People who say “PHP is insecure” are uninformed

I hear a lot of folks parrot the opinion that PHP is somehow less secure than other languages. This simply isn't true. Here's why.

Almost daily, I see someone making a crack at PHP, implying that apps written in PHP are somehow less secure than other languages.

Here’s the thing: they’re not.

Where does the idea stem from?

I have a few theories about why people think PHP is less secure than other languages. I’m going to address all of them.

People’s perception of PHP is outdated by 15+ years

Back in the early days of PHP, it was one of the few options for web-based languages, and probably the best. This was also an age where security was more of an afterthought, so vulnerabilities were everywhere. This wasn’t specific to PHP; rather, it was a general lack of awareness regarding security in that era.

Many older security professionals began their careers by finding vulnerabilities in websites during the 90s and early 00s, back when PHP powered pretty much everything. Now when they see PHP it just feels vulnerable because they’re equating PHP with the vulnerability of 15+ year old web applications.

You see, PHP has stood the test of time, and it still powers most of the internet today. You can’t say the same about ASP, JSP, ColdFusion or Perl, which were the other popular web languages that were available 20 years ago. We have to give a shoutout to ASP though, which has been modernised with C#, .NET, ASP.NET.

You don’t notice it’s PHP unless you see a .php extension

In the early days of web applications we would split PHP code into different files and access those files directly. For example if you wanted to visit the “about” page of a website, it would probably be located at /about.php. The user would navigate to example.com/about.php, which would execute the about.php file on the server-side and return the result.

Modern applications are much more likely to use application-level routing to forward requests to the right section of code within their application. When we use routing in this way, there is no need to have .php extensions visible in the URL, so we omit them.

The vast majority of modern PHP applications don’t show .php extensions in the URL. For this reason, you’re unlikely to notice that an application runs on PHP unless it’s a really old application. In this case, once again, the application is more likely to be vulnerable because it’s old, not because it uses PHP. The same goes for a .asp extension, for example.

Examples of vulnerable code are often written in PHP

If you’ve ever done any appsec training, there’s a very good chance that you’ve seen PHP being used to demonstrate vulnerable code. For example, how many times have you seen this XSS demo?

<?php echo "Hello " . $_GET['name'] . "!"; ?>

The truth is, PHP is often chosen as a language to demonstrate vulnerabilities simply because PHP was the language where most of these vulnerabilities were first discovered – not because PHP is somehow more vulnerable, but because PHP was one of the few server-side web languages that existed back then.

Just by training security professionals with vulnerable code snippets in PHP, we have inadvertently trained them to feel that PHP is somehow less secure.

People compare raw PHP with full web frameworks

For some reason, when people argue that PHP is less secure, they often compare raw PHP with a web framework in another language, rather than comparing the two raw languages against each other (e.g. PHP vs. JS). For example, I have seen people comparing raw PHP with Next.js.

This makes absolutely no sense.

In fact, the closest equivalent to Next.js in the PHP world is probably Laravel, and anyone who has used Laravel knows that it is amazing, modern and just as secure as any other popular framework in any language.

PHP is very easy for beginners

Creating a web application with PHP can be as easy as writing a PHP file in notepad.exe and uploading it to a web server. There’s very little prerequisite knowledge required. This is very encouraging for beginner coders, but beginner coders are the ones most likely to write insecure code! As a result, there’s a lot of bad PHP code out there.

I also think that many developers who are experienced today probably started their web development journey with PHP. The code that they wrote when they started was likely filled with vulnerabilities because they weren’t experienced developers yet. Rather than blame their own inexperience, they blame the language they used. “A poor worker blames his tools”, as they say.

Is this PHP’s fault? No! In fact, I’d say that being beginner-friendly is probably a net positive. Important production code is rarely written by beginners.

People don’t know about Laravel

It still blows me away how many cybersecurity folks have never heard of Laravel. Or any PHP frameworks for that matter. They hear “PHP” and assume that people are just writing raw PHP.

I consider Laravel to be one of the most robust, modern, developer-friendly frameworks out there today. It even has a healthy ecosystem of pre-made starter kits, testing suites, managed hosting solutions, local dev environments, admin dashboards, auth flows, debugging interfaces and much more.

Modern frameworks like Laravel attempt to shield developers from writing vulnerable code by using secure defaults. For example, the Blade templating engine in PHP will HTML encode variable output by default, thwarting XSS vulnerabilities unless the developer explicitly disables it.

People are ignorant/uninformed

More than anything, when I hear someone imply in 2023 that PHP is somehow more insecure than other languages, it tells me that they are simply ignorant or uninformed. They’re parroting an inaccurate opinion that has somehow stuck around for decades.

If you’re still sure that PHP is an “inherently insecure” language, then I’d encourage you to try finding 0days in some long-standing popular PHP apps like WordPress or phpBB. Good luck!