178: Writing secure PHP - meet Chris Cornutt

PHP security expert and member of the Global Cybersecurity Group at Hewlett Packard, Chris Cornutt and I had the chance to meet in person at PHP World 2014, in Washington, D.C. We compared notes on the "PHP Renaissance", looking over other projects' shoulders, sharing code, and PHP security basics.

PHP: easy, useful, friendly ... a little dangerous

Chris says PHP's ease of use ("It's really easy to get everything set up and running. You don't have to compile it; it's nice. It's refreshing to work with after working with some other languages.") and its friendly, welcoming community have played a big part in his staying with it all these years, but that his favorite thing about the language itself is its flexibility. "Which, unfortunately, sometimes is its downfall ... It's really easy to do really bad things with PHP."

I suspect all of the above feeds Chris's interest in PHP applications security, which has been his focus for the last few years. He describes reading Chris Shiflett's 2005 book, Essential PHP Security, from cover to cover and laments that, "unfortunately, a lot of that stuff is still relevant today ... A couple of years ago I decided that was where I wanted to go. That was the niche I wanted to fill. I write articles, I speak at conferences [he also writes books]. It's been very enlightening at times about all the stuff that is out there ... and all the problems. But I try to do my best to educate people and write the most secure code I can."

PHP's interoperable future

I proposed that Drupal 8 is setting a good example of what the future of PHP looks like: embracing best-of-breed solutions, wherever they may come from and concentrating on its specialties. Chris agrees, "It's really good. Composer is still a relatively recent thing, but to see the [Drupal] project latch on to that and say, 'This right here is where the future of PHP is going. We need to integrate this or we're going to be obsolete and stay in our own, little silo forever.' It's good to see."

"I hope this keeps going. It's good to see various kinds of packages coming up on the PHP side as the standardized [solution] for certain things. I hope to see Drupal and maybe even Wordpress come in and say, 'This is good. We need to reuse this.'" Bojan Živanović, Drupal Commerce 2.x co-maintainer, is setting a great example of this thinking. He has released a number of commerce-relevant PHP libraries for use in Drupal Commerce 2 and any other PHP projects that want to take advantage of them.

Secure PHP in four words

I challenged Chris to tell me how to write secure PHP in one sentence. He gave me just four words as an answer: "Filter input, escape output ... That's the biggest things right there." Chris wanted me to be clear on a little more than this, though. "There are some language specific things. Filter input escape output works for any language, not just PHP, but the way that you do that, the implementation of that is more specific to the language itself."

PHP security resources

Here are some resources to learn more about PHP application security:

• OWASP.org, an online community dedicated to web application security.
• OWASP draft PHP security cheat sheet
• PHPSecurity.org, the companion website to Chris Shiflett's book, Essential PHP Security
• Securing PHP, Core Concepts by Chris Cornutt
• Securing PHP: The Usual Suspects by Chris Cornutt
• The Securing PHP Project
• Securing PHP Twitter account: SecuringPHP

Guest dossier

• Name: Chris Cornutt
• Twitter: @enygma
• Website: http://phpdeveloper.org/
• Blog: http://blog.phpdeveloper.org/
• Work affiliation: Hewlett Packard Global Cycbersecurity Group
• A selection of projects: Co-creator of Joind.in, creator and maintainer of phpdeveloper.org, co-organizer of the Dallas-based Lone Star PHP Conference, check Chris's roughly 40+ repos on GitHub, too!
• GitHub: enygma
• PHP security books: Securing PHP, Core Concepts and Securing PHP: The Usual Suspects
• LinkedIn profile

Interview video