Secure PHP blog system

pbx Member

Hi LET.

I had read something about a little PHP based blog system with a strong focus on security (automatic & signed upgrades, well thought code and so on) some time ago on LET but can't find the post or link to the project's page anymore.

Do you guys know what this project can be? If not, any security focused php blog system (with comments) to recommend? Thanks!

Thanks!
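The "automatic & signed upgrades" feature the original post asks about, as an added example that is not part of the thread and not code from any project mentioned in it. It assumes Ed25519 via PHP's bundled ext-sodium, a small JSON manifest (version plus SHA-256 of the archive) as the signed object, and a public key pinned in the installed code; the function and field names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or from any project named in it.
// The release builder signs a manifest (version + SHA-256 of the archive)
// with an Ed25519 key; the installed site verifies that signature against a
// public key pinned in its own code before it touches the archive.
// Function and field names are hypothetical. Requires ext-sodium (PHP >= 7.2).

/** Builder side: sign a release manifest. Never runs on the web server. */
function signRelease(string $secretKey, string $version, string $archive): array
{
    $manifest = json_encode(
        ['version' => $version, 'sha256' => hash('sha256', $archive)],
        JSON_THROW_ON_ERROR
    );
    return [
        'manifest'  => $manifest,
        'signature' => sodium_crypto_sign_detached($manifest, $secretKey),
        'archive'   => $archive,
    ];
}

/**
 * Site side: accept the release only if (1) the manifest signature is valid
 * under the pinned key, (2) the archive matches the hash the manifest commits
 * to, and (3) the version is strictly newer than the installed one, so a
 * replayed old-but-validly-signed release cannot roll the site back.
 */
function verifyRelease(string $pinnedPublicKey, string $installedVersion, array $release): bool
{
    $sig = $release['signature'] ?? '';
    if (!is_string($sig) || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false; // malformed signature; also avoids a SodiumException below
    }
    if (!is_string($release['manifest'] ?? null) || !is_string($release['archive'] ?? null)) {
        return false;
    }
    if (!sodium_crypto_sign_verify_detached($sig, $release['manifest'], $pinnedPublicKey)) {
        return false; // not signed by the pinned key
    }
    $m = json_decode($release['manifest'], true, 512, JSON_THROW_ON_ERROR);
    if (!is_string($m['sha256'] ?? null) || !is_string($m['version'] ?? null)) {
        return false;
    }
    if (!hash_equals($m['sha256'], hash('sha256', $release['archive']))) {
        return false; // archive swapped after signing
    }
    if (version_compare($m['version'], $installedVersion, '<=')) {
        return false; // rollback attempt
    }
    return true;
}

// Self-contained demonstration with a throwaway key pair and a constructed
// archive; in a real deployment only the public half ships with the code and
// the secret half stays on the release builder.
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);
$publicKey = sodium_crypto_sign_publickey($keypair);

$release = signRelease($secretKey, '1.4.0', "constructed archive bytes\n");

var_dump(verifyRelease($publicKey, '1.3.2', $release));   // genuine, newer release

$tampered = $release;
$tampered['archive'] .= "<?php system(\$_GET['c']); ?>";   // constructed backdoor
var_dump(verifyRelease($publicKey, '1.3.2', $tampered));  // archive no longer matches manifest

var_dump(verifyRelease($publicKey, '1.4.0', $release));   // same version: rollback/replay

$otherKey = sodium_crypto_sign_publickey(sodium_crypto_sign_keypair());
var_dump(verifyRelease($otherKey, '1.3.2', $release));    // signed by someone else
```

Run it with `php signed-update.php`: only the first check passes, the tampered archive, the replayed same-version release and the foreign key are all rejected. The two details that make this worth more than "check a checksum" are that the version lives inside the signed manifest (so an attacker who can serve updates cannot relabel an old vulnerable release as new) and that the public key is compiled into the installed code rather than fetched from the same server that hands out the update.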

Comments

  • yoursunny Member, IPv6 Advocate

    "PHP" and "secure" don't belong in the same sentence.
    Use Hexo to generate static blog, and outsource comments to Disqus.

  • Not sure if it was Grav but it's something you could have a look at: getgrav.org

  • pbx Member

    @yoursunny said: Use Hexo to generate static blog, and outsource comments to Disqus.

    I was sure this kind of comment would come. Unfortunately I'm looking for a specific software somebody mentioned here, not for advice on the "most secure" blogging system (and I dislike Disqus and didn't find any way to add comments to a static blog that I find decent enough).

    Thanks @atomi. It wasn't grav but something totally oriented toward blogging, with a strong focus on security (even though it's in PHP). That being said, grav is great :smile:

  • vyas11 Member
    edited January 2021

    If search engine results are to be believed:

    • Geeklog
    • ModX
    • Flextype
  • jsg Member, Resident Benchmarker
    edited January 2021

    @pbx said:
    I had read something about a little PHP based blog system with a strong focus on security (automatic & signed upgrades, well thought code and so on)

    If not, any security focused php blog system (with comments) to recommend? Thanks!

    @pbx said:
    I was sure this kind of comment would come. Unfortunately I'm looking for a specific software somebody mentioned here, not for an advice for the "most secure" blogging system

    @yoursunny is right wrt PHP. The mere fact that some developer(s) decided to use PHP either shows that they are clueless wrt safety and security or that they are, pardon me, plain stupid or careless (or both). And yes, this holds true even for "not top security but just a reasonable level of security".

    Besides very few languages at the more exotic end of the spectrum (like Racket or shine) which usually are rather new and/or little tested, scripting languages are generally a bad choice for projects where safety and security are among the goals. That is not a "religious" statement but based on technical facts.
    And within the group of scripting languages PHP is among the worst of the worst wrt safety and security.

    Hint: if one needs both safety and security and flexibility (dynamic code) there is but one way. One creates the main body using a (preferably statically verifiable) compiled and strongly static typed language and then carefully integrates a - well controlled - sandboxed interpreter interface.

  • WebProject Host Rep, Veteran
    edited January 2021

    @yoursunny said:
    "PHP" and "secure" don't belong in the same sentence.
    Use Hexo to generate static blog, and outsource comments to Disqus.

    Any programming language and server can be insecure if the developer / admin has no clue about the security aspects, example: the majority of WordPress plugins!

  • Agreed @WebProject

    The low barrier to entry of PHP is the reason tons of people jump into PHP, and that results in tons of poor code being produced and used (and not used properly), and then people say PHP is insecure.

    Many other languages/platforms benefit from security by obscurity (not many people use them so not many people motivated to find the holes in it).

    You do have to keep your parts updated regardless of what you use even if you are using static sites.

  • I use Grav and it is good, it has no database. Getting used to Twig over Smarty.

  • @yoursunny said: "PHP" and "secure" don't belong in the same sentence.

    tell me one language whose systems were never compromised?

    It's always the dev to be blamed, not the language.

  • @seenu said:

    @yoursunny said: "PHP" and "secure" don't belong in the same sentence.

    tell me one language whose systems were never compromised?

    It's always the dev to be blamed, not the language.

    Seriously.

  • yoursunny Member, IPv6 Advocate

    @seenu said:

    @yoursunny said: "PHP" and "secure" don't belong in the same sentence.

    tell me one language whose systems were never compromised?

    It's always the dev to be blamed, not the language.

    I coded the last system in Klingon. It hasn't been compromised so far.

  • jsg Member, Resident Benchmarker
    edited January 2021

    @seenu said:

    @yoursunny said: "PHP" and "secure" don't belong in the same sentence.

    tell me one language whose systems were never compromised?

    It's always the dev to be blamed, not the language.

    That's BS! You even started from the wrong point because it isn't about zero bugs or vulns vs many. The relevant question is about the likelihood of bugs.

    Plus: again BS! It's not "always its the dev to be blamed, not language" just like it's not always the carpenter; often it's the wrong tools.

    And no, that's not opinion but well studied fact with plenty evidence behind it.

    Just one example to demonstrate the point: a language can make it easy to create a buffer overflow -or- it can make it hard. In C for example it's easy and I came across such a bug just yesterday when looking at some code from a quite well respected developer (and trainer). OTOH some languages have a 'for each' or "for in" construct that drastically minimizes (virtually excludes) whole classes of buffer overflow errors.

  • raindog308 Administrator, Veteran

    @yoursunny said: "PHP" and "secure" don't belong in the same sentence.

    [image]

    You trust your web site with it.

  • raindog308 Administrator, Veteran

    @jsg said:
    Just one example to demonstrate the point: a language can make it easy to create a buffer overflow -or- it can make it hard. In C for example it's easy and I came across such a bug just yesterday when looking at some code from a quite well respected developer (and trainer). OTOH some languages have a 'for each' or "for in" construct that drastically minimizes (virtually excludes) whole classes of buffer overflow errors.

    PHP has foreach :-)

    Are scripting languages inherently less secure than compiled? Maybe in theory but that’s a long way from “you can make an HTTP request which breaks into my system”.

    Devs can write secure PHP. Its poor reputation comes from its ease of use (tons of junior devs) and that it operates in the biggest attack surface on the planet.

  • jsg Member, Resident Benchmarker

    @raindog308 said:
    Are scripting languages inherently less secure than compiled?

    Pretty much, yes.

    Maybe in theory but that’s a long way from “you can make an HTTP request which breaks into my system”.

    No. If you can't define your data properly you can't have safety & security. Plus there is no real verification possible.
    Facebook developed 'Hack' plus a completely new VM and then ported a gazillion lines of PHP code. And security was one of the major drivers.

    Devs can write secure PHP. Its poor reputation comes from its ease of use (tons of junior devs) and that it operates in the biggest attack surface on the planet.

    Yes and no. Yes, its bad reputation comes in part from its users but No, one can not really write secure PHP. "secure" means FAR more and is far more complex than what most developers think.
    Plus: looking closer you'll find that the hobby users are not the problem. The problem actually is hobby users playing with serious projects rather than mom and dad's web site.

    Look, what does "some code is secure" mean when you can not even verify that assertion? Nothing. Something in between a gut feeling and (usually very limited) testing.

    And indeed - and by no means surprising - PHP code, incl code from very experienced "developers" is among the most vulnerable.

  • PHP is so insecure that Slack, Facebook and other very very large organisations still use it!

  • @jsg said: Plus: again BS! It's not "always its the dev to be blamed, not language" just like it's not always the carpenter; often it's the wrong tools.

    That example is BS, we are comparing carpenter A to carpenter B, not carpenter A to tools.

    @jsg said: That's BS! You even started from the wrong point because it isn't about zero bugs or vulns vs many. The relevant question is about the likelihood of bugs.

    we are not talking about bugs here, we are talking about security.

    btw, PHP is the most dominant language for websites and if it was such a weak one... we would have heard 100(0000)s of hacked-website stories every day.

    @yoursunny said: I coded the last system in Klingon. It hasn't been compromised so far.

    with due respect, how many ppl are aware of your system and so far no vuln/hacks found in klingon?

  • jsg Member, Resident Benchmarker
    edited January 2021

    @seenu said:

    @jsg said: Plus: again BS! It's not "always its the dev to be blamed, not language" just like it's not always the carpenter; often it's the wrong tools.

    That example is BS, we are comparing carpenter A to carpenter B, not carpenter A to tools.

    Repeating your BS just in another form doesn't make it true.

    @jsg said: That's BS! You even started from the wrong point because it isn't about zero bugs or vulns vs many. The relevant question is about the likelihood of bugs.

    we are not talking about bugs here, we are talking about security.

    Oops, I forgot, security comes from a magic button ...

    btw, PHP is the most dominant language for websites and if it was such a weak one... we would have heard 100(0000)s of hacked-website stories every day.

    Bad premise plus bad conclusion plus bad interpretation.

    Whether websites are secure or not is not measured (besides by idiots) by the number of "websites stories". Besides if you knew anything about security you would have grasped that many, probably even most intrusions do not even get detected, in part because PHP "developers" think they'll get informed by "websites stories" in case they've been hacked (hahaha).

    @lukehebb said:
    PHP is so insecure that Slack, Facebook and other very very large organisations still use it!

    Uhm, sorry to disrupt your nice little dream world but Facebook has developed their own - and safer - "PHP" language plus their own VM because ... uhm ... PHP was/is so sh_tty and bad for security.

    Here are some FACTS about the languages actually used at the biggest sites - as opposed to your BS:

    Only 2 (Yahoo and Wikipedia) use PHP in the back end.

    (Edit: I can't promise to stay this friendly as I'm allergic to ... oh well, just look at my sig)

  • yoursunny Member, IPv6 Advocate
    edited January 2021

    @raindog308 said:

    @yoursunny said: "PHP" and "secure" don't belong in the same sentence.

    [image]

    You trust your web site with it.

    Yes, but visitors must do push-ups before they can access phpinfo();, so that attacks are more difficult.
    https://yoursunny.com/phpinfo.php


    @seenu said:

    @yoursunny said: I coded the last system in Klingon. It hasn't been compromised so far.

    with due respect, how many ppl are aware of your system and so far no vuln/hacks found in klingon?

    My system is running on the USS Enterprise, on exhibit in the Smithsonian Air & Space Museum in Washington DC. Millions of people see it in person every year, plus millions more see it on TV.

  • jsg Member, Resident Benchmarker

    @yoursunny said:
    Yes, but visitors must do push-ups before they can access phpinfo();, so that attacks are more difficult.

    Blabla. Follow your own wisdom. You know that PHP is sh_tty, so don't use it.

  • raindog308 Administrator, Veteran

    @jsg said: Yes and no. Yes, its bad reputation comes in part from its users but No, one can not really write secure PHP. "secure" means FAR more and is far more complex than what most developers think.

    You would consider the vast majority of programming languages to be insecure. C, C++, Go, Java, perl, python, PHP - you would say that one cannot really write secure code in any of them, correct?

    Even if we're only talking about scripting (interpreted) languages, then you would label Perl, Python, PHP, and Ruby as insecure.

    Perhaps this is true - but again I think there's a practical difference between something that can be mathematically proven to be secure and something that is secure in practice. PHP-based web sites are not falling over like dominos at the wave of a hand. Also, I don't think that competently-written PHP is less secure than Python or Perl.

    Perhaps in the real world, there is more poorly-written PHP out there - but then we're back to developers, not the language.

  • jsg Member, Resident Benchmarker

    @raindog308 said:
    You would consider the vast majority of programming languages to be insecure. C, C++, Go, Java, perl, python, PHP - you would say that one cannot really write secure code in any of them, correct?

    No, not correct. One can write secure code in C and Java (and to a lesser degree in C++). With those languages the problem is that it's hard, really hard to write correct, let alone secure code. But it can be done and it can be statically verified.

    Even if we're only talking about scripting (interpreted) languages, then you would label Perl, Python, PHP, and Ruby as insecure.

    Yes, to varying degrees, but yes.

    Perhaps this is true - but again I think there's a practical difference between something that can be mathematically proven to be secure and something that is secure in practice.

    There is no "secure in practice" without mathematical proof. There is, at best, "not obviously insecure".
    Look, vulnerabilities aren't (usually) created by programmers being bloody stupid; they are created by details, things like an index being one off or like a very rare and/or unforeseen case or combination, etc.
    So "secure in practice" basically boils down to "in all cases except rare ones we didn't foresee, cared about, didn't see, etc."

    PHP-based web sites are not falling over like dominos at the wave of a hand. Also, I don't think that competently-written PHP is less secure than Python or Perl.

    Hmmm ... I guess PHP and Perl are about at the same (bad, bad) level albeit for different reasons. Plus: It's not just about your competence, it's also about the competence of the PHP team and all the people who wrote libraries you use knowingly or not.

    Also keep in mind why and what for languages were created. Perl (if one is a pervert) and PHP may be and probably are OK for quickly hacking one-off scripts or very simple web sites. But starting from a certain (actually not that high) level the complexity of all parts reaches a level that humans simply can't wrap their head around, and static analyzers can do only so much. Really and properly statically analyzing something that will be interpreted is not something that we can reasonably do and do properly and well.
    I actually work with static analyzers and modelers and other formal tools pretty much on a daily basis and more often than not I actually need to use multiple tools because they have a rather tight focus.

    Finally keep in mind that most developers live by "good enough. Works OK" while hackers look specifically for what's in between "good enough" and "100% tight".
    For a mom and dad web site or the local pub's website - for which PHP was created - "good enough" and reasonably professional development in PHP or Perl are OK.

    But certainly not for a site holding for example the private data of thousands or even millions of people - which many sites nowadays do.

  • Hxxx Member
    edited January 2021

    @jsg Get proper knowledge before making further inaccurate statements. You don't even code in PHP and if you do you probably don't have enough experience. It's obvious nowadays that if a project is serious and PHP was the chosen language for the back-end, any competent developer would use a solid framework such as Laravel and follow best practices (for the current year).

    @yoursunny nice trolling.

  • @yoursunny said:

    @seenu said:

    @yoursunny said: "PHP" and "secure" don't belong in the same sentence.

    tell me one language whose systems were never compromised?

    It's always the dev to be blamed, not the language.

    I coded the last system in Klingon. It hasn't been compromised so far.

    Please provide source code.

  • jsg Member, Resident Benchmarker
    edited January 2021

    @Hxxx said:
    ... use a solid framework such as Laravel and follow best practices (for current year).

    Thanks for making me laugh! I particularly like your sumptuous use of the attribute "solid". But "best practices (for current year)" is also very funny.

  • @jsg
    I code with PHP, and I'd consider myself a newbie. So according to you I'd be part of the problem. I'm not here to criticize any side, I just wanna learn.
    What is the issue with PHP? Do you consider adding strict type declarations in PHP 8 a move in the right direction?

  • jsg Member, Resident Benchmarker

    @vovler said:
    @jsg
    I code with PHP, and I'd consider myself a newbie. So according to you I'd be part of the problem.

    No, not really. What I think is that newbies doing stuff above their level is a problem, particularly with PHP.

    Do you consider adding strict type declarations in PHP 8 a move in the right direction?

    Yes and no, mostly yes. The "no" part is due to PHP being rotten beyond repair IMO (but so are some other languages). You might also try 'Hack' from facebook (along with their VM) which basically is "PHP without the worst problems" and with gradual typing (meaning, you can but are not forced to properly type variables).
    While there, also have a look at their "infer" tool which is a (kind of primitive and minimal but) very easy to use analyzer that iirc also supports Hack (and maybe even PHP, I don't remember).
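The strict-types question raised above, as an added example that is not part of the thread and not anyone's posted code. It shows the two halves a practitioner needs to keep apart: what `declare(strict_types=1)` does (it stops scalar coercion at call sites in the file that declares it) and what it does not do (it leaves `==` alone, so numeric-looking strings are still compared as numbers). The token values are constructed sample data and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Names and sample values are hypothetical.
// Part 1: strict_types=1 makes PHP reject a string where an int is declared,
// in this file's calls, instead of silently coercing it as coercive mode does.
// Part 2: strict_types does nothing for the == operator, which still compares
// two numeric strings as numbers, so a byte-exact comparison is still needed.

function loadPost(int $id): string
{
    return "post #$id";
}

/** Under strict_types=1 this call throws TypeError; without the declare it would return "post #42". */
function callWithStringId(): string
{
    try {
        return loadPost("42");
    } catch (TypeError $e) {
        return 'TypeError: ' . $e->getMessage();
    }
}

// Constructed sample tokens of the form 0e<digits>. PHP's == treats both sides
// as numeric strings, parses each as the float 0.0, and reports them equal even
// though the bytes differ. Hash outputs of this shape do occur (the "magic
// hash" problem), which is why a stored hash or token must never be compared
// with == or in a switch.
const STORED_TOKEN = '0e462097431906509019562988736854';
const FORGED_TOKEN = '0e830400451993494058024219903391';

/** Vulnerable: loose comparison, unaffected by strict_types. */
function looseTokenCheck(string $submitted): bool
{
    return $submitted == STORED_TOKEN;
}

/** Correct: byte-exact and constant-time; use this for tokens, HMACs and hashes. */
function safeTokenCheck(string $submitted): bool
{
    return hash_equals(STORED_TOKEN, $submitted);
}

var_dump(callWithStringId());        // the TypeError message, not "post #42"
var_dump(looseTokenCheck(FORGED_TOKEN)); // accepted although the bytes differ
var_dump(safeTokenCheck(FORGED_TOKEN));  // rejected
```

Running this with `php strict-types.php` on PHP 8 gives a `TypeError` message for the first call, `true` for the loose check and `false` for `hash_equals`. The practical lesson is that strict types close one coercion hole (function arguments) but leave comparison, `in_array` without the strict flag, and `switch` semantics exactly as they were, so those still have to be written with `===` or `hash_equals`.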

  • You can't have security in PHP because by simple definition, it is being written by people who don't care about any computer science topic at all.

    Why bother with pointers, data buffers, memory safety, synchronization, or give 0 f** about expensive syscalls.

    You just write a script, cross your fingers and hope that the 7 million lines of Zend engine don't do anything stupid.

    A Go programmer, on the other hand, who cares about security, will have no problems reading the code paths of the ELF objdump, or putting a b* in gdb and bt-ing the stack. They will profile the most memory- and CPU-consuming functions with pprof. They will detect racy code with go test -race.

    You can't have security nor performance in PHP because it is written by users with other priorities.

  • Hxxx Member
    edited January 2021

    @Jona4s don't kid yourself, you clearly don't code in PHP. You are comparing Go with PHP, that's hilarious.

    If you knew what you were talking about you would compare Go with something like Python or even with Node( a Stretch) not with PHP.

    Now following your logic... why bother with Go, fuck that, go with C++. Nananana you know what... C++ is for pussies, let's go with Assembly because we care about performance. (See how stupid that sounds.)

    Show me the code and prove it's better.
    You can have bad code with any language and any framework. The language itself doesn't mean it is better or more optimized. Lots of you people making conclusions without "possibly" the experience.

  • jsg Member, Resident Benchmarker

    @Hxxx said:
    [the usual believer's talk defending his belief]

    @Jona4s is quite right. Simple as that. And, well noted, I'm not a go fan but as he correctly stated a go developer at least has a chance.

    Your view against Google's experience and gazillion servers and creating their own language? That's a fight you are bound to lose.
