PHP: The Security Underperformer?

PHP logo

Marc Wickenden


Director @4ARMED

Cyber Security services

About 15 years in IT

Started out as Unix Sysadmin

Love coding but am not a developer

Picture of Marc

So, what's the problem?

Woah there cowboy! Critical?

Trivial, unintended access to data or the underlying system

Straw poll

Wanna see some examples?

            // $_GET['id'] is concatenated straight into the SQL string, so a value
            // such as "1 OR 1=1" rewrites the query: classic SQL injection.
            if (isset($_GET['id'])) {
              $sql = "SELECT users.* FROM users WHERE id = " . $_GET['id'];
            } else {
              die("No id specified");
            }
            $result = mysqli_query($db, $sql);

Demo Time

            // controllers/productPost.php
            function getProducts(){
                // "productid|action" arrives in a single POST field and is split
                // without validating either part
                $allData = explode("|",$_POST['qstring']);
                $productid = $allData[0];
                $qaction = $allData[1];

                $resultarray = $this->product_model->listAgainstProduct($productid,$qaction);
            }

            // models/product_model.php
            function listAgainstProduct($product_id='',$qaction=''){
                // $product_id is concatenated unquoted into the query: the same
                // injection as the $_GET['id'] example, one framework layer down
                $query = $this->db->query("select tbl_products.*
                where tbl_products.product_id =".$product_id." AND tbl_status.status_type_id=2
                AND tbl_status.status_type_id!=32 order by tbl_status.status_name ASC");
            }
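Both snippets above fail the same way: untrusted input is glued into the SQL string. The following is an added example, not code from the talk or the demo application: the `$_GET['id']` lookup and the `productid|action` lookup rewritten with input validation and bound parameters, with the vulnerable form kept alongside so the difference can be run. It assumes PHP with the pdo_sqlite extension; the tables, rows, the stand-in product query and the allowed action names are all constructed for the demo.

```php
<?php
// Added example (not code from the talk): the two concatenated queries from the
// slides, rewritten with validation and bound parameters, run against an in-memory
// SQLite database via PDO so it works offline. Tables and rows are constructed for
// the demo; the product query is a runnable stand-in for the slide's excerpt.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)');
    $db->exec("INSERT INTO users VALUES (1, 'alice', 0), (2, 'bob', 0), (3, 'root', 1)");
    $db->exec('CREATE TABLE tbl_products (product_id INTEGER PRIMARY KEY, name TEXT, status_type_id INTEGER)');
    $db->exec("INSERT INTO tbl_products VALUES (7, 'widget', 2), (8, 'gadget', 2), (9, 'hidden', 32)");
    return $db;
}

// The slide's pattern: the id glued into the SQL string.
function vulnerableUserLookup(PDO $db, string $id): array
{
    $sql = "SELECT users.* FROM users WHERE id = " . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: reject anything that is not the integer we expect, then bind it.
function safeUserLookup(PDO $db, string $id): array
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT users.* FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The productPost.php pattern: "productid|action" in one POST field.
// Split it, validate each part, and bind the id. The allowed action names are
// an assumption for the demo; the slide never shows what $qaction is used for.
function safeListAgainstProduct(PDO $db, string $qstring): array
{
    $parts = explode('|', $qstring, 2);
    if (count($parts) !== 2) {
        throw new InvalidArgumentException('qstring must be "productid|action"');
    }
    [$productId, $action] = $parts;
    if (!ctype_digit($productId) || !in_array($action, ['list', 'detail'], true)) {
        throw new InvalidArgumentException('bad product id or action');
    }
    $stmt = $db->prepare(
        'SELECT tbl_products.* FROM tbl_products
         WHERE tbl_products.product_id = ? AND tbl_products.status_type_id = 2'
    );
    $stmt->execute([(int) $productId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
$payload = '1 OR 1=1';   // turns "WHERE id = 1" into a condition that is true for every row

printf("vulnerable(%s): %d row(s)\n", $payload, count(vulnerableUserLookup($db, $payload)));
foreach ([$payload, '3'] as $input) {
    try {
        printf("safe(%s): %d row(s)\n", $input, count(safeUserLookup($db, $input)));
    } catch (InvalidArgumentException $e) {
        printf("safe(%s): rejected (%s)\n", $input, $e->getMessage());
    }
}
foreach (['7|list', '7 OR 1=1|list', '7|drop'] as $q) {
    try {
        printf("products(%s): %d row(s)\n", $q, count(safeListAgainstProduct($db, $q)));
    } catch (InvalidArgumentException $e) {
        printf("products(%s): rejected (%s)\n", $q, $e->getMessage());
    }
}
```

Run it with `php` on the command line: the vulnerable lookup hands back every user, including the admin row, for the `1 OR 1=1` payload, while the parameterised versions reject it before the query is built and return only the one row for a well-formed id. The validation step is deliberately separate from the binding: binding alone would already stop the injection, but `ctype_digit` also catches the malformed `productid|action` strings that the `explode()` in the controller otherwise passes through untouched.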

Is it really that common?

WTF is going on?


Designer vs Developer

So many helpful resources

Maybe I'm worrying about nothing?


But these are all free. It's the Wild West

Apparently not


Are we comparing like for like?

Not Invented Here

Frameworks are better

(from a security perspective at least)


Most common issue I see in frameworks?


What about the PHP interpreter itself?

Stefan Esser

Did it work?


  1. Large user base with big % of non-developers
  2. Lots and lots of really bad code examples out there
  3. Relatively low framework adoption
  4. Historic issues with PHP core development
  5. Legacy default settings were not secure
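Point 5 is the one that can be checked on a running box. The following is an added example, not part of the talk: a small PHP script that reports which of a handful of php.ini directives are enabled. The talk does not name any specific settings, so the choice of directives and the one-line reasons are the editor's; the script assumes nothing beyond a standard PHP CLI.

```php
<?php
// Added example (not from the talk): report php.ini directives whose legacy
// "On" defaults weakened PHP installs. Which directives to flag is the editor's
// choice. register_globals and magic_quotes_gpc were removed in PHP 5.4, so on a
// current interpreter ini_get() returns false for them and they are reported as
// absent rather than flagged.
declare(strict_types=1);

// directive => why an enabled value is a problem
const RISKY_DIRECTIVES = [
    'register_globals'  => 'request parameters become global variables',
    'magic_quotes_gpc'  => 'fake escaping that encouraged unparameterised SQL',
    'allow_url_include' => 'include()/require() can fetch and run remote code',
    'display_errors'    => 'error messages, paths and stack traces shown to the client',
    'expose_php'        => 'PHP version advertised in the X-Powered-By header',
];

// ini_get() returns the raw string from php.ini, so normalise the usual spellings of "on".
function iniEnabled($value): bool
{
    if ($value === false || $value === '') {
        return false;
    }
    return in_array(strtolower((string) $value), ['1', 'on', 'yes', 'true', 'stdout', 'stderr'], true);
}

/** @return array<string,string> directive => status line */
function auditIni(): array
{
    $report = [];
    foreach (RISKY_DIRECTIVES as $directive => $why) {
        $value = ini_get($directive);
        if ($value === false) {
            $report[$directive] = 'absent (directive does not exist in this PHP version)';
        } elseif (iniEnabled($value)) {
            $report[$directive] = 'ENABLED: ' . $why;
        } else {
            $report[$directive] = 'off';
        }
    }
    return $report;
}

foreach (auditIni() as $directive => $status) {
    printf("%-18s %s\n", $directive, $status);
}
```

Run it with the same php.ini the web server uses (`php -c /path/to/php.ini audit.php`), since the CLI ships with its own configuration and will otherwise tell you about the wrong install. Any line marked ENABLED is a default worth turning off in production; `display_errors` in particular is routinely left on from the development ini.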

What now?


It's in your hands