by liberia 1388 days ago
It's hard to code secure PHP. When starting, I was like: 'So I can just pass a query parameter with <script>alert(1)</script> and do trivial XSS on random sites if I wanted to?' Smart PHP coders always sanitize, but for PHP newbies, it's easy to introduce some vulnerabilities if you don't do defensive coding practices.

There are things like directory traversal attacks too (putting ../../ in requests, etc.) which you have to prevent. PHP doesn't do it for you; you have to be very defensive with it. Which is why I use PHP sparingly and use Python and Perl more. Those languages even still have potential vulns, but not nearly as bad as the ones you can introduce in PHP IMHO.
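An added example, not from this thread or any commenter, showing the two defects the comment names (unescaped query parameter reflected into HTML, and a user-supplied file name joined onto a directory) as a vulnerable function beside a hardened one; the inputs and the temporary directory are constructed for the demo.

```php
<?php
// Added example: vulnerable vs. hardened handling of the two inputs
// mentioned above. Runs from the CLI; no web server required.

// --- 1. Reflected XSS: query parameter echoed into HTML ---

// Vulnerable: whatever arrives in ?q= is emitted verbatim into the page.
function renderSearchVulnerable(string $q): string {
    return "<p>Results for: $q</p>";
}

// Hardened: escape at the HTML output boundary. ENT_QUOTES also escapes
// quotes (safe inside attributes); ENT_SUBSTITUTE prevents an empty result
// on invalid UTF-8, which would otherwise silently drop the value.
function renderSearchSafe(string $q): string {
    $escaped = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Results for: $escaped</p>";
}

// --- 2. Directory traversal: user-controlled name under a fixed root ---

// Vulnerable: the name is concatenated straight onto the root, so "../"
// segments walk out of it.
function downloadPathVulnerable(string $root, string $name): string {
    return $root . '/' . $name;
}

// Hardened: canonicalise both paths with realpath() and require that the
// target still lies inside the root. Returns null when it does not (or the
// file does not exist), so the caller answers 404 instead of serving it.
function downloadPathSafe(string $root, string $name): ?string {
    $rootReal = realpath($root);
    $target   = realpath($root . '/' . $name);
    if ($rootReal === false || $target === false) {
        return null;
    }
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// --- Demo with constructed inputs (the payload is the one from the comment) ---
$payload = '<script>alert(1)</script>';
echo renderSearchVulnerable($payload), "\n"; // script tag reaches the browser
echo renderSearchSafe($payload), "\n";       // &lt;script&gt;... is inert text

$root = sys_get_temp_dir() . '/demo_files';          // constructed root
@mkdir($root);
file_put_contents("$root/report.txt", "ok");
file_put_contents(sys_get_temp_dir() . '/demo_outside.txt', "secret");
var_dump(downloadPathSafe($root, 'report.txt'));         // string: inside root
var_dump(downloadPathSafe($root, '../demo_outside.txt')); // NULL: rejected
```

The traversal check compares canonical paths rather than stripping "../" from the input, so encoded or repeated dot segments that resolve outside the root are rejected the same way.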

2 comments

None of these are true of modern PHP, which is fairly old by now. It’s possible to write bad and insecure code in PHP, but that’s true of every web-oriented language and framework.

PHP in production runs behind Apache or Nginx, so directory traversal and similar attacks should get stopped there. In 20 years of working on PHP code I have never seen this particular vulnerability, though I can imagine how it might happen.

PHP has a bad reputation mainly because inexperienced programmers and even non-programmers choose it as the path of least resistance. Python code suffers from the same problem, though Python is not nearly as popular for developing web sites as PHP.

Both of those problems sound language-agnostic. Wouldn't Python/Perl enable the same vulnerabilities if unsanitized inputs are provided?