A security vulnerability was discovered in WordPress 2.8.3 recently. If you look at the flaw in question, I can’t believe people are still using PHP to publish websites. If you still do, you should be beaten with a stick. Let’s gloat about why Ruby (on Rails) is better, point by point.
Tom Ritter has posted an excellent analysis of the flaw. To me, it seems PHP is mostly to blame, with its insane global namespace and perverse functions that take any kind of input.
If you think about it, anyone still using PHP should be shot, really. With this insight I can probably write a bot to take down a PHP site in ten minutes or so. So here we go:
1. $key (which is a variable) gets created from URL parameters. This has always been the Achilles Heel of PHP. I am assuming register_globals is off, so they are creating this variable somewhere else. Baaaaaaddd. In Rails you would use params to fetch the URL parameter and then pass the value around in your methods.
2. The value is filtered using preg_replace, which also accepts an array. Barf! Why on earth? I know! Because it’s convenient. Convenience trumps security every time with PHP. In Ruby this could not happen because there is no global preg_replace function. You would call gsub on a String, and an Array has no such method.
3. wpdb->prepare happily accepts an array containing an empty string where a string value is expected. Major fail here. Because WordPress has to mimic proper prepared statements, it uses insecure PHP code instead of robust database-level code. In other words, the array with an empty string silently becomes an empty string instead of blowing up and raising an exception.
4. Only at this stage does any kind of logic fault come into play. The WordPress developers store the admin user without a user_activation_key apparently, because they didn’t foresee this problem. Still a PHP fault in my opinion, since automated integration testing is impossible.
I hate, sorry, love to say it: using Ruby on Rails would have prevented this flaw at every step of the way. So would other sanely designed programming languages.
As web developers we all think IE6 is bad. I think PHP is the IE6 of web development “languages” (term used extremely loosely).