In response to: ‘Learning from Facebook: Preventing PHP Leakage’

Author: Vidyut Luther

12 Aug

Nik Cubrilovic has gone on a little troll and posted 4 tips on ‘Preventing PHP Leakage’. I have some more tips for him and others who think he had something valuable to say..

Make sure you’ve read AND understood the PHP INSTALL doc before you deploy a production server.

… If that’s too hard, I also recommend the following industry practices, which will only help secure your site against this unreliable and clunky language known as PHP. If you use any other language, you can ignore these tips.. since they aren’t PHP.

Use firewalls : Firewalls can help prevent unauthorized access to your web servers. If you use PHP, more than likely your server will just give out the root password under high load.
Enable SSH on a different port: All PHP hackers know that SSH runs on port 22, trick them all by using port 4222.. they’ll never be able to guess it. For more fun, write a script that will change the SSHD listen port randomly by the hour..
TEST : There is thing that you absolutely need to do with PHP code, and that is called testing. See, PHP code unlike any other code sometimes just doesn’t do what you want.. it does what you told it do… unless of course you’ve tested it, and trained it. So, if you test and train the PHP (mod_knowwhatimeant), you’re guaranteed to have the code work to your liking.

All of these solutions are well kept secrets by the upper echelon of the PHP community. Rasmus, Andrei, Sara et al, use these techniques all the time, but won’t tell you this stuff unless you pay them in large sums of picture postcards, or beer.

If you feel all the work above is too much, use a different language, anything but PHP will suffice.

Filed under: humor, php, security

16 Responses for "In response to: ‘Learning from Facebook: Preventing PHP Leakage’"

Edward Z. Yang August 12th, 2007 at 6:58 pm 1
Good tips, but they apply to all languages, not just PHP.
Ian August 12th, 2007 at 7:13 pm 2
@Edward: Oh dear. Please tell me you were continuing the sarcasm of the OP. Because that’s what it was. Sarcasm.
Lars August 13th, 2007 at 7:05 am 3
funny

you should add some irony-tags, though.
Vidyut Luther August 13th, 2007 at 8:51 am 4
I have the humor tag
Sara Golemon August 13th, 2007 at 11:54 am 5
Your postcards just arrived so I’ll give you #4:

Disable this super-secret INI option which defaults to on… php.leakomatic.crash.crash.crash.frogs.rule

If you’re running PHP without turning off that switch, you’re just BEGGING to be rooted.
s0enke August 13th, 2007 at 3:52 pm 6
This is a feature, no bug. If load goes over 10, PHP decides to serve the plain file because it’s faster

But, to be serious, the main issue I see is the FUD that’s spreaded on the really popular platform techcrunch, and claims like the load-leakage without any proof.
Null is Love » Blog Archive » Lessons from the Facebook Leak August 14th, 2007 at 11:47 am 7
[...] have blasted his assertion that PHP is known to sometimes return source code…) Vidyut Luther lists three more tips that can [...]
Nik Cubrilovic August 14th, 2007 at 9:35 pm 8
hey so that actually is pretty funny.. I am going to follow up at some point with pointers to claims I made. I have worked with PHP for a long time, you see no more or less weird stuff with that platform than you do on any other. its not about blaming the platform, its about educating the implementors
Vidyut Luther August 15th, 2007 at 3:08 pm 9
Nik,
Thanks for the comment. I’d love to see pointers to your claims. The problem I had, and I believe others had, was your claim about “PHP has always been notorious for sometimes not processing requests poorly and sending back the source code for pages to the client. ” … like you, we’ve been working with PHP on very high traffic websites, and never run across this problem.. and I personally have never heard of this being a legitimate bug. But, I look forward to your follow up.
Nik Cubrilovic August 16th, 2007 at 7:30 pm 10
Hey Vidyut, even funnier is that your tips are being taken seriously:

http://www.sda-india.com/sda_india/psecom,id,22,site_layout,sdaindia,news,19835,p,0.html

ill be posting on follow up tonight
till August 17th, 2007 at 7:29 pm 11
Hehe… this is funny. And I kinda feel sorry, that not so many people got your sarcasm.

Anyway, I had already lost confidence in the Internet when I read all those “rewarding” comments on Nik’s entry. Thanks for bring it back!
Vidyut Luther August 19th, 2007 at 10:34 am 12
Nik,
That’s just gravy .. :). I don’t know if I should laugh or try to correct them…
Looking forward to your post.
s0enke September 7th, 2007 at 1:40 pm 13
As expected the is no follow-up because he has no real proves…
Vidyut Luther September 7th, 2007 at 4:26 pm 14
s0enke: He may be busy with other things.. let’s give it some more time. :).
Startup Signal - Today’s Top Blog Posts on Entrepreneurship - Powered by SocialRank October 1st, 2007 at 4:39 am 15
[...] In response to: ‘Learning from Facebook: Preventing PHP Leakage’ [...]
Chuck Burgess March 10th, 2008 at 2:01 pm 16
Hmmm… he might still be reading the 3500 spam comments that article has gotten….

I think I need to stop waiting and go on home… I can’t remember what my dogs look like.