PHP Consortium Tackles Third-Party Application Security | eWeek

PHP Consortium Tackles Third-Party Application Security

Écrit par
Ryan Naraine
Ryan Naraine
Feb 1, 2005
3 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Worried that the credibility of the PHP scripting language is being hurt by high-profile security flaws in third-party applications, an international group of coding experts is taking matters into their own hands.

The group, which includes Zend Engine developer Andi Gutmans, has formed the PHP Security Consortium with ambitious plans to promote secure programming practices among developers and set up a one-stop shop for documentation, tools and standards.

/zimages/3/28571.gifClick hereto read about new Zend software for making PHP enterprise-ready.

The formation of the consortium was triggered by the recent Santy worm attack against Web forums running phpBB, a message board software written in PHP. “Theres this odd tendency in the PHP community to call everything PHP, even if its just a third-party application written in PHP. We saw this happen with the phpBB issue, even though that had nothing to do with a security problem in PHP,” said Chris Shiflett, a founding member of the new consortium.

At the time of the phpBB/Santy worm attacks, the Apache-backed PHP Group that manages the open-source language was in the middle of rolling out some unrelated PHP security fixes, and the timing led to some confusion.

“[The worm] exposed a mistake in the input validation in the phpBB message board application. … Without proper input validation of untrusted user data combined with any of the PHP calls that can execute code or write to the file system you create a potential security problem,” the group said in a notice to developers.

Thats why theres a need for some guidance from a reputable PHP Security Consortium, Shiflett said in an interview with eWEEK.com. “Because PHP has a very low barrier to entry, a lot of inexperienced developers are using it for their solutions,” he said. “They dont tend to understand Web application security, and theyre creating applications with serious vulnerabilities.

“There is this urgent need to educate these developers and provide them with resources to get up to speed,” Shiflett added.

Next Page: Code audits on apps written in PHP.


Page 2

Shiflett, who is also founder of PHPCommunity.org and a member of the Zend PHP Advisory Board, said the consortium will also conduct code audits of popular third-party applications written in PHP to find security vulnerabilities. “Youll see us issuing advisories and guidance based on our own findings,” he said.

The immediate plan is for the consortium to organize its work into separate projects consisting of documentation, utilities and other resources. The first project is Shifletts own PHP Security Guide, which discusses the most common security concerns for Web developers.

“The guide tries to explain the attack scenarios and give examples of exploits. Developers need to understand how attacks happen and how they can secure their applications,” Shiflett explained.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

The aggressive move to beef up security around PHP comes at a crucial time for the project, which is shipped standard with a number of Web servers. The 10-year-old project has seen startling usage growth in recent years, including adoption by high-profile Web properties like Yahoo Inc., Lycos Inc. and Disney Online.

German airline Deutsche Lufthansa has also embraced PHP in a big way, using the scripting language for electronic ticketing and back-end systems for its agencies and bookings. Lufthansa is currently running 50 PHP servers.

Check out eWEEK.coms for the latest security news, reviews and analysis.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.