Can someone explain to me briefly the dangers of using PHP to host an online dictionary or glossary?
Thread poster: Michael Joseph Wdowiak Beijer

Michael Joseph Wdowiak Beijer
United Kingdom
Local time: 06:43
Member (2009)
Dutch to English
+ ...
Nov 28, 2010

Question: Can someone explain to me briefly the dangers of using PHP to host an online dictionary or glossary?

There are a few open source projects that use PHP, but I know that PHP is known to be unsafe.

e.g.,

Glossword: http://sourceforge.net/projects/glossword/
Open Translation Engine: http://sourceforge.net/projects/ote/

How exactly is it unsafe, and what exactly can happen if you use it anyway? That is, what are the exact dangers? Can your data be deleted (I don't mind) or copied (I don't mind)? Can a hacker damage your host server/provider (I do mind)? Etc.

The reason I'm asking this is I want to use a ready-made solution because I simply don't have the time or the skills to code something myself, but I would prefer it to be: cheap (open source), and safe. Or at least as safe as possible.

Michael

[Edited at 2010-11-28 22:26 GMT]


TvNellen
United States
Local time: 00:43
English to Dutch
+ ...
It can't be that bad Nov 28, 2010

(...) Most of these PHP-related vulnerabilities can be exploited remotely: they allow attackers to steal or destroy data from data sources linked to the webserver (such as an SQL database), send spam or contribute to DoS attacks using malware, which itself can be installed on the vulnerable servers.

These vulnerabilities are caused mostly by not following best practice programming rules (...)

(Wikipedia)

PHP is widely used (synoniemen.net, nederlandsewoorden.nl, to name a few sites I use), so I don't think you should worry too much about it.



Stanislaw Czech, MCIL
United Kingdom
Local time: 06:43
Member (2006)
English to Polish
+ ...
I've never heard of any dangers Nov 28, 2010

If you want to host a glossary online you will need a database, and the pages displaying translations (on the basis of entries in this database) will have to be generated dynamically, as opposed to static HTML files.

I believe that using PHP is one of the safest ways of achieving it.

Cheers
Stanislaw



Madeleine MacRae Klintebo
United Kingdom
Local time: 06:43
Swedish to English
+ ...
Thoughts from an amateur Nov 28, 2010

I think potential danger could come from using a form or similar. Unless the form has restrictions on which kind of data can be entered, you might find that your site is vulnerable to malicious code injection.

I never found the time to finish the PHP module in the web design course I studied recently, but I seem to remember that this was partly covered when we studied javascript.

This is what some who know more than me have to say:

http://en.wikipedia.org/wiki/Code_injection
http://faq.1and1.com/scripting_languages_supported/malware/22.html
http://roshanbh.com.np/2007/12/sql-injection-attack-examples-and-preventions-in-php.html



Michael Joseph Wdowiak Beijer
United Kingdom
Local time: 06:43
Member (2009)
Dutch to English
+ ...
TOPIC STARTER
@Madeleine Nov 28, 2010

Yes, although I know very little about programming, I do keep hearing about this so-called SQL malicious code injection thing. That was one of the things that worried me when considering whether to use PHP and/or a MySQL database.

I have been told that ASP would be safer. Can someone who understands these things shed a little light on this subject, taking as an example, perhaps, Glossword, which seems to be the most actively developed open source solution available at the moment ....(?)

I am working on gathering a few interested translators, in order to pool our resources to build an Online Glossary For and By Translators. So far, we have already collected a very large amount of Dutch-English-Dutch language data, and some German as well, and are now trying to evaluate what would be the best possible current open source solution for creating a multilingual online glossary platform.

Michael


p.s.: Glossword is a system to publish dictionaries, glossaries, and encyclopedias. It features an installation wizard, support for multiple languages, visual themes, multi-domain installation, an administrative interface with multi-user support, built-in search and cache engines, the ability to export/import dictionaries in XML format, and W3C-validated code. Glossword is useful for any sort of dictionary-like content, including sites with game cheat codes, online translators, references, and various kinds of CMS solutions. (from their freshmeat project description)



Ramon Somoza
Spain
Local time: 07:43
Member (2002)
Dutch to Spanish
+ ...
PHP by itself is not unsafe Dec 6, 2010

Or at least not more than any other programming language. And ASP is also vulnerable to code injection, let nobody tell you otherwise. IMHO, the most unsafe programming language is C.

I have quite a few sites written in PHP and using MySQL databases (see for example http://www.freelance-translator.info) and there's no problem at all.

The caveat is that you know what you do and can program the code properly to prevent (at least the most evident) attacks. The attacks come mainly from interaction with the user, whereby hackers try to exploit flaws in your code.

One classic example is code injection: in its simplest form, it consists of an attacker writing code into a form. If your code simply copies that text over into a database query, you are providing an attack vector, as the text may have characters (such as quotes) that denote the end of the string, and might be used by the attacker to insert additional commands that would be inadvertently executed by your script.

The most basic and obvious way to counteract this is to "strip" every potentially dangerous character from the incoming text. Thus, if you want people to search for words, strip out any characters that are not between "a" and "z" (remember that lower and upper case are different) or a space. You may accept "0" to "9", but any other character is suspect unless proven innocent.



[Edited at 2010-12-07 17:45 GMT]
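The form-input risk Madeleine raises and the quote-terminates-the-string flaw Ramon describes are the same problem seen from two sides. The following is an added example (not code from this thread, from Glossword or from any other project mentioned here) showing a glossary lookup written the unsafe way next to the safe way. The in-memory SQLite database, the three rows and the two search terms are constructed sample data; the function names are my own.

```php
<?php
// Added example, not code from the thread or from Glossword: a glossary
// lookup written the unsafe way (user text concatenated into SQL) and the
// safe way (input check plus a prepared statement). An in-memory SQLite
// database and the three rows below are constructed sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE glossary (term TEXT NOT NULL, translation TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO glossary (term, translation) VALUES (?, ?)');
foreach ([['huis', 'house'], ['boom', 'tree'], ["l'eau", 'water']] as $row) {
    $insert->execute($row);
}

// UNSAFE: the search term is pasted straight into the SQL text, so a quote
// inside it ends the string literal and whatever follows is parsed as SQL.
// This is exactly the flaw described in the post above.
function lookupUnsafe(PDO $db, string $term): array
{
    $sql = "SELECT translation FROM glossary WHERE term = '" . $term . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The whitelist approach from the post: accept only a-z, A-Z, 0-9 and space
// (a length cap added here), and reject anything else before it gets near
// the database.
function isAllowedSearchTerm(string $term): bool
{
    return preg_match('/^[A-Za-z0-9 ]{1,64}$/', $term) === 1;
}

// SAFE: a prepared statement sends the value separately from the SQL text,
// so the database never treats it as part of the query. This also lets the
// glossary hold legitimate terms such as "l'eau" that the whitelist rejects.
function lookupSafe(PDO $db, string $term): array
{
    $stmt = $db->prepare('SELECT translation FROM glossary WHERE term = ?');
    $stmt->execute([$term]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Demonstration (constructed input): a plain word and a word containing a quote.
foreach (['huis', "l'eau"] as $term) {
    echo "term: $term\n";
    echo "  whitelist: " . (isAllowedSearchTerm($term) ? 'accepted' : 'rejected') . "\n";
    try {
        echo "  unsafe:    " . implode(', ', lookupUnsafe($db, $term)) . "\n";
    } catch (PDOException $e) {
        // The quote in "l'eau" broke the SQL: proof that the input became code.
        echo "  unsafe:    query failed (" . $e->getMessage() . ")\n";
    }
    echo "  safe:      " . implode(', ', lookupSafe($db, $term)) . "\n";
}
```

Run it with `php example.php` on any PHP build that has the pdo_sqlite extension. The point worth taking from it: the apostrophe in an ordinary French word is enough to break the concatenated query, which is the same mechanism an attacker relies on; the prepared statement handles the word correctly and cannot be rewritten by it. Character whitelisting as suggested above is a useful second layer, but as the output shows it also rejects real dictionary entries (apostrophes, accented letters such as Dutch "één"), so for a multilingual glossary the prepared statement should be the primary defence and validation should be tuned to the data rather than relied on alone.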



