PHP Security Vulnerabilities and Language Overview

What is PHP?

First released in 1995, PHP is an open source scripting language designed for web development that can also be embedded directly in HTML. Originally, PHP stood for Personal Home Page; today the name is the recursive backronym PHP: Hypertext Preprocessor.

What separates PHP from client-side languages such as JavaScript is that PHP code is executed on the server, which generates HTML that is then sent to the client. PHP is a dynamic language that lets developers run their code right away without having to compile it first. Touted as one of the easier languages to learn, PHP also has a vast array of online resources and documentation available for both newcomers and experienced developers.

Additionally, PHP continues to evolve, as can be seen in Facebook's rollout of the HipHop Virtual Machine (HHVM) for PHP and later of the Hack language, which is deeply rooted in PHP. In Stack Overflow's 2016 developer survey, PHP remained the fifth most popular language, used by 25.9% of the 56,000 respondents, the same spot it occupied in 2015.

Why was PHP initially created?

Developed in 1994, initially as a way for its creator, Rasmus Lerdorf, to keep a tally of the number of people visiting his online resume, the earliest version of PHP was a set of Common Gateway Interface (CGI) binaries written in C. Lerdorf called this suite of scripts "Personal Home Page Tools," which is where the name PHP originally came from. PHP was influenced by C, Perl, Java, C++ and Tcl.

PHP release announcement

In 1995, Lerdorf publicly released PHP under the GNU General Public License, encouraging developers to use it for "logging access to pages in your own private log files, real-time viewing of log information, banning users based on their domain" and ten other functions, along with four bullet points listing what is not needed to use the first release of the PHP tools.

PHP 3 and beyond…

In 1997, Israeli programmers Zeev Suraski and Andi Gutmans formed the base of PHP 3 by rewriting the parser, and they launched PHP 3 in the summer of 1998. PHP 4 was powered by Suraski and Gutmans' Zend Engine, the open source scripting engine that interprets the PHP programming language. PHP 5, released in 2005, was powered by the Zend Engine II and included upgraded support for object-oriented programming, the PHP Data Objects extension and other enhancements.

PHP 6 was designed to include native Unicode support but was eventually abandoned. Its successor, PHP 7.0, followed PHP 5.6 and was released in late 2015; it included, among other improvements, Zend Engine 3 (performance improvements and 64-bit integer support on Windows), uniform variable syntax and an AST-based compilation process.

Who uses PHP?

Some of the biggest sites on the internet include PHP in their technology stack, with Facebook being the most notable given its impressive engagement statistics, which include over 1 billion unique daily logins and five new profiles created every second. Joining Facebook on the list of giant websites written in PHP are Wikipedia, Flickr, WordPress.org, moveon.org and MailChimp.

PHP Code Security

Like any popular programming language, PHP has its own set of vulnerabilities and security issues, and developers programming in PHP need to be aware of them.

Security quote by PHP expert Dave Shirey

Common PHP Security Vulnerabilities

In addition to SQL injection (SQLi), cross-site scripting (XSS) and cross-site request forgery (CSRF), which affect most contemporary programming languages, PHP applications also face threats from:

Is your PHP code secure?

When it comes to securing your PHP code, there are numerous options available, including dynamic application security testing (DAST), penetration testing, static application security testing (SAST) and others. To save both time and money on application security by identifying and mitigating security risks during the earliest stages of the software development lifecycle (SDLC), static code analysis is the best way to ensure that your code is free from potential vulnerabilities and exploits.

While numerous open source PHP static code analysis solutions are available, their financial benefits are often outweighed by a number of drawbacks, which include security issues, the inability to scale properly and the lack of the support and liability that many organizations need to count on, especially in the field of security.

Additionally, many open-source source code analysis solutions are unable to perform under the rigorous demands of a continuous integration (CI) environment.

Checkmarx's CxSAST, a static code analysis solution, stands out among PHP testing solutions not only as the solution that will keep your PHP code free from security and compliance issues, but also as the tool that will advance your organization's application security maturity.

CxSAST works with the tools your developers are already using, as it integrates seamlessly with most common development programs at every stage of the SDLC. CxSAST features such as incremental code scanning and best fix location make it ideal for any continuous integration / continuous delivery (CI/CD) environment.

When vulnerabilities are detected in PHP code, CxSAST will not only identify the best fix location but will also offer the developer resources to understand how the attack vector works, as well as remediation advice to help them avoid similar mistakes in the future.

For more on the interesting relationship between Facebook and PHP, see Do Developers at Facebook use PHP Static Analysis Tools?
