
PHP 7 Arrives (Along with Scathing Security Report)

PHP 7 has finally arrived. It's the first major number update of the popular Web scripting language in 11 years, and it comes just before a new software security report was published that brands PHP as among the most insecure of programming languages.

PHP 7 follows PHP 5, released in 2004, because PHP 6 ran into trouble over its planned Unicode support and was shelved (you can read the details in the Wikipedia entry).

With little official fanfare, PHP 7 was made available for download on GitHub this week, with new features such as scalar type declarations, return type declarations and even a "spaceship operator," according to the project's main Web site, PHP.net.

But along with new features, PHP 7 comes with a lot of security-related baggage detailed by Veracode in its "2015 State of Software Security: Focus on Application Development" (downloadable upon registration) just released today.

"Veracode's analytics show that 86 percent of PHP-based applications contain at least one Cross-Site Scripting (XSS) vulnerability and 56 percent have at least one SQL injection (SQLi) when initially assessed by Veracode," the company said in announcing the new report. "These vulnerability trends are also seen across the wider family of Web scripting languages, where applications written in Classic ASP and ColdFusion are nearly twice as likely to contain these flaws compared to more modern languages such as .NET and Java."

[Figure: OWASP Policy Compliance by Programming Language (source: Veracode)]

The Veracode report details many security metrics in which PHP basically ranks at or near the bottom, including vulnerability categories tracked by the Open Web Application Security Project (OWASP). Among nine programming languages ranked by their OWASP policy compliance "pass rate," PHP fared better than only ColdFusion.

In discussing one such security metric, the Veracode report stated, "One particular concern related to this data point is the high prevalence of PHP-based applications, thanks to the widespread adoption of content management system (CMS) frameworks like WordPress, Drupal and Joomla. According to some estimates, 74.6 million Web sites use WordPress, and another few million use Drupal and Joomla. The combination of the statistically higher prevalence of OWASP Top 10 vulnerabilities in PHP and the wide usage of PHP-based CMSes is a recipe for some concern in the health of the wider Internet, and means that organizations seeking to use these CMSes should carefully plan their deployments."

The aforementioned security baggage was a hot topic of discussion over at Hacker News, where PHP 7 was announced yesterday. "As a person with more of an ops background, can someone explain to me why/when PHP might be a viable language?" a commenter with the handle "mrmondo" asked. "My experience with hosting PHP apps has historicity [sic] been one of fending off security issues...."

Commenter "gkwelding" replied to that: "Unfortunately PHP seems to have this reputation. It's not so much the language that is the problem but the people using it. PHP typically had such a low bar to entry that literally anyone could pick it up and do anything and everything with it. And quite frankly there were (and still are) a lot of beginner tutorials out there encouraging people to do very stupid insecure stuff. It now seems to be an image that stuck."

Another commenter called "marcosdumay" opined: "PHP is the only lasting language where making code that allows SQL injection is easier than code that forbids it." Some security problems have been addressed, the commenter said, "but PHP will never become a good language."
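To make the commenter's point concrete, here is an added example (not code from the article, Veracode or any commenter) of the same user lookup written by string concatenation and as a PDO prepared statement, plus the output-encoding step that addresses the XSS figure quoted above. The `users` table, the in-memory SQLite database and the inputs are constructed for the example; it assumes the pdo_sqlite extension is available.

```php
<?php
declare(strict_types=1);

// Concatenation: any quote in $name becomes part of the SQL text. An ordinary
// name containing an apostrophe already breaks the query, and the same path is
// what lets untrusted input change the query's meaning.
function findUserConcatenated(PDO $pdo, string $name): array
{
    $sql = "SELECT name, email FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL text is fixed and $name travels as a bound value,
// so the database only ever compares it and never parses it.
function findUserPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The XSS counterpart of the same rule: encode data at the point it is written
// into HTML, so stored values cannot become markup.
function renderUser(array $row): string
{
    $h = function (string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    };
    return '<li>' . $h($row['name']) . ' (' . $h($row['email']) . ')</li>';
}

// Constructed in-memory database so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users VALUES ('alice', 'alice@example.com'), ('O''Brien', 'ob@example.com')");

$input = "O'Brien";   // constructed input: a legitimate name containing a quote
try {
    findUserConcatenated($pdo, $input);
} catch (PDOException $e) {
    // The concatenated query is rejected by SQLite as malformed SQL.
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}
foreach (findUserPrepared($pdo, $input) as $row) {
    // The prepared statement finds the row, and the apostrophe is encoded on output.
    echo renderUser($row), "\n";
}
```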

That assessment is likely at odds with Zend Technologies Ltd., a PHP specialist that previewed "5 Things You Must Know about PHP 7." One of those things is the spaceship operator. "PHP 7 will introduce a new operator <=> conveniently similar to a TIE fighter and dubbed the Spaceship Operator," Zend said in an infographic. "It can be used for combined comparisons -- mostly when dealing with sorting."

Other things about PHP 7 that Zend thinks you should know concern performance. Zend said its own technology was merged into PHP 7, making it 2x faster than PHP 5.6. "PHP 7 is based on the PHPNG project (PHP Next-Gen), that was led by Zend to speed up PHP applications," the company said. "The performance gains realized from PHP 7 are huge! They vary between 25 percent and 70 percent on real-world apps, and all of that just from upgrading PHP, without having to change a single line of code!"

PHP.net noted that the new Zend engine also provides other features such as:

  • Consistent 64-bit support.
  • Many fatal errors are now Exceptions.
  • Removal of old and unsupported SAPIs and extensions.
  • The null coalescing operator (??).
  • Return Type Declarations.
  • Scalar Type Declarations.
  • Anonymous Classes.
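The features in that list, applied together in one added example (not code from PHP.net, Zend or the article); `$request` is a constructed array standing in for `$_GET`, and `pageSize` and the findings array are hypothetical:

```php
<?php
declare(strict_types=1);   // scalar type declarations are enforced, not coerced, in this file

// Scalar type declarations on the parameters and a return type declaration.
function pageSize(int $requested, int $max): int
{
    return min(max($requested, 1), $max);
}

// Null coalescing: use the parameter when present, otherwise a default, with no notice.
$request = ['page' => '3'];               // constructed input; "size" is deliberately absent
$size = (int) ($request['size'] ?? 20);
$page = (int) ($request['page'] ?? 1);
echo "page $page, size ", pageSize($size, 100), "\n";

// Many fatal errors are now thrown: passing a string where int is declared raises
// a TypeError that can be caught instead of terminating the script.
try {
    pageSize($request['page'], 100);      // string passed under strict_types
} catch (TypeError $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// Spaceship operator: three-way comparison, here sorting findings by
// severity (descending) and then name (ascending) in one expression.
$findings = [
    ['name' => 'xss-in-search', 'severity' => 3],
    ['name' => 'sqli-in-login', 'severity' => 5],
    ['name' => 'missing-csrf',  'severity' => 3],
];
usort($findings, function (array $a, array $b): int {
    return [$b['severity'], $a['name']] <=> [$a['severity'], $b['name']];
});
foreach ($findings as $f) {
    echo $f['severity'], ' ', $f['name'], "\n";
}

// Anonymous class: a one-off object without a named class declaration.
$formatter = new class {
    public function line(array $f): string
    {
        return sprintf('[sev %d] %s', $f['severity'], $f['name']);
    }
};
echo $formatter->line($findings[0]), "\n";
```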

You can grab PHP 7 now from the PHP.net download page.

About the Author

David Ramel is an editor and writer for Converge360.