PHP Security Tip #16
Keep Your Framework Up to Date
I have posted it before as comment, but since I believe that this is a very important issue, it might be worth a ‘security tip’ of its own:
Make sure any framework you are using is updated regularly.
This is especially important if you are working on a ‘one-shot’ client project. It is important to think about who is going to maintain the site if (or rather: when) a security patch is issued for any of the 3rd party files.
Usually, these sites are placed on a shared hosting site, and that means the provider is responsible for keeping PHP, database system, web server, etc. up to date – but they will probably not maintain the frameworks you have installed.
Using frameworks is generally a good idea – not only because they take a lot of the work away from you, but also because any potential security issue will (usually) quickly be dealt with.
On the other side, this means that security issues in these frameworks are very well documented – and it is all to easy for a malicious hacker to search for old versions of the framework in use, and exploit these problems.
I have seen many, many sites which are still using extremely old and outdated files – simply because there is nobody there to update it. And I’m talking about old PEAR installs (with known issues with the ‘Mail’ component) and worse!
Even if it’s not you who has to pay the bill for excess server traffic – it might be your mailbox that receives some of the spam sent from this server!
Comments
I often wonder what the benefits are, I frequent various forums and 9 out of 10 queries for help will be using an implementation of a framework and they have a problem that they cannot solve.
I do not see any benefit in using them, it is nothing more than an interpreter layer between the program code and PHP, if you forgot about it and went straight to the core language PHP, you eliminate the biggest part of your programming nightmares and problems.
You have to rely on the programming skills of others and that they have not left any security issues lurking in wait to be exploited or any bugs in the code that you use.
The people that ask questions in the forums all tackle it from the aspect of a PHP problem without realising that its the framework that is posing the problems.
In my book code directly in the native language which will run faster, consume less resources, be less prone to runtime issues and you don't have to constantly bog yourself down with keeping up to date with updates, installing updates and then correcting or rewriting scripts constantly to correct for mistakes, at least with PHP you know instantly if you have made any mistakes and can easily track them down in your scripts.
I for one am not a fan of these frameworks, each to their own I suppose.