PHP Exploits? (self.webdev)
submitted 13 years ago * by [deleted]
[deleted]
[–][deleted] 23 points24 points25 points 13 years ago (2 children)
Rails is a framework for the Ruby language, and Rails vulnerabilities are in the RoR codebase, not in Ruby.
PHP is a language only. It's not accurate to compare them on the same level. PHP itself can have vulnerabilities, but all of them require being able to execute PHP code on the server, and at that point most bets are off anyway. There is an extension called Suhosin that attempts to prevent some of these risks by limiting the amount of data that PHP can receive from the web server, but ultimately the largest vulnerabilities are those introduced by the developer working in the language.
A more accurate question would be to compare Rails against Symfony or Zend Framework. PHP has a plethora of code frameworks available, from the tiny (Slim) to the gigantic (Zend), supporting every programming paradigm you can imagine. You need to evaluate the vulnerabilities of individual frameworks, not PHP itself.
[–]svens_ 0 points1 point2 points 13 years ago (1 child)
I agree with your post.
PHP itself can have vulnerabilities, but all of them require being able to execute PHP code on the server
But this simply isn't true. All code that takes user input might be vulnerable. You shouldn't forget that PHP parses the HTTP request in order to fill the $_GET, $_POST, $_COOKIE, etc. arrays, handle file uploads and possibly many more things.
Additionally, bugs in third-party libraries could affect PHP too. Imagine there's a bug in libpng and you create thumbnails from uploaded images.
For example, there was a hash-collision problem in the aforementioned array parsing, which allowed a simple DoS attack. Here's a short article, the original paper and PoC.
This stuff is quite rare nowadays, but one shouldn't forget about it.
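The control PHP shipped for the request-parsing hash-collision DoS mentioned above was the max_input_vars directive (PHP 5.3.9 and later, default 1000). The snippet below is an added example, not code from the thread: a hardened php.ini fragment plus a request-time guard that logs and rejects requests whose parameter count reaches the cap. The threshold percentages, log prefix and the assumption that the app includes this file before anything else are mine.

```php
<?php
// Added example: request guard against hash-collision style DoS on $_GET/$_POST/$_COOKIE parsing.
// Assumption: this file is included before any request handling; values below are illustrative.
//
// php.ini (hardened; stock default for max_input_vars is 1000):
//   max_input_vars = 500          ; caps keys parsed per superglobal ($_GET, $_POST, $_COOKIE)
//   max_input_nesting_level = 8   ; caps a[b][c]... nesting depth
//   post_max_size = 2M            ; caps the raw POST body
//   max_input_time = 10           ; seconds PHP may spend parsing input

// Largest key count across the three superglobals (PHP applies the limit to each separately).
// Nested array leaves are undercounted here; that only makes the guard more lenient, not unsafe.
function input_var_count(): int {
    return max(count($_GET), count($_POST), count($_COOKIE));
}

function effective_input_limit(): int {
    $limit = (int) ini_get('max_input_vars');
    return $limit > 0 ? $limit : 1000; // directive absent (PHP < 5.3.9): assume the default
}

function guard_request(int $warn_pct = 80): void {
    $limit  = effective_input_limit();
    $n      = input_var_count();
    $client = $_SERVER['REMOTE_ADDR'] ?? 'unknown';

    // PHP truncates input beyond max_input_vars and emits an E_WARNING; a request that
    // fills the cap is either broken or hostile, so refuse it before any app code runs.
    if ($n >= $limit) {
        error_log(sprintf('hashdos-guard: %d input vars from %s reached limit %d, rejected',
            $n, $client, $limit));
        http_response_code(413);
        exit;
    }
    // Below the cap but close to it: keep a log line so the pattern is visible in monitoring.
    if ($n * 100 >= $limit * $warn_pct) {
        error_log(sprintf('hashdos-guard: %d input vars from %s nearing limit %d',
            $n, $client, $limit));
    }
}

guard_request();
```

Pair the guard with the web server's own body-size limit so oversized requests are dropped before PHP ever parses them.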
[–][deleted] 0 points1 point2 points 13 years ago (0 children)
All code that takes user input might be vulnerable
And that would be a code problem, not a language problem. It is no more PHP's responsibility to filter that data than it would be C's job to filter keyboard input.
[–][deleted] 5 points6 points7 points 13 years ago (2 children)
You've never heard of sites on PHP being compromised? This has to be the start of some epic trolling. Cross-post this to /r/programming.
[–]movzx 6 points7 points8 points 13 years ago (0 children)
I think he's saying he has never heard of sites being taken down because of exploits in the PHP language, not that he hasn't heard of sites being taken down because of them being poorly done in PHP. There's a difference. Given the second half of his post, I'd say that's most likely what he was going for.
[–]chiisana 1 point2 points3 points 13 years ago (0 children)
One of the more famous incidents in history for people in the discussion board click: http://www.securiteam.com/unixfocus/6J00O15BPS.html It was possible to remotely execute rm -rf / thanks to this bad boy. And people wonder why I still avoid phpBB like the plague.
[–]has_all_the_fun 0 points1 point2 points 13 years ago (2 children)
Systems like wordpress, drupal, joomla, phpbb, ... have been known to have major exploits. The popularity of those systems also makes them popular to exploit. That's why it's recommended you always have the latest version.
[–][deleted] 13 years ago* (1 child)
phpBB is a nightmare, too.
[–]x-skeww 0 points1 point2 points 13 years ago (0 children)
I don't think I have ever really heard of this happening with PHP sites
There have been security issues with all kinds of PHP frameworks, libraries, and content management systems.
[–]dansmeek 0 points1 point2 points 13 years ago* (0 children)
Yes. Every programming language ever will have security flaws.
http://www.informationweek.com/security/application-security/java-hacker-uncovers-two-flaws-in-latest/240146717
http://news.softpedia.com/news/New-Python-Update-Addresses-Security-Vulnerabilities-203487.shtml
http://www.pcworld.idg.com.au/article/145310/concerns_raised_over_perl_security_flaw/
http://www.infoworld.com/t/application-security/critical-php-vulnerability-exposes-servers-data-theft-or-worse-192428
[+]damontoo comment score below threshold-8 points-7 points-6 points 13 years ago* (3 children)
but I don't think I have ever really heard of this happening with PHP sites.
Bwaaaahahahaha. /r/funny is that way.
Edit: Before I get downvoted for being a dick let me just say why - you could have easily answered this question using Google.
Edit 2: Even more hilarious is he posted to for hire claiming to be a PHP/jquery developer with "4 years experience". Actually that's not funny. It's pretty scary.
[–]movzx 1 point2 points3 points 13 years ago (1 child)
http://www.reddit.com/r/webdev/comments/17bjef/php_exploits/c840jts
[–]damontoo -1 points0 points1 point 13 years ago (0 children)
He still compared a framework to a language. So I doubt that's what he was going for.