The recent post about what people are using for webmail got me thinking about a perhaps irrational policy I have with my own self-hosted software: I don’t install anything written in PHP, because I have this vague notion that PHP software is often insecure. I think I probably got this idea because years ago I saw all the vulnerabilities in PHP webmail clients and PHP software like Wordpress and decided that it was the language’s fault—or at least a contributing factor.
Maybe this isn’t fair. Maybe PHP is just more accessible to new devs and so they’re more likely to gravitate to it and make security mistakes. Maybe my perception isn’t even accurate, and webmail / blog software written in other languages is just as bad—but PHP gets all the the negative attention because it’s so prevalent for web apps. Maybe my policy was a good idea, years ago, but now it’s just out of date.
To be clear, I’m not trying to stoke the flames of a language holy war here or anything. I’m honestly asking: Is it maybe time to revisit my anti-PHP policy? I’m looking longingly at some federated software like Pixelfed and wondering if maybe I’m just being a little too close-minded.
So I’m interested in your own experiences and polices here. Where do you draw the security line for what you will or won’t host, and what made you make that choice?
I’m a full time senior PHP/JS developer.
PHP has a bad rap because of a few factors.
1, as you said, it’s accessible. It’s a very easy language to learn with a simple syntax and a simple tool chain. So often, it’s a dev’s first language. PHP holds your hand a little bit, but for the most part, security is on the developer, and when a dev doesn’t know any better, bad practices like interpolating values directly into your sql query seem like an easy way to get the job done, but at the hidden cost of opening up SQL injection vulnerabilities. But I’ve seen the same thing happen in Python code, so that’s not really a PHP problem so much as an education problem.
2, earlier versions of PHP were, in a word, shit. They were rife with inconsistencies, poor structure, half-baked features, and it all ran like dogshit. Even today, there’s still some contention in the PHP world about whether to fix the inconsistencies or not, because so much legacy code would fall apart if they did. PHP <= 4 was a goddamned dumpster fire. 5 was MARGINALLY better and brought in proper OOP. 6 literally didn’t exist for various reasons. 7 was actually getting pretty good, now with optional static typing. 8 is BANGIN’. It’s fast, easy to work with, has a great feature set, and a huge community.
3, it’s a big player. When you’re a huge player, you’re also a huge target. Wordpress is one of the most prolific web apps in existence, and it’s PHP based. Being huge, many more people are writing (shit) code for it, and many more (shit) people are trying to break it. Of course software that’s run on more servers is gonna be attacked more. It’s just numbers.
TBH, today, working in both languages extensively, I’d gladly take a PHP based web app over a NodeJS based web app. Don’t get me wrong, I love node for what it is and the paycheck I get, but JS is a goddamned dumpster fire of a half-baked language.
So tldr, don’t fear the PHP. As long as your software was written by somebody who knows their aaS from a hole in the ground, you’ll be fine.
Lol, I really appreciate your thoughts! These are exactly the sort of insights I came here for. I hope this is useful to others too who may be wondering about the same thing.
The fact that people still stuck talking about baggages of PHP 4/5, which was released in 2000, as if they’re still valid today is hilarious to me.