In response to: ‘Learning from Facebook: Preventing PHP Leakage’

by vid luther on August 12, 2007

Nik Cubrilovic has gone on a little troll and posted 4 tips on ‘Preventing PHP Leakage’. I have some more tips for him and others who think he had something valuable to say..

Make sure you’ve read AND understood the PHP INSTALL doc before you deploy a production server.

… If that’s too hard, I also recommend the following industry practices, which will only help secure your site against this unreliable and clunky language known as PHP. If you use any other language, you can ignore these tips.. since they aren’t PHP.

  1. Use firewalls : Firewalls can help prevent unauthorized access to your web servers. If you use PHP, more than likely your server will just give out the root password under high load.
  2. Enable SSH on a different port: All PHP hackers know that SSH runs on port 22, trick them all by using port 4222.. they’ll never be able to guess it. For more fun, write a script that will change the SSHD listen port randomly by the hour..
  3. TEST : There is one thing that you absolutely need to do with PHP code, and that is called testing. See, PHP code unlike any other code sometimes just doesn’t do what you want.. it does what you told it to do… unless of course you’ve tested it, and trained it. So, if you test and train the PHP (mod_knowwhatimeant), you’re guaranteed to have the code work to your liking.

All of these solutions are well kept secrets by the upper echelon of the PHP community. Rasmus, Andrei, Sara et al, use these techniques all the time, but won’t tell you this stuff unless you pay them in large sums of picture postcards, or beer.

If you feel all the work above is too much, use a different language, anything but PHP will suffice.
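An added example, not part of the original post: the one non-joke tip above is to understand your PHP install before you deploy it, and the leak being argued about in the comments is a web server sending the .php file back to the client as text instead of executing it. The script below is a smoke test for that symptom only: it flags a response body that still contains an unexecuted PHP open tag. The hostnames, paths and sample bodies are constructed for the example, and `check_url` assumes curl is installed.

```shell
#!/bin/sh
# Added example (not from the original post): a smoke test for PHP source
# leakage, i.e. a web server returning the .php file as text because nothing
# is configured to execute it. On Apache with mod_php the fix is the
# "AddType application/x-httpd-php .php" line the PHP INSTALL doc tells you
# to add; this script only detects the symptom. All hosts, paths and sample
# bodies are constructed for the example.

# Classify a response body: "leak" if it still contains a PHP open tag
# (<?php or the <?= echo tag), "ok" otherwise. A bare "<?" is ignored on
# purpose so that XML prologs do not trigger false positives.
looks_like_php_source() {
    case "$1" in
        *'<?php'*|*'<?='*) echo leak ;;
        *) echo ok ;;
    esac
}

# Fetch one URL (assumes curl) and classify it. Run only against hosts you own.
check_url() {
    body=$(curl -fsS --max-time 10 "$1") || { echo "fetch failed: $1" >&2; return 2; }
    looks_like_php_source "$body"
}

# Walk a whitespace-separated list of URLs and print one verdict per URL;
# returns 1 if any of them leaked source, 0 otherwise.
check_urls() {
    rc=0
    for u in $1; do
        verdict=$(check_url "$u") || verdict=error
        echo "$verdict $u"
        [ "$verdict" = leak ] && rc=1
    done
    return $rc
}

# Constructed sample bodies standing in for real fetches.
LEAKED_BODY='<?php
require_once "config.php";   // the DB password would be right here
echo "hello";
'
EXECUTED_BODY='hello'
XML_BODY='<?xml version="1.0"?><rss/>'

# Stand-alone demo (no network): classify the constructed bodies.
for name in LEAKED_BODY EXECUTED_BODY XML_BODY; do
    eval "b=\$$name"
    echo "$name: $(looks_like_php_source "$b")"
done

# Against a real deployment you would run something like:
#   check_urls "http://example.test/index.php http://example.test/lib/config.php"
```

Run it after every web-server or PHP upgrade, not just once: the handler mapping is exactly the kind of thing a package update or a copied-over httpd.conf silently drops, and a green result on index.php plus a leak on an included file under the document root is the case this catches.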

2 trackbacks

Null is Love » Blog Archive » Lessons from the Facebook Leak
August 14, 2007 at 11:47 am
Startup Signal - Today’s Top Blog Posts on Entrepreneurship - Powered by SocialRank
October 1, 2007 at 4:39 am

14 comments

1 Edward Z. Yang August 12, 2007 at 6:58 pm

Good tips, but they apply to all languages, not just PHP. ;-)


2 Ian August 12, 2007 at 7:13 pm

@Edward: Oh dear. Please tell me you were continuing the sarcasm of the OP. Because that’s what it was. Sarcasm.


3 Lars August 13, 2007 at 7:05 am

funny ;)

you should add some irony-tags, though.


4 Vidyut Luther August 13, 2007 at 8:51 am

I have the humor tag :)


5 Sara Golemon August 13, 2007 at 11:54 am

Your postcards just arrived so I’ll give you #4:

Disable this super-secret INI option which defaults to on… php.leakomatic.crash.crash.crash.frogs.rule

If you’re running PHP without turning off that switch, you’re just BEGGING to be rooted.


6 s0enke August 13, 2007 at 3:52 pm

This is a feature, no bug. If load goes over 10, PHP decides to serve the plain file because it’s faster ;)

But, to be serious, the main issue I see is the FUD that’s spread on the really popular platform techcrunch, and claims like the load-leakage without any proof. :(


7 Nik Cubrilovic August 14, 2007 at 9:35 pm

Hey, so that actually is pretty funny.. I am going to follow up at some point with pointers to claims I made. I have worked with PHP for a long time, you see no more or less weird stuff with that platform than you do on any other. It’s not about blaming the platform, it’s about educating the implementors.


8 Vidyut Luther August 15, 2007 at 3:08 pm

Nik,
Thanks for the comment. I’d love to see pointers to your claims. The problem I had, and I believe others had, was your claim about “PHP has always been notorious for sometimes not processing requests poorly and sending back the source code for pages to the client. ” … like you, we’ve been working with PHP on very high traffic websites, and never run across this problem.. and I personally have never heard of this being a legitimate bug. But, I look forward to your follow up.


9 Nik Cubrilovic August 16, 2007 at 7:30 pm

Hey Vidyut, even funnier is that your tips are being taken seriously:

http://www.sda-india.com/sda_india/psecom,id,22,site_layout,sdaindia,news,19835,p,0.html

I’ll be posting a follow-up tonight.


10 till August 17, 2007 at 7:29 pm

Hehe… this is funny. And I kinda feel sorry, that not so many people got your sarcasm. :D

Anyway, I had already lost confidence in the Internet when I read all those “rewarding” comments on Nik’s entry. Thanks for bringing it back!


11 Vidyut Luther August 19, 2007 at 10:34 am

Nik,
That’s just gravy .. :) . I don’t know if I should laugh or try to correct them…
Looking forward to your post.


12 s0enke September 7, 2007 at 1:40 pm

As expected there is no follow-up because he has no real proof…


13 Vidyut Luther September 7, 2007 at 4:26 pm

s0enke: He may be busy with other things.. let’s give it some more time. :) .


14 Chuck Burgess March 10, 2008 at 2:01 pm

Hmmm… he might still be reading the 3500 spam comments that article has gotten….

I think I need to stop waiting and go on home… I can’t remember what my dogs look like.

