The proportion of insecure software written in PHP, out of the total of all common software vulnerabilities, amounted to: 12% in 2003, 20% in 2004, 28% in 2005, 43% in 2006, 36% in 2007, and 33.8% for the first quarter of 2008. More than a third of these PHP software vulnerabilities are listed recently. Most of these software vulnerabilities can be exploited remotely, that is without being logged on the computer hosting the vulnerable application. The most common vulnerabilities are caused by not following best practice programming rules and vulnerabilities related to software written in old PHP versions. One very common security concern is register_globals which was disabled by default since 2002 in PHP 4.2.
There are advanced protection patches such as Suhosin and Hardening-Patch, especially designed for web hosting environments. Installing PHP as a CGI binary rather than as an Apache module is the preferred method for added security.
Security
