In 2019, 11% of all vulnerabilities listed by the National Vulnerability Database were connected with PHP; historically, about 30% of all vulnerabilities listed in this database since 1996 are connected with PHP. Technical security flaws in the language itself or in its core libraries are not frequent (22 in 2009, about 1% of the total, although PHP accounts for about 20% of the programs listed). Recognizing that programmers make mistakes, some languages include taint checking to automatically detect the lack of input validation that causes many of these issues. Such a feature has been developed for PHP, but its inclusion in a release has been rejected several times in the past.
There are advanced protection patches such as Suhosin and Hardening-Patch, especially designed for web hosting environments.
Historically, old versions of PHP had some configuration parameters and default values for runtime settings that made some PHP applications vulnerable to security issues. Among these, the magic_quotes_gpc and register_globals configuration directives were the best known; the latter made any URL parameters become PHP variables, opening a path for serious security vulnerabilities by allowing an attacker to set the value of any uninitialized global variable and interfere with the execution of a PHP script. Support for the "magic quotes" and "register globals" settings was deprecated as of PHP 5.3.0 and removed in PHP 5.4.0.
Another example of a potential runtime-settings vulnerability comes from failing to disable PHP execution (for example by using the engine configuration directive) for the directory where uploaded files are stored; leaving it enabled can result in the execution of malicious code embedded within the uploaded files. The best practice is either to locate the image directory outside the document root available to the web server and serve it via an intermediary script, or to disable PHP execution for the directory that stores the uploaded files.
Also, enabling the dynamic loading of PHP extensions (via the enable_dl configuration directive) in a shared environment can lead to security issues.
Implicit type conversions that cause different values to be treated as equal, sometimes against the programmer's intent, can lead to security issues. For example, the result of the comparison '0e1234' == '0' is true, because strings that are parseable as numbers are converted to numbers; in this case, the first compared value is treated as scientific notation with the value 0 × 10^1234, which is zero. Errors like this resulted in authentication vulnerabilities in Simple Machines Forum, Typo3 and phpBB when MD5 password hashes were compared. The recommended approach is to use hash_equals() (which also protects against timing attacks), strcmp, or the identity operator (===), since '0e1234' === '0' evaluates to false.
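The comparison described above, as an added example that is not part of the original article: a loose hash check beside its hardened form. The stored hash values and the function names are constructed for illustration; MD5 is used only because the vulnerabilities discussed involved MD5 hashes.

```php
<?php
// Added example (not from the original article): why '==' must not be used
// to compare hash strings in PHP, and what to use instead.

// Constructed values: a stored hash string of the form <digits>e<digits> and a
// submitted value of the same shape. Both are "numeric strings" to PHP.
$storedHash = '0e1234';
$submitted  = '0';

// Loose comparison: because both operands are numeric strings, PHP compares
// them as numbers. '0e1234' is read as 0 x 10^1234, which is zero, so the
// comparison succeeds even though the strings differ.
$looseMatch = ($storedHash == $submitted);

// Identity operator: compares type and exact string content, no conversion.
$strictMatch = ($storedHash === $submitted);

// hash_equals(): byte-wise comparison in constant time (PHP >= 5.6); this is
// the recommended choice for secrets because it also resists timing attacks.
$safeMatch = hash_equals($storedHash, $submitted);

// Vulnerable pattern (constructed name): type juggling applies to '=='.
function checkPasswordLoose(string $storedHash, string $password): bool
{
    return md5($password) == $storedHash;
}

// Hardened pattern (constructed name): exact, constant-time comparison.
function checkPasswordStrict(string $storedHash, string $password): bool
{
    return hash_equals($storedHash, md5($password));
}

var_dump($looseMatch, $strictMatch, $safeMatch);
```

Running the script shows that only the loose comparison reports a match; the strict and constant-time checks reject the mismatched strings.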
In a 2013 analysis of over 170,000 website defacements, published by Zone-H, the most frequently used technique (53%) was exploitation of file inclusion vulnerabilities, mostly associated with insecure use of the PHP functions include and require and the allow_url_fopen setting.