What language is Stallion control panel written in? - Page 2

Comments

  • @vapornode

    I don't know about php7 but from what I've seen in earlier versions - php is a bloated pile of "it just works" patchwork monstrosity.

  • trewq Administrator, Patron Provider

    @Stevie said:
    @vapornode

    I don't know about php7 but from what I've seen in earlier versions - php is a bloated pile of "it just works" patchwork monstrosity.

    Generally that's what a lot of code is when multiple people are working on it with different deadlines. However that doesn't make it inherently insecure.

  • @vapornode said:
    PHP isn't inherently insecure. Some people just don't know how to use it.

    All languages aren't really inherently secure

  • @trewq I just gave up on php, even though it is an easy language and I am most familiar with it but because of how bloated it is I say F it, I'd rather use lua or some other smaller language.

    I cannot comment on if php is secure, I don't know c and even if I did I don't have the time to review a million lines of code.

    But I understand what you're saying, if you config php.ini right and make your php scripts as secure as possible then php can be fine.

    A bit more on topic, most vps panels that use php also use bash with the php scripts, isn't that a security risk?

  • @Stevie Again depends on how it's implemented. Ideally the panel will use a daemon to execute instructions on the server but not everything is made that way unfortunately.

  • @Zen said:

    vapornode said: PHP isn't inherently insecure. Some people just don't know how to use it.

    https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/

    That article is largely about inconsistencies and poor execution which I do not disagree with. The few paragraphs it does have about security are all for issues that can be remedied by someone who has formal PHP experience or with patches for critical bugs.

    My comment still stands. PHP might not be the best choice but it is a viable one.

  • raindog308 Administrator, Veteran

    Yes, php is garbage.

    One can write excellent, secure apps using php, but one can also make art from discarded refuse. I have yet to meet someone who is in love with php.

    vapornode said: Ideally the panel will use a daemon to execute instructions on the server but not everything is made that way unfortunately.

    That's just an efficiency choice, not necessarily a secure one, though yeah that's probably how I would proceed. Security is all about

    • not making any assumptions

    • checking all input with a default-refuse policy. And as OpenBSD's fuzzers showed, the amount of code (even in decades-old libc!) that can't deal with input it isn't expecting is huge.

    • checking all errors and handling them, all the way up and down

    • being very sensitive to translation boundaries: SQL, shell, etc. Whenever you're taking one symbol set and getting involved with quoting, translating, parsing, etc., dangers abound.

    etc. Honestly, writing secure code is not fun. The 4-line "how to GET from an API and insert it into MySQL" copy/paste you do from StackExchange turns into 30 lines by the time you handle every possible error, sanitize all inputs, and check that everything is sane.

    Of course, many programmers who prioritize time over safety just stop after the copy/paste...

    And now I'm wondering if @Francisco is enjoying sitting back, watching everyone speculate about his handiwork. My personal speculation is that it's actually a cracked copy of the Solus V2 pre-beta, with a bunch of pony ascii art in comments.

    Another homegrown panel here is @KuJoe 's Wyvern, which I believe is written in php, though I don't know if there was any framework involved. He had it security-audited by a third party.
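
Added example, not part of the thread and not code from any panel discussed in it: the default-refuse input check, error handling and shell "translation boundary" points from the post above, applied to the PHP-calls-a-shell-helper pattern raised earlier in the thread. The action names and VM id format are assumptions, and `/bin/echo` stands in for a hypothetical helper binary so the script runs as is.

```php
<?php
declare(strict_types=1);
// Hypothetical helper binary; /bin/echo stands in so the example runs anywhere.
const VM_TOOL = '/bin/echo';
// Default-refuse: only these actions exist as far as the panel is concerned.
const ALLOWED_ACTIONS = ['start', 'stop', 'reboot'];

// The pattern being replaced, kept as a comment: request data is pasted into
// a shell string, so the shell, not the panel, decides where arguments end.
//   shell_exec("vmctl " . $_POST['action'] . " " . $_POST['vmid']);

function buildVmArgv(string $action, string $vmId): array
{
    if (!in_array($action, ALLOWED_ACTIONS, true)) {
        throw new InvalidArgumentException('action not allowed');
    }
    // Whole-string match, digits only, bounded; \z (not $) rejects a trailing newline.
    if (preg_match('/\A[0-9]{1,6}\z/', $vmId) !== 1) {
        throw new InvalidArgumentException('vmid must be 1-6 digits');
    }
    return [VM_TOOL, $action, $vmId];
}

function runVm(string $action, string $vmId): string
{
    $argv = buildVmArgv($action, $vmId);
    // An array command (PHP 7.4+) is executed directly, with no shell in between.
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start helper');
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    array_map('fclose', $pipes);
    $code = proc_close($proc);
    if ($code !== 0) {
        throw new RuntimeException("helper exited $code: " . trim((string) $err));
    }
    return trim((string) $out);
}

// Constructed inputs: one valid request, two that must be refused.
foreach ([['start', '101'], ['start', '101; id'], ['destroy', '101']] as [$a, $id]) {
    try {
        echo runVm($a, $id), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'refused: ', $e->getMessage(), PHP_EOL;
    }
}
```

The validation runs before any process is started, and the non-zero exit path is an exception rather than an ignored return value, so a caller cannot treat a failed helper run as success.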

  • raindog308 said: Another homegrown panel here is @KuJoe 's Wyvern, which I believe is written in php, though I don't know if there was any framework involved. He had it security-audited by a third party.

    ahhh i do not qualify as panel i guess but i have an automated CLI interface to Proxmox (w/ automatic templates and user-files as AWS has) happily used by like 20 people :')

  • Francisco Top Host, Host Rep, Veteran

    Very limited amounts of stallion are written in C, it's mostly PHP with some wrappers I wrote where needed.

    Frontend is Bootstrap v2 and a bunch of frontend stuff I wrote. I want to update the frontend in the new year, likely get a new interface built.

    Francisco

  • KuJoe Member, Host Rep

    @raindog308 said:
    I have yet to meet someone who is in love with php.

    Another homegrown panel here is @KuJoe 's Wyvern, which I believe is written in php, though I don't know if there was any framework involved. He had it security-audited by a third party.

    I genuinely like PHP. :) And yes, Wyvern is 99% PHP with some shell scripting on the server side.

    Thanked by 2: GCat, netomx
  • I vacillated between vomiting and laughing when I read that.

    Thanked by 2: GCat, doghouch
  • CI is the best :)

  • ricardo Member
    edited November 2016

    Zen said: https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/
    In C, functions like strpos return -1 if the item isn’t found. If you don’t check for that case and try to use that as an index, you’ll hit junk memory and your program will blow up. (Probably. It’s C. Who the fuck knows. I’m sure there are tools for this, at least.)

    I'd come across something that noted the # of programmers in the world roughly doubles every 5 years, meaning half of programmers don't have much experience. Some of his points are valid shortcomings, some just point out his own lack of experience.

    He then suggests things like 'Django', 'Flask' and 'Pyramid' as a kind of alternative. Wordy-meh-fecker likes his abstracted-even-more-over-the-top frameworks.

    Thanked by 1: GCat
  • ricardo Member
    edited November 2016

    Python probably is more beautiful by popular opinion, and I agree PHP probably isn't the best way to introduce someone to 'programming'. Learning about computer architecture, networking, data structures, popular algorithms... the metal, the protocols and the maths seems like the best way to a good understanding IMHO.

    For anyone of adequate competence, PHP is fine. Python and many other languages too. I'm sure the conversation has been done a million times elsewhere. Uninformed bashing can be a bit of a pain in the arse, though.

  • raindog308 Administrator, Veteran

    ricardo said: Python probably is more beautiful by popular opinion, and I agree PHP probably isn't the best way to introduce someone to 'programming'. Learning about computer architecture, networking, data structures, popular algorithms... the metal, the protocols and the maths seems like the best way to a good understanding IMHO.

    Dijkstra said a computer science student shouldn't be allowed to touch a machine for the first two years. I think most college-age people today would be confused by that statement, but really, computation is a science.

    Then again, doing web UI design is not and we know which pays better, so...

  • Indeed RE: what pays.

    It makes sense someone like Dijkstra would say that. Back then all computer 'operators' were highly qualified, most likely mechanical engineers. The barrier to entry is a lot lower. Not necessarily a bad thing, but certainly the pioneers know about the fundamentals laid out by Turing etc.

  • joepie91 Member, Patron Provider
    edited November 2016

    Sigh, not the "it's not an inherently insecure language" crap again.

    Yes, PHP is inherently insecure. You know why? Because the only metric that really matters in language security is how easy it makes it for a developer to fuck up. For PHP, the answer is "very easy", because it's a patchwork of poorly designed APIs full of footguns. For C, the answer is also "very easy", because it requires manual memory management that's really easy to screw up.

    I'm not going to claim that every other language is somehow magically "secure". But this myth that language design is not a factor in security really needs to die. It's just a shit excuse to justify use of a broken tool, by making the heavy implication that if software is insecure, it must be that other developer at fault.

    Imagine your tool of choice turns out to be a poor choice. Can't have that!

    </rant>

    Thanked by 2: Zen, GCat
  • Your outspokenness is always amusing.

    Thanked by 1: GCat
  • @ricardo said:
    Indeed RE: what pays.

    It makes sense someone like Dijkstra would say that. Back then all computer 'operators' were highly qualified, most likely mechanical engineers. The barrier to entry is a lot lower. Not necessarily a bad thing, but certainly the pioneers know about the fundamentals laid out by Turing etc.

    Heh. Turing.

    Thanked by 1: GCat