Can someone explain to me briefly the dangers of using PHP to host an online dictionary or glossary?
Thread poster: Michael Beijer
United Kingdom, Member (2009), Dutch to English
Nov 28, 2010

Question: Can someone explain to me briefly the dangers of using PHP to host an online dictionary or glossary?

There are a few open source projects that use PHP, but I know that PHP is known to be unsafe.

e.g.,

Glossword: http://sourceforge.net/projects/glossword/
Open Translation Engine: http://sourceforge.net/projects/ote/

How exactly is it unsafe, and what exactly can happen if you use it anyway? That is, what are the exact dangers? Can your data be: deleted (I don't mind), copied (I don't mind). Can a hacker damage your host server/provider (I do mind)? Etc.

The reason I'm asking this is I want to use a ready-made solution because I simply don't have the time or the skills to code something myself, but I would prefer it to be: cheap (open source), and safe. Or at least as safe as possible.

Michael

[Edited at 2010-11-28 22:26 GMT]


 
TvNellen (X)
TvNellen (X)
United States
Local time: 09:58
English to Dutch
+ ...
It can't be that bad Nov 28, 2010

(...) Most of these PHP-related vulnerabilities can be exploited remotely: they allow attackers to steal or destroy data from data sources linked to the webserver (such as an SQL database), send spam or contribute to DoS attacks using malware, which itself can be installed on the vulnerable servers.

These vulnerabilities are caused mostly by not following best practice programming rules (...)

(Wikipedia)

PHP is widely used (synoniemen.net, nederlandsewoorden.nl, to name a few sites I use), so I don't think you should worry too much about it.


 
Stanislaw Czech, MCIL CL
Stanislaw Czech, MCIL CL  Identity Verified
United Kingdom
Local time: 15:58
Member (2006)
English to Polish
+ ...
SITE LOCALIZER
I've never heard of any dangers Nov 28, 2010

If you want to host a glossary online you will need a database, and the pages displaying translations (on the basis of entries in this database) will have to be generated dynamically, as opposed to static HTML files.

I believe that using PHP is one of the safest ways of achieving it.

Cheers
Stanislaw


 
Madeleine MacRae Klintebo
Madeleine MacRae Klintebo  Identity Verified
United Kingdom
Local time: 15:58
Swedish to English
+ ...
Thoughts from an amateur Nov 28, 2010

I think potential danger could come from using a form or similar. Unless the form has restrictions on which kind of data can be entered, you might find that your site is vulnerable to malicious code injection.

I never found the time to finish the PHP module in the web design course I studied recently, but I seem to remember that this was partly covered when we studied JavaScript.

This is what some who know more than me have to say:

http://en.wikipedia.org/wiki/Code_injection
http://faq.1and1.com/scripting_languages_supported/malware/22.html
http://roshanbh.com.np/2007/12/sql-injection-attack-examples-and-preventions-in-php.html


 
Michael Beijer
Michael Beijer  Identity Verified
United Kingdom
Local time: 15:58
Member (2009)
Dutch to English
+ ...
TOPIC STARTER
@Madeleine Nov 28, 2010

Yes, although I know very little about programming, I do keep hearing about this so-called SQL malicious code injection thing. That was one of the things that worried me when considering whether to use PHP and/or a MySQL database.

I have been told that ASP would be safer. Can someone who understands these things shed a little light on this subject, taking as an example, perhaps, Glossword, which seems to be the most actively developed open source solution available at the moment ....(?)

I am working on gathering a few interested translators, in order to pool our resources to build an Online Glossary For and By Translators. So far, we have already collected a very large amount of Dutch-English-Dutch language data, and some German as well, and are now trying to evaluate what would be the best possible current open source solution for creating a multilingual online glossary platform.

Michael


p.s.: Glossword is a system to publish dictionaries, glossaries, and encyclopedias. It features an installation wizard, support for multiple languages, visual themes, multi-domain installation, an administrative interface with multi-user support, built-in search and cache engines, the ability to export/import dictionaries in XML format, and W3C-validated code. Glossword is useful for any sort of dictionary-like content, including sites with game cheat codes, online translators, references, and various kinds of CMS solutions. (from their freshmeat project description)


 
Ramon Somoza
Ramon Somoza  Identity Verified
Spain
Local time: 16:58
Dutch to Spanish
+ ...
PHP by itself is not unsafe Dec 6, 2010

Or at least not more than any other programming language. And ASP is also vulnerable to code injection, let nobody tell you otherwise. IMHO, the most unsafe programming language is C.

I have quite a few sites written in PHP and using MySQL databases (see for example http://www.freelance-translator.info) and there's no problem at all.

The caveat is that you know what you do and can program the code properly to prevent (at least the most evident) attacks. The attacks come mainly from interaction with the user, whereby hackers try to exploit flaws in your code.

One classic example is code injection: In its simplest form, it consists of an attacker writing code in a form. If your code simply copies over that text into a database query, you are providing an attack vector, as the text may have characters (such as quotes) that denote the end of the string, and might be used by the attacker to insert additional commands that would be inadvertently executed by your script.

The most basic and obvious way to counteract this is to "strip" every potentially dangerous character from the incoming text. Thus, if you want people to search for words, strip out any characters that are not between "a" and "z" (remember that lower and upper case are different) or a space. You may accept "0" to "9", but any other character is suspect unless proven innocent.



[Edited at 2010-12-07 17:45 GMT]
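As an added illustration of the form-input problem Madeleine raises and the code-injection mechanism Ramon describes (this is example code, not from the thread, from Glossword or from any project mentioned above), the PHP below puts a glossary lookup that splices the search term straight into the SQL text next to the same lookup done with a PDO prepared statement, plus an allow-list check in the spirit of Ramon's "strip everything suspect" advice. The table `glossary` with columns `term` and `translation`, the database name and the credentials are all assumed.

```php
<?php
// Added example (not from the thread or from Glossword). Assumes a MySQL table
// `glossary` with columns `term` and `translation`; $pdo is a PDO connection.

// VULNERABLE: the form value becomes part of the SQL text, so a quote inside it
// ends the string literal and whatever follows is parsed as SQL by the server.
function lookupUnsafe(PDO $pdo, string $term): array
{
    $sql = "SELECT term, translation FROM glossary WHERE term = '$term'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the SQL text is fixed; the value travels separately as a bound
// parameter, so quotes inside it can never end the string or add commands.
function lookupSafe(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare(
        'SELECT term, translation FROM glossary WHERE term = :term'
    );
    $stmt->execute([':term' => $term]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Input validation as a second layer (not a replacement for prepared
// statements): accept only letters (Unicode, so Dutch/German accents work),
// digits, space and hyphen, and cap the length.
function isValidTerm(string $term): bool
{
    return mb_strlen($term) <= 64
        && preg_match('/^[\p{L}\p{N} \-]+$/u', $term) === 1;
}

// Usage with constructed connection details.
$pdo = new PDO('mysql:host=localhost;dbname=glossary_db;charset=utf8mb4', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);
$term = $_GET['q'] ?? '';
if (!isValidTerm($term)) {
    http_response_code(400);
    exit('Invalid search term.');
}
foreach (lookupSafe($pdo, $term) as $row) {
    // Escape on output too, so stored entries cannot inject HTML or JavaScript.
    echo htmlspecialchars($row['term'], ENT_QUOTES, 'UTF-8'), ' = ',
         htmlspecialchars($row['translation'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

The same pattern (fixed query text, values bound separately, output escaped) is what separates a safe PHP glossary from an unsafe one; the language itself is not the deciding factor, which is the point Ramon makes above.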