178: Writing secure PHP - meet Chris Cornutt

PHP security expert and member of the Global Cybersecurity Group at Hewlett Packard, Chris Cornutt and I had the chance to meet in person at PHP World 2014, in Washington, D.C. We compared notes on the "PHP Renaissance", looking over other projects' shoulders, sharing code, and PHP security basics.

PHP: easy, useful, friendly ... a little dangerous

Chris says PHP's ease of use ("It's really easy to get everything set up and running. You don't have to compile it; it's nice. It's refreshing to work with after working with some other languages.") and its friendly, welcoming community have played a big part in his staying with it all these years, but that his favorite thing about the language itself is its flexibility. "Which, unfortunately, sometimes is its downfall ... It's really easy to do really bad things with PHP."

I suspect all of the above feeds Chris's interest in PHP applications security, which has been his focus for the last few years. He describes reading Chris Shiflett's 2005 book, Essential PHP Security, from cover to cover and laments that, "unfortunately, a lot of that stuff is still relevant today ... A couple of years ago I decided that was where I wanted to go. That was the niche I wanted to fill. I write articles, I speak at conferences [he also writes books]. It's been very enlightening at times about all the stuff that is out there ... and all the problems. But I try to do my best to educate people and write the most secure code I can."

PHP's interoperable future

I proposed that Drupal 8 is setting a good example of what the future of PHP looks like: embracing best-of-breed solutions, wherever they may come from and concentrating on its specialties. Chris agrees, "It's really good. Composer is still a relatively recent thing, but to see the [Drupal] project latch on to that and say, 'This right here is where the future of PHP is going. We need to integrate this or we're going to be obsolete and stay in our own, little silo forever.' It's good to see."

"I hope this keeps going. It's good to see various kinds of packages coming up on the PHP side as the standardized [solution] for certain things. I hope to see Drupal and maybe even WordPress come in and say, 'This is good. We need to reuse this.'" Bojan Živanović, Drupal Commerce 2.x co-maintainer, is setting a great example of this thinking. He has released a number of commerce-relevant PHP libraries for use in Drupal Commerce 2 and any other PHP projects that want to take advantage of them.

Secure PHP in four words

I challenged Chris to tell me how to write secure PHP in one sentence. He gave me just four words as an answer: "Filter input, escape output ... Those are the biggest things right there." Chris wanted me to be clear on a little more than this, though. "There are some language-specific things. 'Filter input, escape output' works for any language, not just PHP, but the way that you do that, the implementation of that, is more specific to the language itself."
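To make "filter input, escape output" concrete in PHP terms, here is an added example (my own, not code from the interview or from Chris Cornutt) of a small search page written twice: once with request values dropped straight into SQL and HTML, and once with the input validated on the way in, bound as data in a prepared statement, and escaped for the HTML context on the way out. The `articles` table, its rows, the helper names (`make_db`, `search_vulnerable`, `search_hardened`, `e`) and the simulated `$_GET` arrays are all assumptions constructed for the example; it needs PHP 7.4+ with the pdo_sqlite and mbstring extensions and runs from the CLI without any server.

```php
<?php
// Added example (not from the interview or Chris Cornutt's code):
// "filter input, escape output" applied to a small PHP search page.
// Assumes PHP 7.4+ with pdo_sqlite and mbstring. The table, its rows and
// the simulated $_GET arrays below are constructed so the script runs
// offline:  php fieo.php
declare(strict_types=1);

// Constructed fixture: an in-memory SQLite database standing in for the app's DB.
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side parameters, not client-side quoting
    ]);
    $db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, secret INTEGER)');
    $db->exec("INSERT INTO articles (title, secret) VALUES
               ('Composer basics', 0), ('PSR-4 autoloading', 0), ('Internal roadmap', 1)");
    return $db;
}

// --- Before: raw request values go straight into SQL and HTML (deliberately vulnerable) ---
function search_vulnerable(PDO $db, array $get): string
{
    $term = $get['q'] ?? '';
    // Concatenated SQL: a term such as  ' OR 1=1 --  turns the WHERE clause into "match everything",
    // so the secret row comes back too.
    $sql  = "SELECT title FROM articles WHERE secret = 0 AND title LIKE '%$term%'";
    // Unescaped interpolation into markup: a term containing <script> is reflected as live HTML.
    $html = "<h2>Results for $term</h2><ul>";
    foreach ($db->query($sql) as $row) {
        $html .= "<li>{$row['title']}</li>";
    }
    return $html . '</ul>';
}

// --- After: filter on the way in, bind in SQL, escape on the way out ---
function search_hardened(PDO $db, array $get): string
{
    // Filter input: check type, encoding and size, and reject what does not fit instead of
    // trying to "clean" it. In a real handler filter_input(INPUT_GET, ...) reads $_GET directly;
    // filter_var over an array is used here so the function can be driven with constructed input.
    // Where the field has a known shape, prefer a tighter allow-list (e.g. a /^[\p{L}\p{N} -]+$/u regex).
    $term = $get['q'] ?? '';
    if (!is_string($term) || !mb_check_encoding($term, 'UTF-8') || mb_strlen($term, 'UTF-8') > 50) {
        throw new InvalidArgumentException('q must be UTF-8 text of at most 50 characters');
    }
    $page = filter_var($get['page'] ?? '1', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    if ($page === false) {
        throw new InvalidArgumentException('page must be an integer between 1 and 1000');
    }

    // Prepared statement: the term travels as a bound value, never as SQL text. Binding does not
    // neutralise LIKE wildcards, so % and _ are escaped for correct matching (a correctness point,
    // not the injection defence).
    $like = '%' . strtr($term, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
    $stmt = $db->prepare("SELECT title FROM articles
                          WHERE secret = 0 AND title LIKE :like ESCAPE '\\'
                          LIMIT 10 OFFSET :offset");
    $stmt->bindValue(':like', $like, PDO::PARAM_STR);
    $stmt->bindValue(':offset', ($page - 1) * 10, PDO::PARAM_INT);
    $stmt->execute();

    // Escape output for the HTML body context. Attribute, JavaScript and URL contexts each need
    // their own encoder; htmlspecialchars alone is not enough there.
    $html = '<h2>Results for ' . e($term) . '</h2><ul>';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $html .= '<li>' . e($row['title']) . '</li>';   // data from the DB is escaped too
    }
    return $html . '</ul>';
}

// HTML-body escaper: quotes included, invalid byte sequences substituted, charset pinned.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed request that carries both an SQL and an HTML payload.
$db     = make_db();
$attack = ['q' => "' OR 1=1 --<script>alert(1)</script>", 'page' => '1'];

echo "vulnerable:\n", search_vulnerable($db, $attack), "\n\n";
echo "hardened:\n",   search_hardened($db, $attack), "\n\n";
echo "normal query:\n", search_hardened($db, ['q' => 'PSR', 'page' => '1']), "\n\n";

try {
    search_hardened($db, ['q' => 'PSR', 'page' => '-3']);
} catch (InvalidArgumentException $ex) {
    echo "rejected: ", $ex->getMessage(), "\n";
}
```

Run it and compare the two renderings of the same request: the vulnerable version lists the `secret = 1` row and reflects the `<script>` tag verbatim, while the hardened version returns no matches and shows the payload as inert text. The three layers are independent on purpose: the input check bounds what reaches the query, the bound parameter keeps the term out of the SQL grammar whatever it contains, and the output encoder protects the page even when the data came from the database rather than the request.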

PHP security resources

Here are some resources to learn more about PHP application security:

Guest dossier

Also in the Future of PHP series

  1. Future of PHP series landing page
  2. Perspectives on the future of PHP – "The Future of PHP" series intro, Jeffrey A. "jam" McGuire
  3. The future of PHP ... at a distance – Lukas Kahwe Smith
  4. Composer – Dependency Management in PHP – Lorna Mitchell
  5. The Future of PHP is Shared Power Tools – Ryan Weaver
  6. PHP is getting Faster – Richard Miller
  7. PSR-What? Shared Standards for a Bright Future – Lorna Mitchell
  8. Voices of the ElePHPant / Acquia Podcast Ultimate Showdown Part 1 & Part 2 - Acquia Podcast audio/video with Cal Evans and Jeffrey A. "jam" McGuire
  9. PHP: Under the Hood, Running the Web - Michelangelo van Dam
  10. A Symfony Shop Embraces Drupal 8 & Gets Down to Business - Acquia Podcast audio/video interview with Chris Jolly
  11. Building Bridges, Linking Islands - Larry Garfield
  12. Drupal & PHP: Linking Islands, the podcast – Part 1 & Part 2 - Acquia Podcast audio/video interview with Larry Garfield
  13. PHP: Getting the job done, really easily – Acquia Podcast audio/video interview with Stephan Hochdörfer
  14. Get more done, better & faster – together. – Acquia Podcast audio/video interview with Dustin Whittle
  15. New Wave PHP – Audio/video interview and conference session presentation with Lorna Jane Mitchell
  16. Writing secure PHP: "F.I.E.O." and more – Acquia Podcast audio/video interview with Chris Cornutt
  17. PHP: The entire world is your development team – Beth Tucker Long – Acquia Podcast audio/video interview