Discussion on: Choosing PHP in 2018

Scott Tadman

I've been trying to push for this more on places like Stack Overflow but there's a surprising amount of resistance to the very idea, something that I find is relatively unique to PHP.

I get a lot of "this is just for testing, security can come later" and "I want to learn, I don't want a framework to dumb it down for me" as push-back, which is not always easy to address.

PHP desperately needs more security and framework proponents.

Pert Soomann

So it's more a developer issue than an issue related to PHP itself - any language can cause SQL injection if you pass data straight from the user to the DB query as is.

I do relate to the push-back somewhat though; 8-9 years ago my attitude was "I can do it, why do I need a framework for?!" because I desperately needed to prove I was worthy in the company, but now... Not sure I can even write raw PHP anymore without the help of a framework, it just makes it much quicker :)

Andrew Davis Author

StackOverflow is a tough place to change opinions. A lot of people on there have unwelcoming attitudes. Unless you are making a really small website, there is no reason to not use a framework. Even for a small site I would recommend using something like Slim. Not taking security seriously is pandemic to all of programming, but it feels worse in PHP. I do wish there were more books or sites that focus on PHP security. It’s something I have thought about writing.

Pert Soomann

This is a pretty good place to start:
owasp.org/index.php/PHP_Security_C...
owasp.org/index.php/PHP_Configurat...

Even the new CodeIgniter refers back to OWASP:
bcit-ci.github.io/CodeIgniter4/con...

Could be that because the PHP entry level is so low, you have a lot of people who haven't got their fingers burned yet.

It really needs to be a multi-level approach, as if your sysadmin (if that's a separate person) doesn't do the server bit, the app is still wide open for abuse.

If you are considering writing an article, I'd sure be interested in reading it.

Scott Tadman

You can SQL inject in any language, absolutely, but it seems like the drivers that ship by default with others have examples with placeholder values as a rule. While the official PHP documentation does a great job of walking people through how to use things like PDO or mysqli, these pages are buried SEO-wise by a metric ton of junk that doesn't, especially in the YouTube department.

The PHP world has an unusually high number of frameworks, maybe a dozen depending on your definition. In the Ruby world we've got basically two. Python? Three-ish. Node? Everything builds on Express.js. PHP has so much choice!
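The two comments above (passing user data straight into a DB query, versus the placeholder style the PDO and mysqli docs teach) can be shown side by side. The following is an added example, not code from anyone in this thread; it assumes the pdo_sqlite extension is available and builds its own in-memory table and sample rows.

```php
<?php
// Added example (not from the thread): string interpolation into SQL
// versus binding the value as a parameter with PDO.
// Assumes the pdo_sqlite extension; database and rows are constructed here.

declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    foreach (["O'Brien", 'alice'] as $name) {
        $insert->execute([':name' => $name]);
    }
    return $db;
}

// Vulnerable pattern: the request value becomes part of the SQL text, so
// any quote in the input changes what the database parses. A legitimate
// name breaks the statement; a crafted one rewrites it.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the statement is prepared with a placeholder and the
// value is bound separately, so the driver never parses the input as SQL.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
$input = "O'Brien"; // an ordinary value a login or search form might submit

try {
    findUserUnsafe($db, $input);
} catch (PDOException $e) {
    // The apostrophe terminates the string literal: the query is malformed.
    echo "unsafe query failed: " . $e->getMessage() . PHP_EOL;
}

$rows = findUserSafe($db, $input);
echo "safe query found " . count($rows) . " row(s) for " . $input . PHP_EOL;
```

Run it with `php example.php`: the interpolated query throws a syntax error on a perfectly valid surname, while the prepared one returns the row. With the MySQL driver it is also worth setting `PDO::ATTR_EMULATE_PREPARES` to `false` so the server, not the client library, does the placeholder substitution.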

Scott Tadman

I think the problem is so pervasive, it's basically endemic to large parts of the PHP world, that it calls for some kind of intervention. An article won't be enough. This requires a pretty serious effort to disrupt what the current top-ranking results are for common inquiries like "how to php mysql" and such.

As much as I appreciate OWASP, it's a bit too theoretical for most people to absorb, especially newcomers who just want a how-to type introduction. It's at that point they're the most vulnerable to bad advice.

Andrew Davis Author

It’s hard to turn the direction of a large ecosystem, but it would probably take creating something like a PHP security initiative which would provide high quality documentation and videos that would become the reference point for good security. It would have to be something the whole community can get behind.

I think frameworks have made the situation much better since they have more secure defaults. However, developers need to be able to understand what the framework provides so they use it appropriately.