related to shared hosts.

Bibliography

• BuildWith Trends, 2011. “Frameworks Distribution” [online]. Available from: http://trends.builtwith.com/framework (accessed: November 4, 2011).
• Dafydd Stuttard and Marcus Pinto, 2011. "The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws". 2^Nd Edition. Wiley.
• H.M. Deitel, P.J, Deitel and A.B. Goldber, 2004. “Internet & World Wide Web How to Program”. 3^Rd Edition. Pearson Education Inc. Upper Saddle River, New Jersey.
• Laureate Online Education, 2007. “MSC IN: Programming the Internet Seminar Five – PHP / Database Connectivity”. Laureate Online Education B.V.
• OWASP, 2010. “OWASP Top 10 for 2010” [online]. Available from: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project (accessed: November 4, 2011).
• PHP Security Consortium, 2005. "PHP Security Guide" [online]. Available from: http://phpsec.org/projects/guide/ (accessed: November 4, 2011).
• rain.forest.puppy, 1998. "NT Web Technology Vulnerabilities" [online]. Phrack Magazine Volume 8, Issue 54 Dec 25th, 1998, article 08 of 12. Available from: http://www.phrack.org/issues.html?issue=54&id=8#article (accessed: November 4, 2011).
• Verizon RISK Team, 2011. “2011 Data Breach Investigations Report” [online]. Verizon Business. Available from: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf (accessed: November 4, 2011).