DEV Community


Discussion on: Choosing PHP in 2018

Pert Soomann

This is a pretty good place to start:

Even new CodeIgniter refers back to OWASP

Could be that because PHP entry level is so low, you do have a lot of people that haven't got their fingers burned yet.

It really needs to be a multi-level approach, as if your sysadmin (if that's a separate person) doesn't do the server bit, the app is still wide open for abuse.

If you are considering writing an article, I'd sure be interested in reading it.

Scott Tadman

You can SQL inject in any language, absolutely, but it seems like the drivers that ship by default with others have examples with placeholder values as a rule. While the official PHP documentation does a great job of walking people through how to use things like PDO or mysqli, these pages are buried SEO-wise by a metric ton of junk that doesn't, especially in the YouTube department.

The PHP world has an unusually high number of frameworks, maybe a dozen depending on your definition. In the Ruby world we've got basically two. Python? Three-ish. Node? Everything builds on Express.js. PHP has so much choice!
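The contrast the comment draws, as an added example that is not part of the thread: the string-built query that tutorials still teach, beside the PDO placeholder form from the official docs. It uses an in-memory SQLite database and constructed rows so it runs offline with no server; the table, names and the probe string are all made up for the demo.

```php
<?php
// Added example (not from the thread). In-memory SQLite so it runs offline;
// the table and rows below are constructed for the demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// The pattern that top-ranking "how to php mysql" tutorials still show:
// user input is concatenated into the SQL text, so the input can rewrite
// the WHERE clause instead of being compared as a value.
function findByNameUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The placeholder form the PDO docs walk through (mysqli's bind_param is
// the equivalent): the SQL text is fixed at prepare time and the value is
// bound separately, so whatever the input contains it is only ever data.
function findByNameSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal lookup and the classic quote-breaking probe.
$inputs = ['alice', "' OR '1'='1"];
foreach ($inputs as $in) {
    printf(
        "input %-14s  unsafe: %d row(s)  safe: %d row(s)\n",
        json_encode($in),
        count(findByNameUnsafe($pdo, $in)),
        count(findByNameSafe($pdo, $in))
    );
}
```

Running it shows the concatenated version returning every row for the probe string while the prepared version returns none, which is the whole reason the placeholder examples matter more than the syntax they replace.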

Scott Tadman

I think the problem is so pervasive, it's basically endemic to large parts of the PHP world, that it calls for some kind of intervention. An article won't be enough. This requires a pretty serious effort to disrupt what the current top-ranking results are for common inquiries like "how to php mysql" and such.

As much as I appreciate OWASP, it's a bit too theoretical for most people to absorb, especially newcomers who just want a how-to type introduction. It's at that point they're the most vulnerable to bad advice.

Andrew Davis Author

It’s hard to turn the direction of a large ecosystem, but it would probably take creating something like a PHP security initiative which would provide high quality documentation and videos that would become the reference point for good security. It would have to be something the whole community can get behind.

I think frameworks have made the situation much better since they have more secure defaults. However, developers need to be able to understand what the framework provides so they use it appropriately.