@jsg you are just a fan boy. Actually no experience whatsoever, and your writing proves it.
In computer science or software engineering when we talk about how one language is better than another we use actual code samples and proof of concept. We don't rely on opinions.
In LET we use chitchat and trolling to prove a point. Please adapt.
Thanks a lot for continuing to make me laugh and also for sharing what you've read about the world of computer science and software engineering!
I think that now that I'm beginning to see the light thanks to you, I'll throw away what the profs taught me, what I myself taught, and also all the scientific papers and experience. Who needs math or formal tools when one can simply use the PHP lotto generator?
Thanks!
Not fair, and inaccurate about his experience.
I think it's fairer to say that @jsg only considers secure what can be proven secure, which is a level of analysis that 99% of LET readers have not been exposed to.
I understand his point. There are practices and tools that allow a developer to write provably secure code - provable in a mathematical sense that all execution paths are checked and it is impossible for the program to do something that would surprise the author. By definition this limits one to (a) statically typed languages, and (b) languages that these tools support. (This is not my field so I may be misstating something so feel free to correct @jsg).
On that basis, I agree with his assessment of PHP.
In the general developer community and some comments here, I reject the idea that PHP is inherently less secure than perl, python, ruby, javascript, or other languages typically used in web development. Generally when someone says "PHP is insecure," in their next sentence they're recommending javascript or python, not Ada.
Yeah, since you mention Laravel, here are some PHP servers vs Go servers.
Hopefully you'll notice a bit of difference between 36k and 7 million.
PHP is not really recommended for high concurrent/traffic sites.
https://www.techempower.com/benchmarks/#section=data-r19&hw=ph&test=plaintext
Sure, if you limit yourself to a single web server.
There are high traffic sites running Wordpress for pity's sake.
Yes
Correct in theory. In practice there are always some ugly corners, some of which aren't even in any way predictable. So it is possible, even with verified and proven-to-be-sound code, that something ugly happens, although it's far less likely.
Yes, correct (albeit not complete. But damn good enough for here)
Well, depends. One example: there are (reasonably safe) languages that output javascript code, but afaik none that output checked and reasonably safe PHP (or Perl or ...) code.
And no, I wouldn't recommend javascript or Python for sensible projects, although they are (objectively) a bit better than PHP (but then that's saying an almost blind person is better than a blind person).
FWIW while I personally would rarely pick that route, Ada can be a solid albeit quite cumbersome basis due to AWS (Ada Web Server, not the Amazon service).
Correct - but speed/performance isn't the issue we discuss.
Is security really important when we talk about blogging? I mean, I would never look at the software documentation for WordPress.
There's a term called "computationally secure" in security, which means the cost of breaking my blog exceeds the value of the blog itself.
@raindog308 I agree with what you are stating. PHP is as vulnerable as any other language. Vulnerabilities most of the time come from common developers failing to adhere to secure practices, mainly because they don't have the experience. Sometimes even frameworks have vulnerabilities. Any language has vulnerabilities, even C# .NET Framework and Core, VB, etc. It all has issues.
But the real point here, and mainly the reason why I don't agree with these people (@jsg and the other one, @Jona4s), is that as a developer or engineer you can't really judge a language by word of mouth. If you as a developer are going to say PHP sucks, then the minimum I expect is: "PHP is not good because.... A, B and C, and here is the source and proof, and I've been developing in PHP for the last 10 years and based on the recent PHP8 release and blah blah I don't see any competencies and see major flaws in X, Y, Z."
People judge PHP because WP is based on it and people developing plugins sometimes write shit code and have vulnerabilities. PHP != WP. Same as C# is not at fault for any shit code you as a developer write.
I expect that person criticizing PHP to know what Laravel, CodeIgniter, Symfony, Yii, Slim ARE and to have PROVEN experience with them before making big statements about the state of a language.
I like proven statements. I don't like people that generalize, making big statements like the ones in previous replies out of ignorance. I also don't expect much since this is LET, but computer science is a science, and when we talk about science we are not supposed to be opinionated but instead present evidence to prove claims.
Are we talking about security? Let's discuss it using the code documentation and present PoC.
Is it performance? Let's compare code and measure.
Is it scaling? The same applies.
The more you know (EDIT /ADDED):
@Jona4s Facebook proved you wrong, I guess. Ever heard about "Hack", based on PHP? I don't need to actually explain how massive FB's user base is. Research their stack, you will learn one or two things. Such a massive network running with PHP on its back-end like a champ.
Feel free of course to perceive reality how you like and to then arbitrarily add a layer of very subjective interpretation on top, but, sorry, bad news for you: reality doesn't care.
And my neighbor's wife expects flowers ... so what.
Funnily, most of what you say has not been my line of argument.
... yet you ignore them ...
... says the guy who actually cares about proofs and science about as much as a cow cares about paintings and in fact even attacks those who actually do.
"Hxxx believes!" != science.
Thanks for the example. "PoC" is a term that is hardly ever used in the security field or in (serious) computer science. "Proof", "formal verification" and "math" however are important and frequently mentioned. But thanks again for amusing me, e.g. by mentioning "code documentation" and other mental artifacts of a clueless amateur's imagination of "how real professionals do it".
P.S. Unless you want me to really pick your nonsense apart I suggest you stop.
@jsg where is the mathematical proof in your replies? Again, remind us what your PhD degree and other qualifications are.
For my amusement, let's continue. I'll start by letting you know what PoC means: https://en.wikipedia.org/wiki/Proof_of_concept
OK, you asked for it ...
... but ...
Evidence?
Evidence?
Hahahaha! Who woudda thought that ...
Evidence?
Hahahaha! So this is the "best in terms of security" in your clueless small world ...
We didn't.
We did. You just ignored it.
Sorry to hurt you but you know in the real world it's done very differently.
Time period != Experience and competence.
I didn't
bla bla, and nights are darker than days
I didn't say that
Well, actually a language can make it harder or easier to produce correct or buggy code.
Logic error. One can judge PHP (or any language) without knowing frameworks, libraries, etc.
Actually that's not even needed (but helpful). One can judge a language purely formally.
But you can of course expect that just like you can expect women to jump at you (don't hold your breath though)
I may have overlooked it. Any evidence for that statement?
So you dislike yourself? Sad!
You mean to say that we are stupid?
Congrats! You spotted the word "science" in "computer science". Brilliant.
We did. And you, why don't you meet your own expectation?
I propose to amend the rules and replace "Politics" with "Politics or PHP"
@jsg so sad, here I thought you were actually a person with knowledge. I'll give you another try. You keep referring to math on and on. Please, for our understanding and the benefit of the community, explain to us with a concept or example your findings on PHP's security. What are your findings?
Care to also shed some light on your qualifications? I mean, to talk with such certainty surely you have a deep background in software engineering. What's your PhD? How many years have you actually been developing with PHP?
In the end you are just adding nonsense and there is little evidence to your claim. I mean damn, I even read your interview on LEB and found you not qualified to make such dev language claims. But hey, it is what it is.
PS:
I'm here chilling, having a nice Sunday. Actually expecting a smart conversation and not only opinions, which is what we all have shared so far. Also, this is all respectful; you surely know I don't care about your opinion of PHP and it's not personal.
No, your ad hominem attempt won't help you.
As for my qualifications: I strived for a degree in digging holes in gardens but I failed. Regarding computers: a friend of mine once had an Amiga and I sometimes watched him doing weird stuff on that Amiga thing while I was digging holes in a garden.
Care to provide some of the requested evidence, Mr. "I wanna see proof"?
@jsg cool, fair enough. Honestly I did give you the benefit of the doubt and said, uhm, maybe I'm reading wrong, he can't just be trolling, you know... So I read all your replies again but still failed to see the part where you actually mentioned a fact about PHP being so insecure (it never happened). I guess it is what it is. Cheers, have a good one.
I would like to add that if the conversation was "PHP sucks because if your server gets compromised your code is all exposed", I would certainly say, heck yeah, I agree. There is a clear disadvantage to languages that are interpreted versus compiled.
If you couldn't make the grade in hole-digging, perhaps a lateral transfer to the weeding department?
I'd be happy to sponsor your studies by providing real-world experience in my garden, free of charge.
What a lovely and generous offer, thank you so much!
But to be honest I failed so miserably that I have given up all hope in any type of garden work. Meanwhile I have been invited/asked to and have been doing a standard interface to static analysers (yes, such a lib really exists and supports Z3 and quite a few others) for a programming language for quite a while.
Far less attractive than a degree in digging holes in gardens, granted, but I guess we all have to cope with our limitations.
Exactly. My question wasn't related to some banking app or whatever, but was about a specific software dedicated to blogging that was in PHP. The focus on security was present even though it was in PHP: the devs didn't say PHP is the best language in the world for security or shit like that; their goal was to do something as secure as possible (following best practices, having a strong signature system for upgrades and plugins and stuff like that), while using PHP.
Well, actually that was not what you asked for. What you asked for was
And that's why I wrote in this thread.
But, by all means, if a somewhat kind of like "secure" PHP based blog is what you want, then go ahead, no problem.
Finally you cleared the misunderstanding. So what you actually want is what professionals call "largely security theater" and in PHP please, because that's what you know and/or what you know how to configure (server config, etc). But kindly do not talk about "strong focus on security" because if you do I feel addressed and would need to shake e.g. the "strong signature system" (in PHP? Seriously? Hahaha) shroud.
(And no, I'm not generally and absolutely against PHP based blogs. In fact I myself run a WP site - but then, I don't have any wet dreams about it being somehow "secure". It is not secure, but in my case it need not be.)
You're joking, right? Or just trolling maybe? That's exactly what I was asking:
You'll note that the "misunderstanding" was cleared in my first post:
Only "finally" (to use the same word as you) did I ask for another good alternative, in case nobody did remember that post and/or the guy who posted about this wasn't around anymore:
Anyway I expected this kind of "php is insecure" conversation to pop up, and I don't mind, it's always interesting. But my question clearly wasn't "is php the best language to build a super secure app?". (And LET had a similar discussion/thread in the past on that topic).
What I want basically is to find the name of a specific project. If nobody knows this, a couple of recommendations for interesting php based blogging systems that will do their best to provide something secure. No problem if "professionals" call that "security theater". No problem if l33t h4xxorz find it inherently insecure or might hack it.
I asked about PHP because as I was looking for a specific app in PHP I wanted people to be able to give other names in case they didn't remember the post I was referring to. If you have something to recommend on another language, I'd be interested to know about it as well, and I might actually use it, even though that was not what my OP was about.
It's not that important but I was curious to check out this project as from what I remember they tried to focus on security rather than features, and I liked their approach. Sounded like the perfect software for a low maintenance minimalist blog with more possibilities (easy comment integration for example) than a fully static one.
@pbx
(a) No, not joking. I quoted you
(b) No problem, I'm not criticizing you nor PHP per se, as long as it's not in the context I understood it to be.
Anyway, good luck finding what you are looking for.
Right, but you forgot a bunch of words, which had some meaning...
Thanks! Hope I'll find it, or it might be a sign to move on and stay far from PHP for this project.
edit: they presented their project as having been PHP based, with a strong focus on security. I understand that this can make you or some folks here consider that this doesn't make any sense. It's fine, but again it's for a blog, so in my opinion (and obviously the code authors' as well) php can do the job, even if it's clearly not the best language for "security".
As far as security is concerned, wordpress with no plugin could be fine for this project. But I'd rather use something different, and I'd prefer this cms/blog to focus on security and to have a proper mechanism for security updates.
@pbx if you can consider WordPress but are careful with the plugin selection and make sure that both the server and WordPress are "security hardened", you will have no issues. For best results I recommend installing Wordfence (even the free version; if pro, better). It works very efficiently, and with the WAF (that it includes) properly configured, that thing will rip any attack easily. In fact you will be able to see all the attack vectors it blocks from bots.
My recommendation is:
- Consider WP with the Wordfence plugin. I consider Wordfence to be superior to the other alternatives since it has a network that constantly pushes mitigations and offers greater results.
- Configure Wordfence to block executions in the upload directory. Configure Wordfence to scan themes and plugins and files outside of WordPress. Prevent admin from being registered. Activate the Extended protection.
- Install plugins only from very well known developers / sources.
- Themes: always use paid professional themes. ElegantThemes / Divi, Yootheme, Rockettheme are among the best in terms of security and performance.
- Only install plugins that you need. If you disable one, delete it.
Have a good one
Maybe Airship? https://github.com/paragonie/airship
Hasn't been updated in a while though.
@pbx
Is it airship?
It uses the sodium cryptography library and provides secure automatic updates.
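The "strong signature system for upgrades and plugins" asked for earlier in the thread, and the signed automatic updates mentioned here, reduce to one installer-side check: nothing is applied unless a publisher signature over the release manifest verifies against a key pinned in the installed application, and the archive matches the digest that signature covers. The following is an added Go example written for this thread, not Airship's or any other project's code; the Manifest layout and the release counter are constructed for illustration, and Ed25519 is used because it is the primitive behind libsodium's crypto_sign.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical release descriptor (constructed here); signing it as a whole binds the release number to the digest.
type Manifest struct {
	Release uint64 // monotonic release counter
	SHA256  string // hex digest of the update archive
}
// canonical produces the exact bytes that are signed and later verified.
func canonical(m Manifest) []byte {
	return []byte(fmt.Sprintf("release=%d\nsha256=%s\n", m.Release, m.SHA256))
}

// PublishUpdate is the publisher side: digest the archive and sign the manifest with the
// Ed25519 release key (the primitive behind libsodium's crypto_sign); only the public half ships.
func PublishUpdate(priv ed25519.PrivateKey, release uint64, archive []byte) (Manifest, []byte) {
	sum := sha256.Sum256(archive)
	m := Manifest{Release: release, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, canonical(m))
}

// VerifyUpdate is the installer side: apply only if the manifest is signed by the pinned key, the
// archive matches the signed digest, and the release is newer than installed (blocks replaying an old signed update as a downgrade).
func VerifyUpdate(pub ed25519.PublicKey, installed uint64, m Manifest, sig, archive []byte) error {
	if !ed25519.Verify(pub, canonical(m), sig) {
		return errors.New("manifest signature invalid, refusing update")
	}
	if sum := sha256.Sum256(archive); hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("archive does not match signed digest, refusing update")
	}
	if m.Release <= installed {
		return errors.New("downgrade or replayed release, refusing update")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	m, sig := PublishUpdate(priv, 7, []byte("constructed sample plugin archive"))
	fmt.Println(VerifyUpdate(pub, 6, m, sig, []byte("constructed sample plugin archive")))
	fmt.Println(VerifyUpdate(pub, 6, m, sig, []byte("modified archive")))
}
```

A bare checksum fetched from the same server as the archive gives none of this: whoever can alter the download can alter the checksum, whereas the pinned public key lets the installer reject anything the publisher's private key did not sign.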