The recent post about what people are using for webmail got me thinking about a perhaps irrational policy I have with my own self-hosted software: I don’t install anything written in PHP, because I have this vague notion that PHP software is often insecure. I think I probably got this idea because years ago I saw all the vulnerabilities in PHP webmail clients and PHP software like Wordpress and decided that it was the language’s fault—or at least a contributing factor.
Maybe this isn’t fair. Maybe PHP is just more accessible to new devs and so they’re more likely to gravitate to it and make security mistakes. Maybe my perception isn’t even accurate, and webmail / blog software written in other languages is just as bad—but PHP gets all the the negative attention because it’s so prevalent for web apps. Maybe my policy was a good idea, years ago, but now it’s just out of date.
To be clear, I’m not trying to stoke the flames of a language holy war here or anything. I’m honestly asking: Is it maybe time to revisit my anti-PHP policy? I’m looking longingly at some federated software like Pixelfed and wondering if maybe I’m just being a little too close-minded.
So I’m interested in your own experiences and polices here. Where do you draw the security line for what you will or won’t host, and what made you make that choice?
Language where use of uninitialized variable is warning ( not a core dump) should not be used. IT mostly in the past for modern PHP, but bad programmers habits remains. I have seen so horribly written PHP project, so i prefer to stay away.
Thanks for weighing in. That’s historically been my take as well, although as of this thread I’m starting to wonder if modern PHP can be better and/or particular projects can be.
My opinion that language have changed, but people who use it are mostly same. Anyone who starting working in WebDev now will not use PHP, it is no longer a good tool. Like perl, it is still around, lots of software depends on it. But hardly any new stuff will be written on it. And it is programmers who define quality of the code, if you learn to code on language which promote bad practice it is really hard to change.
Language itself is not the problem. The old notion of “PHP is insecure” stemmed from languages elitists trying to fan the language war by pointing at CVE repositories and claiming the large number of issues stemming from 3rd party WordPress plug-ins and alike, ignoring the fact that there were way more projects than other languages because it is the most commonly used language on the web, as well as having way longer lineage therefor more time to accumulate security issues; whereas their new and shiney with lesser projects are allegedly more secure because there’s lesser projects, lesser eyeballs, lesser histories, etc.
The core language itself is fine; and just as with any other language out there, it is prudent to keep up with updates. The big named projects are fine; and just with any other projects out there, it is prudent to keep up with updates. The extensions/3rd party modules are … well you get the idea.
Just thought of this comparison:
How would you think if someone tells you “Microsoft (PHP) is insecure because there’s all these 3rd apps (plugins) for Windows (WordPress) that has security issues. Don’t believe me? Just look at all those problems from Windows ME (PHP4/5) days!”
Bad applications full of security flaws can be written in basically every language.
The thing with PHP is there’s still extremely old apps that just haven’t been updated to modern standards, because PHP itself is much older and thus predates more modern JavaScript/Ruby/Python apps. Wordpress in particular hasn’t changed all that much, and insists on using a wildly outdated database layer on the name of remaining compatible with old plugins, because those plugins is what people turn to Wordpress for.
As with any app you don’t completely trust, the solution is to restrict what they can do as much as possible. Run with minimum privileges, sandbox it in a container, whatever is needed.
That makes sense. Maybe then the trick is to look at whether any particular app (PHP or otherwise) is written with modern security practices. How do you judge a project’s security practices though?
And then, yeah, maybe also lock it down in a container so the blast radius of any actual exploit is pretty minimal.
This is the same as assuming anything written in Rust is secure. (i.e. it’s very wrong)
I wrote my personal website in PHP, and I’m pretty happy with the security I’ve got going on. I’m not an expert, but I paid close attention to best practices to avoid pitfalls like SQL injection. My instinct is that it’s certainly easy to code insecure applications in PHP (and probably many other languages as well), but the language does provide means by which to code safely.
Awesome, good to hear from an actual PHP dev. I assume then you’re also fine self-hosting third-party PHP applications? How do you make the call on whether it’s okay to host from a security perspective? The same as with software written in any other language?
It’s a good idea to invest time into hosting all your stuff in individual containers. You get lots of benefits that way, on top of isolation.
If I’m being honest, I’ve never even looked to see what language most of the stuff I run is written in. Out of 16 apps that I’m running, only 3 are accessible from outside my LAN. Those three are high-profile open source projects that are actively maintained. That’s enough for me to be comfortable security-wise in my environment.