OWASP, the Open Web Application Security Project, is famous for its Top Ten list of security vulnerabilities. David ported the list to PHP (PHP and the OWASP Top Ten), and now OWASP has released its own PHP-specific list, the PHP Top 5:
The PHP Top 5 is based upon attack frequency in 2005 as reported to Bugtraq. This information is a valuable insight into the most devastating attacks against the world's most popular web application framework.
In 2005, OWASP collaborated with SANS to research and write a completely new PHP section to their successful Top 20 2005. The OWASP PHP Top 5 is the full unabridged text, updated to reflect recent XSS attacks and SQL injection vectors.
The top five concerns for PHP developers, according to this research, are:
- Remote Code Execution
- Cross-Site Scripting
- SQL Injection
- PHP Configuration
- Filesystem Attacks
Remote code execution (also called remote code injection or code injection) should see a reduction in popularity in PHP 6. The following list of changes is from the PHP 6 meeting notes that Derick posted:
- We split allow_url_fopen into two distinct settings: allow_url_fopen and allow_url_include. If allow_url_fopen is off, then allow_url_include will be off too.
- We enable allow_url_fopen by default.
- We disable allow_url_include by default.
SQL injection could also see a reduction in popularity if more and more developers start using PDO and its support for prepared statements. From the manual:
Prepared statements are so useful that they are the only feature that PDO will emulate for drivers that don't support them. This ensures that you will be able to use the same data access paradigm regardless of the capabilities of the database.