JOB: LAMP Artisan

Matthew Frederico mfrederico at gmail.com
Fri Feb 21 14:49:11 MST 2014


...


> Eventually all of these projects were replaced with less vulnerable
> languages such as Python, Java and Node.
>

Thank you for saying "less vulnerable"; I can definitely appreciate that.
I would lean towards Node for what we are currently doing, however it's a
matter of personnel scaling to complete a lot of what is simply construed
as "non-public facing database interactivity."

Node is my option for revision 2 of what we are creating, however our
scaling model is not publicly accessible, but utilized as a service by our
clients.  I could be naive, but if a Fortune 500 company is 'sploiting some
gnarly MySQL injection via our PHP application, that doesn't seem too
professional...


> In the intervening years I've learned that PHP is good for a quick
> prototype to generate enough interest to get funding for a real project.
> Sorry but that's the truth as I see it from having spent the last decade
> and a half as a hired gun.
>

Perhaps.  To your point - I've been quite plugged into PHP for the past
decade as well and frankly have seen a couple of open source projects I've
written being exploited.  However, I chalk it up to learning, and don't
continue to make the same exploitable mistakes.  One can also argue that
there are plenty of businesses who choose PHP and don't fall prey to
exploitation.


> Nowadays 20% of my work involves moving companies and people off from PHP and
> onto something more secure, more scalable etc.
>

I would be interested in what direction you are headed with the other
80%?


> I would argue that a company will get more bang for its buck by leveraging
> what they already know.  If you have webdevs with strong JavaScript
> experience then Node is awesome.


Completely agree here - however, catching people up to speed on the subtle
differences in Node vs. web/JS is still something that we aren't quite ready
to train on.  Definitely in the future, however.


> If you've got serious engineers with Java
> or C++ then frameworks based on that are good; Python also seems to work
> well for these guys, although I've never been able to pick up strong
> proficiency in it.  Perl may still be a good contender: if you can grok the
> insane and arcane syntax, its performance will most times be far in excess
> of anything you'll achieve with PHP.  And then of course there's Ruby, but
> I won't get into that.
>

Perl - I still use it nearly every day.  I have it performing long-running
processing and it never fails me.  I find that it's fairly close to PHP in
terms of performance.


> In fact the fastest web service I ever built was built on top of Lua and it
> easily handled 300,000 queries per second in the real world.  This was
> about 5 years ago on a single box with a flat-file DB, an SSD drive and a
> crapton of RAM.  (crapton is a new unit of measurement, not a new particle)
>

Sheesh, that sounds extremely fancy!  Isn't World of Warcraft scripted via
Lua?


> Every project is a matter of picking the right tool for the right job.
>

Amen brother!


> Basing everything you do off from a combo of Linux, Apache, MySQL and PHP is
> going to give you vulnerabilities you can't even imagine.  And of course
> those vulnerabilities will scale as you try to scale.
>

Would you mind expounding on what vulnerabilities this stack would incur?


> I believe that the combination of MySQL and PHP should be considered
> anathema to good design practice for any company developing a modern
> infrastructure.  If you must go with PHP don't use MySQL as a backend.  If
> you must use MySQL don't use PHP as a front end.
>

Maybe I'm not understanding past the rhetoric - would you care to explain
why this is?


> So I stand by my earlier statement.  I've learned that MySQL/PHP is good
> for a quick prototype to generate enough interest to get funding for a real
> project.  Once you have that funding, an immediate move to something better
> is in order.
>

Funny, that's what I thought about Ruby on Rails...


> I do still like the language itself.  It's the implementation that sucks.
>

I like the language too.

So, to summarize, the message of what you are saying is:

You like PHP - a cautionary tale about taking care in your choice of RDBMS. < OK
Don't write crappy 'sploitable code in PHP or your crappy 'sploits will
scale. < TRUE

However, would it be fair to suppose I can s/php/java/ and
s/mysql/postgres/ and the message is the same?

Thank you for your time in your response,

-- Matt
