open to work
PHP Security

Introduction to PHP Security

Youssef
17 May 2026

Introduction to PHP Security

What is PHP?

PHP (Hypertext Preprocessor) is a server-side scripting language designed primarily for web development. First released in 1994, it powers an enormous portion of the web — including WordPress, Drupal, Joomla, and countless custom applications. This massive adoption makes PHP applications a prime and historically rich attack surface.

PHP is interpreted, weakly typed, and runs with direct access to the filesystem, database, and system commands. These characteristics, while flexible for developers, introduce significant security risks when code is written carelessly.

PHP Execution Model

Understanding how PHP executes is fundamental to understanding its attack surface:

  • PHP receives a request from a web server (Apache, Nginx, etc.)
  • The interpreter parses and executes the PHP file
  • User input flows through $_GET, $_POST, $_COOKIE, $_SERVER, $_FILES
  • Output is sent back as HTML to the client
  • The process runs with the web server's OS user privileges
🔴

Key Risk: PHP runs with OS-level privileges. If an attacker achieves Remote Code Execution in a PHP application, they control the machine at the web server user level — often leading to full system compromise.

Dangerous Functions

PHP exposes a rich set of functions that are dangerous when fed with user-controlled input. These are the functions every security researcher should know by heart:

// Command execution
system()       exec()        passthru()
shell_exec()   popen()       proc_open()
`backtick`

// Code evaluation
eval()         assert()      preg_replace()  // with /e flag (deprecated)
call_user_func()   call_user_func_array()
create_function()  // deprecated but still encountered

// File operations
include()      require()     include_once()   require_once()
file_get_contents()  file_put_contents()  readfile()
fopen()        unlink()      rename()

// Serialization
unserialize()  // extremely dangerous with user input

// Network
curl_exec()    file_get_contents()  // with URLs enabled
fsockopen()    stream_socket_client()

Unsafe Defaults

Older PHP configurations (and many production servers still running them) have dangerous default settings:

  • register_globals (removed in PHP 5.4) — automatically created variables from GET/POST
  • magic_quotes_gpc (removed in PHP 5.4) — false sense of security
  • allow_url_include — enables RFI attacks
  • allow_url_fopen — enables SSRF via file functions
  • display_errors = On — leaks stack traces and paths
  • open_basedir not set — no filesystem restriction
  • disable_functions empty — all dangerous functions available
; php.ini - dangerous configuration
display_errors = On
allow_url_include = On
allow_url_fopen = On
; open_basedir =          ; not set = no restriction
; disable_functions =     ; not set = everything allowed

The Weak Type System

PHP's type system is notoriously loose. The == operator performs type coercion before comparison, which leads to a class of vulnerabilities known as Type Juggling. This is one of PHP's most unique and dangerous quirks from a security perspective.

// PHP loose comparison surprises
var_dump(0 == "a");         // true (in PHP < 8)
var_dump("1" == "01");      // true
var_dump("10" == "1e1");    // true
var_dump(100 == "1e2");     // true
var_dump("0e1234" == "0e5678"); // true — magic hash collision!
⚠️

PHP 8 Note: PHP 8 changed the behavior of == when comparing strings to numbers. Many type juggling attacks that worked in PHP 7 and below no longer work in PHP 8. Always check the PHP version when testing.

Why PHP is a Prime Attack Surface

  • Massive deployment — millions of outdated PHP applications running in production
  • Historical baggage — decades of insecure code patterns taught in tutorials
  • Flexible include system — LFI/RFI vulnerabilities are unique to PHP
  • Complex serialization — PHP object deserialization is notoriously exploitable
  • Shared hosting — misconfigured environments everywhere
  • CMS ecosystem — WordPress plugins alone represent thousands of potential entry points

PHP Version Landscape

As of 2025, a significant portion of PHP deployments still run unsupported versions. PHP 5.x reached end-of-life in December 2018, yet remains in production on many servers. PHP 7.x EOL was November 2022. Only PHP 8.1, 8.2, 8.3, and 8.4 receive active support.

📋

During a pentest: Always identify the PHP version first. Running phpinfo() exposure, error messages, or HTTP headers (X-Powered-By: PHP/7.x) can reveal it. Old versions mean known CVEs you can leverage directly.

What's Next

This introduction sets the foundation. The following articles dive deep into each vulnerability class:

  • Exhaustive list of PHP vulnerabilities
  • SQL Injection in PHP
  • LFI / RFI — Local and Remote File Inclusion
  • PHP Object Deserialization & POP Chains
  • Type Juggling & Loose Comparisons
  • RCE via dangerous PHP functions
  • XSS in PHP applications
  • SSRF in PHP

Mindset: When auditing a PHP application, always follow the data. Trace every user-controlled input from entry point ($_GET, $_POST, headers, cookies) through all transformations, to every sink (function that acts on it). That path is where vulnerabilities live.