Does PHP4 have holes

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

rami
Forum Contributor
Posts: 217
Joined: Thu Sep 15, 2005 8:55 am

Post by rami »

I have written a small application in PHP. When I was presenting it to a so-called expert, he said that "your application is really vulnerable now or of no use as PHP4 itself has bugs or security holes".

Is that true?

What kind of security holes are there?
I find that, except for some functions, PHP4 and PHP5 are almost the same if I don't use OOP.

What's the fact?
Should we stop using PHP4?

What's the fact?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

One can make that general level statement about almost any piece of software, as there are likely holes under certain circumstances.

Whether those holes are in the software itself or created via the product built from it depends on the specifics. Since your post doesn't go into specifics, I don't know how much confirmation we can give you.

There were a few security holes in older versions of PHP 4 and there are some potential vulnerabilities in various components of the system. If you want to know more, check the Hardened PHP project and Chris Shiflett's site.
rami
Forum Contributor
Posts: 217
Joined: Thu Sep 15, 2005 8:55 am

Post by rami »

That means, as a general user, if I make a site using all my own general skills, not going through each and every update of PHP, then my site will be easily hacked by even some advanced user of PHP..

Is that what it means...

OK, high-level security, that's OK... but I am concerned about holes in the language itself which are known by anyone, maybe some one-year-old user of PHP...
That way there is no use in making any site and using lots of time and effort..
Isn't it...?

Should we stop using PHP 4..?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Sorry, for the most part, I'm having a tough time deciphering what you're saying.

As for whether we should stop using PHP 4.. while I'm an advocate for using PHP 5 (for various reasons) I cannot say definitively that people should stop using PHP 4. Given that it is still in development I have no problem with it, on the whole. The problem I have with its use is that hosts often trail quite a ways behind the releases of newer versions. That problem is on hosts, not developers.
rami
Forum Contributor
Posts: 217
Joined: Thu Sep 15, 2005 8:55 am

Post by rami »

I was trying to say:
from what you are saying, PHP4 itself is not crackproof and the (PHP4) language itself provides many ways for crackers to crack sites...
Is that it?

By the way, what are the potential areas of security headache?
I found web defacing...
normally solved through not taking HTML special codes..

Second, SQL/web injection,
somewhat solved through taking data and validating it.

What others....
I think that global variables off/on is more the concern of the server's security people rather than the simple programmer.. on a shared host.. isn't it?

By the way, please don't show me the way to some security posts... I have read many of them and all in all they tend to say these (URL injection... web defacing) but they present it in a different way..
So I want to discuss it here.
Thanks
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

Yahoo serves more than 4 billion page views a day and is a very popular target for a wide variety of malicious activity.

Yahoo uses PHP 4.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

shiflett wrote: Yahoo serves more than 4 billion page views a day and is a very popular target for a wide variety of malicious activity.

Yahoo uses PHP 4.
:lol: that pretty much sums it up...
toasty2
Forum Contributor
Posts: 361
Joined: Wed Aug 03, 2005 10:28 am
Location: Arkansas, USA

Post by toasty2 »

I use php4. It's fine, I've never run into problems. It doesn't have some of the features of php5, but there always seems to be a way around that.
nops
Forum Newbie
Posts: 1
Joined: Mon Sep 25, 2006 3:24 am

There is no perfect security

Post by nops »

So your so-called expert is always right with every project :-)

I guess it's true PHP got some security holes, but this is because it's just not possible to write bug-free and exploit-free software if a project grows to a certain size.
But u won't find a totally secure Web programming language.
Java .. not really a web programming language.
perl .. same as with php just not perfect
Flash ..lol
javascript .. megalol
asp .... *censored*
c.. ok, u can do it but still not perfect ;-)

The only thing someone who offers such a language can do is to fix all bugs as soon as possible, and as far as I know the time for PHP bugfixes is pretty fast for a big company.

Most security holes are just produced by the web programmer that uses the language or by hosters that won't update their servers (or use a bad configuration).

So choose your host carefully, maybe pick one that offers HardenedPHP, learn how to make your scripts secure and keep up with latest security issues.

Then PHP is a pretty secure solution.