PHP Security Architecture

27 Jan 2006

Andrew van der Stock wrote to let me know that he has posted a contextual overview of a security architecture for PHP. I think he clarifies many of the things he mentioned in his previous post, and he makes a statement that has been a guiding principle for me in my work on the Zend Framework:

Of course, it is possible to write insecure programs in any language if you try hard enough. What I want is the easiest way is also the safest way.

I'm really glad to hear Andrew make this statement, because I think it's a simple but important goal - make the easiest way the safest way. For example, I wrote recently about The addslashes() Versus mysql_real_escape_string() Debate. Which of those is easiest to type? Which is safest? When you want to output a username to the screen, is it easier to escape it with htmlentities() or just echo it and be done? We have some work to do.
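As an added illustration of that goal (example code written for this note, not from the original post or from Andrew's paper), here are two small PHP helpers that make the safest way to handle a username also the shortest way to type it: one for the HTML output context, one for the SQL context. The helper names e() and findUser(), the sample data and the use of PDO with the pdo_sqlite driver are assumptions for illustration.

```php
<?php
// Added example: "make the easiest way the safest way" as two tiny helpers.
// The names e() and findUser(), the sample user and the in-memory SQLite
// database are constructed for illustration.
declare(strict_types=1);

// 1. Output context. ENT_QUOTES escapes both quote styles, so the result is
//    safe in element content and inside quoted attributes alike. Calling e()
//    is no longer to type than a bare echo, so the safe path is the easy path.
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. SQL context. A bound parameter never becomes part of the SQL text, so the
//    addslashes() versus mysql_real_escape_string() question does not arise.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database with one user whose name contains characters
// that are special in both HTML and SQL (a quote and a tag).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->prepare('INSERT INTO users (username) VALUES (:name)')
   ->execute([':name' => 'O\'Brien <b>"admin"</b>']);

// Look the user up by the raw string: the quote and the markup are plain data
// to the query, no escaping step for the developer to remember.
$user = findUser($db, 'O\'Brien <b>"admin"</b>');

// Output: a bare echo would emit the <b> tag as live markup; e() is as short.
echo 'Found user #' . $user['id'] . ': ' . e($user['username']) . PHP_EOL;
```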

One aspect of this discussion that has been heavily debated within the PHP community is whether PHP should provide a powerful and flexible foundation like C does, or whether it should behave more like a framework. For example, when the topic of XSS comes up, many people blame PHP for not doing something automatically such as removing specific characters or escaping. Others note that almost any PHP framework offers such protection, and they'd rather see PHP remain a foundation from which to build.

Not being a PHP core developer myself, I'm focusing my efforts on the framework side of things. However, I have high hopes for Andrew's influence, and it sounds like he's in touch with Rasmus:

I have a reply from Rasmus. Apparently, he saw Chris's blog and thus this rant, and replied.

Andrew's "Failure of Leadership" comment probably won't win him any brownie points, but at least he got some attention. :-)