I currently work for a company that requires very in-depth information about any "new" software to install on their information systems. While I know how to code in php, my problem is getting my company to authorize the server software.
My needs don't include any database support, as all I need is some very simple scripting to provide better support to our users. We currently run an IIS server, with (I believe) pure HTML support only, but that means when we release new data, we would have to create a new page, and update our links for all our other pages, which is both time-consuming and a greater chance for error. My script would only reference the page that it exists on, and a few Excel Spreadsheets, the HTML version of which already exists. There is no need for database support.
What I am looking for is this, and I was unable to find it on the links provided in the stickied post; Is there a resource available, and if so, where, that provides a risk assessment/analysis of running a server that supports PHP?
Risk assessment?
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
I might be inclined to do a Google search for 'Risks associated with running PHP'. As far as a whitepaper or something like that, I am not sure that you'll find one here. I am sure they are out there.
If all you are doing is serving up static HTML pages, technically you don't even need a server. You could put the files on a network drive and everyone could access them from there. If there is a need for a server, a need which I am guessing your company has, then PHP will work with the server much like IIS uses ASP as a server-side scripting language. As for security, there are plenty of things you can do to secure PHP, and even in its default setup, PHP is really secure.
Maybe what you can do also, is search for 'Securing PHP' and use anything you find to try to convince your powers that be.
Re: Risk assessment?
Coar wrote: What I am looking for is this, and I was unable to find it on the links provided in the stickied post; Is there a resource available, and if so, where, that provides a risk assessment/analysis of running a server that supports PHP?
There are several commercial companies that offer code assessments.
However, from your description, I suspect you are not at all able/willing/likely to pay the large fees they charge to do so. It would easily push your "quick fix" code solution into the same league as unreasonably complex solutions with a large cost.
My suggestion? Put together the working version, request the approval, and put the onus on IT to provide the clear statement of what concerns need to be met.
maybe i'm not being clear enough, and for that i apologize.
while i can't go into details of what i do, or who i do them for, i can provide the following:
the current html page has an embedded spreadsheet that is a report
the report is updated daily, and its results cover the current month only
i'll be using the current html page as a foundation for my php code
the entirety of the script will be on one page, and only reference that page
while we have archived versions of the old reports, they are not available on the website
in terms of scripting, my code will be fine, I already have it figured out
there will not be a database referenced, and the code will be breakproof, providing that deliberate bad data is not provided to the web address, but that is not a concern
all i am trying to provide them with is a simple method to display the archived results, that can be updated by one who is trained after i leave, that won't be difficult
the only concern that is being presented is how secure the server is with the PHP software, and any negative software interactions that are known
- RobertGonzalez
Coar wrote: the current html page has an embedded spreadsheet that is a report
the report is updated daily, and its results cover the current month only
So the Excel spreadsheet will be updated by how many people? And the HTML page has this spreadsheet embedded into it how?
Coar wrote: in terms of scripting, my code will be fine, I already have it figured out
there will not be a database referenced, and the code will be breakproof, providing that deliberate bad data is not provided to the web address, but that is not a concern
If you are the only person with access to the data, the code and the server, it is not a problem. If this will ever be interfaced with by someone other than you that can throw data at it, then it could be a problem.
Coar wrote: ...while we have archived versions of the old reports, they are not available on the website...
all i am trying to provide them with is a simple method to display the archived results, that can be updated by one who is trained after i leave, that won't be difficult...
the only concern that is being presented is how secure the server is with the PHP software, and any negative software interactions that are known
PHP, by itself, is secure. What makes it insecure are bad php.ini settings (administrator's fault), improper interaction with external libraries (developer's fault), inefficient safety precautions by the developer (developer's fault) and server vulnerabilities (administrator's fault).
This link is from a google search for PHP security vulnerabilities. It offers some pretty good links to various reference material.
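Added example, not part of any post in this thread: one way a single-page archive viewer like the one described can handle "deliberate bad data" in the web address, by mapping the request value to a file only after strict validation. The `month` parameter, the `archive` directory and the `report-YYYY-MM.html` naming are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical layout: archived reports live beside this script as
// archive/report-YYYY-MM.html. Adjust to the real site structure.
const ARCHIVE_DIR = __DIR__ . '/archive';

/**
 * Map the untrusted ?month= value to a file inside the archive
 * directory. Returns the absolute path, or null if the value is
 * malformed or the report does not exist.
 */
function resolveReport(?string $month, string $dir = ARCHIVE_DIR): ?string
{
    // Accept only YYYY-MM. This rejects path separators, "..",
    // null bytes, URLs and anything else that is not a month.
    if ($month === null
        || preg_match('/\A(19|20)\d{2}-(0[1-9]|1[0-2])\z/', $month) !== 1) {
        return null;
    }

    $base = realpath($dir);
    $path = realpath($dir . '/report-' . $month . '.html');

    // realpath() returns false for missing files. The prefix check
    // keeps a symlink from resolving outside the archive directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// ?month[]=x arrives as an array, so only pass strings through.
$month = $_GET['month'] ?? null;
$file  = resolveReport(is_string($month) ? $month : null);

if ($file === null) {
    http_response_code(404);
    echo 'No report for that month.';
    exit;
}

header('Content-Type: text/html; charset=utf-8');
// Serve the file as data. A request-selected file is never passed
// to include() or require(), which would execute it as PHP.
readfile($file);
```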
I'm sorry if I seem harsh in the following statements, but what I keep trying to say apparently isn't clear.
I am not concerned about the security of the webpage or the spreadsheet.
I am not concerned about the people who will be updating the webpage or the spreadsheet, as I will be personally training them, or doing it myself.
I am concerned ONLY about the security of the PHP server software, as it pertains to the security of an IIS SERVER. What I need is a list of SERVER VULNERABILITIES or SERVER RISKS created by having the PHP server software installed on an IIS server, and a list of KNOWN software compatibility errors, as we do run a few programs specific to our webserver, programs that need to continue working.
Last edited by Coar on Fri May 12, 2006 10:10 am, edited 1 time in total.
- RobertGonzalez
It sounds like you are not getting the answer you want. I suspect you would do better by looking at the PHP web site or by searching for PHP vulnerabilities. Are there issues with PHP? Sure there are, but most of them come down to A) the admin who installed it; B) the server admin leaving vulnerabilities within the server (not a PHP issue); or C) developers that do not follow secure development practises.
I think I had said that bit before. I am not sure you will get the answer I think you are looking for here. I could be wrong.