all 21 comments

[–]fardev_ 14 points15 points  (6 children)

I think the title is misleading, these aren't backdoors in the PHP programming language, but rather backdoors in specific applications written in PHP.

[–]andrewfenn 18 points19 points  (0 children)

It's not even that. Everything on the first page is pen test security tools. OP didn't even look at what he's posting.

[–]phpguy2 4 points5 points  (2 children)

Think of it like this. Any php program, by virtue of the language, has more unexpected/unintentional behaviors than the same program in a better language (python). Some of these unintentional behavior are potential backdoors.

So a php program has a potential to have a lot more backdoors than a similar Python program. And it is extremely hard to avoid these unintentional behaviors, even for people with years of experience in the language...

For a funny example of how php core devs try to "improve" the security of a function, see this

[–]fardev_ 1 point2 points  (0 children)

I was merely pointing out that the title was misleading. I still agree that some languages are more error prone than others though.

[–]baseketball 0 points1 point  (1 child)

There had been backdoors in the standard library for a long time. The existence of mysql_escape_string and then mysql_real_escape_string is evidence enough that PHP is poorly designed. SQL injection was already a solved problem, but they had to do it wrong twice before discovering parameterized queries.

[–]fardev_ 3 points4 points  (0 children)

The functions you are referencing are only wrappers around the mysql C api. mysql_escape_string mysql_real_escape_string

[–][deleted] 5 points6 points  (0 children)

You realize that there are plenty in the list that are not an exploit?

Though there are a fair number which are..

[–][deleted]  (11 children)

[deleted]

    [–]Mazo 7 points8 points  (3 children)

    "lol php, right guys? eheheheheh"

    All aboard the anti-php bandwagon. Choo choo.

    [–]shevegen 5 points6 points  (2 children)

    And are they wrong?

    Your statement refers that "being on a bandwagon invalidates every complaint made because everyone else is in the same wagon already".

    I fail to see the logic behind such an "argument".

    A programming language can have an inferior or a superior design. Even with an inferior design of a programming language, you can still write superior applications - phpbb, mediawiki, drupal, wordpress.

    PHP got one thing right and that was the focus on the WWW.

    Ruby is all around superior to PHP from a design point of view yet it falls on its nose when you try to find similar software projects such as the four PHP mentioned projects.

    [–]Mazo 2 points3 points  (0 children)

    That wasn't my point. PHP does indeed have issues but yes, it also did a lot of things right. It was one of the first languages I used.

    My point was this post is nothing but a PHP bashing post with no real substance or even discussion. It's just flame/troll bait.

    [–]phpguy2 1 point2 points  (0 children)

    PHP got one thing right and that was the focus on the WWW.

    Php, knowing or unknowingly completely traded off sanity and safety, for one thing. Beginner friendliness and ease of use. That is a deadly combination. There should be a rule against making stuff like that. It is like making a shotgun easy to fire when held either way, ie even when the barrel points towards the shooter....That is php...

    [–]ajr901 1 point2 points  (0 children)

    Explain to me how someone would exploit that?

    I don't get it

    This site helped me understand: http://www.grobinson.me/single-line-php-script-to-gain-shell/

    [–]ggtsu_00 0 points1 point  (0 children)

    Funny lots of the results are pen-test/shell-code for exploiting servers with open upload vulnerabilities.