Hi Dale, You wrote "Every project is a matter of picking the right tool for the right job. Basing everything you do off from a combo of Linux Apache, MySQL and PHP is going to give you vulnerabilities you can't even imagine. And of course those vulnerabilities will scale as you try to scale.".
Can you be more specific about these vunerabilities? I've been doing LAMP professionally for 7 years with only one exploit. That exploit was due to a poorly designed app that I had inherited AND it was a great learning experience. I would think creating vulnerable code would be due to poorly designed applications and bad coding techniques. If you are using old school PHP programming techniques your code is probably vulnerable. I believe the following approach will keep you from being exploited. 1) do not allow direct access to your code. Create one entry point and all other files must reject direct access. This way you control what data gets in and how it is processed. This takes a different programming approach and mindset than just scripting. i would write for days on this subject alone. 2) sanitize any outside data that is going to be processed within your application. If you do these who things your LAMP app will more than likely be very secure. Keith On Friday, February 21, 2014 1:58 PM, S. Dale Morrey <sdalemor...@gmail.com> wrote: I used to be a master PHP programmer. I had hundreds of projects under my belt. They were all designed with the very best practices of the day. Then one project after another fell due to vulnerabilities. Sometimes code issues, sometimes wierd SQL attacks that had been previously thought to be "unpossible". Eventually all of these projects were replaced with less vulnerable languages such as Python, Java & Node. In the intervening years I've learned that PHP is good for a quick prototype to generate enough interest to get funding for a real project. Sorry but that's the truth as I see it from having spent the last decade and a half as a hired gun. Now days 20% of my work involves moving companies & people off from PHP and onto something more secure, more scalable etc. I would argue that a company will get more bang for it's buck by leveraging what they already know. If you have webdevs with strong Javascript experience then node is awesome. If you've got serious engineers with Java or C++ then frameworks based on that are good, Python also seems to work well for these guys although I've never been able to pick up strong proficiency in it. Perl may still be a good contender if you can grok the insane and arcane syntax it's performance will most times be far in excess of anything you'll achieve with PHP. And then of course there's Ruby, but I won't get into that. In fact the fastest webservice I ever built was built on top of Lua and it easily handled 300,000 queries per second in the real world. This was about 5 years ago on a single box with a flat-file DB an SSD drive and a crapton of ram. (crapton is a new unit of measurement, not a new particle) Every project is a matter of picking the right tool for the right job. Basing everything you do off from a combo of Linux Apache, MySQL and PHP is going to give you vulnerabilities you can't even imagine. And of course those vulnerabilities will scale as you try to scale. I believe that the combination of MySQL and PHP should be considered anathema to good design practice for any company developing a modern infrastructure. If you must go with PHP don't use MySQL as a backend. If you must use MySQL don't use PHP as a front end. So I stand by my earlier statement. I've learned that MySQL/PHP is good for a quick prototype to generate enough interest to get funding for a real project. Once you have that funding ,an immediate move to something better is in order. I do still like the language itself. It's the implementation that sucks. On Fri, Feb 21, 2014 at 1:20 PM, Matthew Frederico <mfreder...@gmail.com>wrote: > On Fri, Feb 21, 2014 at 1:03 PM, Tod Hansmann <plug....@todandlorna.com > >wrote: > > > Do you have to LOVE PHP? Can you just have an understanding of its > > usefulness as a tool despite the terrible language it is implemented as, > > thus enjoying building things with it as opposed to enjoying it in and of > > itself? =cP > > > > I know, I'm a bad man. > > > > Dear Tod, > > Not *loving* php doesn't make you a bad man .. well, not too much :-) > > Yes - it's not a perfect programming language like node, but compared to > GWBasic or Java - (</me ducks>) its shortcomings are outweighed by its low > footprint, ubiquitous install base and easy to pick up grammaticals. Thus, > like the hammer of Thor - In the right hands "the php" can be a powerful > force to do good. Just like every other language with a cult-like fan > base. > > So perhaps you are right - Loving what it does, not necessarily what it is. > (Love the sinner, not the sin?) > > Best Regards, > > - Matt > > /* > PLUG: http://plug.org, #utah on irc.freenode.net > Unsubscribe: http://plug.org/mailman/options/plug > Don't fear the penguin. > */ > /* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */ /* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
