PHP is a popular target of hackers who exploit vulnerable applications written in PHP. Software vulnerabilities related to PHP are identified among the CVE (Common Vulnerabilities and Exposures) records, available from the National Vulnerability Database. The proportion of vulnerabilities related to PHP, out of the total of all common vulnerabilities, amounted to: 12% in 2003, 20% in 2004, 28% in 2005, 43% in 2006, 36% in 2007, and 33.8% for the first quarter of 2008. More than a quarter of all software vulnerabilities listed in this database are related to PHP, and more than a third of vulnerabilities listed recently. Most of these vulnerabilities can be exploited remotely, that is without being logged on the computer hosting the vulnerable application. Such exploitation is made possible due to poor programming habits, such as failing to check data before entering it into a database, and features of the language such as
register_globals, which is now deprecated. These result in code injection, cross-site scripting and other application security issues. It's important to note that none of these attacks are exclusive to PHP and all are avoidable by following proper coding techniques and principles.