JOB: LAMP Artisan

Dan Egli ddavidegli at gmail.com
Mon Feb 24 02:56:22 MST 2014


On February 21, 2014, Matthew Frederico wrote:

>> Basing everything you do off from a combo of Linux Apache, MySQL and PHP
is

>> going to give you vulnerabilities you can't even imagine.. And of course

>> those vulnerabilities scale as you try to scale.



> Would you mind expounding on what vulnerabilities this stack would incur?



Something else I'd be curious to see. Although I don't personally use MySQL
much at all any more I'd be curious to hear more about the problems you've
faced using this combination. As I said just a moment ago in another
message, I generally use a LAPP architecture vs. LAMP (the P being
PostgreSQL vs. MySQL). I'll grant most of my projects are small time and
aren't used world wide (or at least, not by a large percentage of the web,
although the users may be all over the world), but I haven't had any
programs having vulnerabilities exploited. Perhaps it's careful coding and
SQL statement phrasing. Perhaps it's something else, but I've had nary a
complaint from anyone that I've ever done PHP work for, nor did my own PHP
code give me any issues.


--- Dan


On Sat, Feb 22, 2014 at 2:28 AM, S. Dale Morrey <sdalemorrey at gmail.com>wrote:

> I used to be a master PHP programmer.  I had hundreds of projects under my
> belt.
> They were all designed with the very best practices of the day.
>
> Then one project after another fell due to vulnerabilities.  Sometimes code
> issues, sometimes wierd SQL attacks that had been previously thought to be
> "unpossible".
> Eventually all of these projects were replaced with less vulnerable
> languages such as Python, Java & Node.
>
> In the intervening years I've learned that PHP is good for a quick
> prototype to generate enough interest to get funding for a real project.
> Sorry but that's the truth as I see it from having spent the last decade
> and a half as a hired gun.
>
> Now days 20% of my work involves moving companies & people off from PHP and
> onto something more secure, more scalable etc.
>
> I would argue that a company will get more bang for it's buck by leveraging
> what they already know.  If you have webdevs with strong Javascript
> experience then node is awesome.  If you've got serious engineers with Java
> or C++ then frameworks based on that are good, Python also seems to work
> well for these guys although I've never been able to pick up strong
> proficiency in it.  Perl may still be a good contender if you can grok the
> insane and arcane syntax it's performance will most times be far in excess
> of anything you'll achieve with PHP.  And then of course there's Ruby, but
> I won't get into that.
>
> In fact the fastest webservice I ever built was built on top of Lua and it
> easily handled 300,000 queries per second in the real world.  This was
> about 5 years ago on a single box with a flat-file DB an SSD drive and a
> crapton of ram.  (crapton is a new unit of measurement, not a new particle)
>
> Every project is a matter of picking the right tool for the right job.
> Basing everything you do off from a combo of Linux Apache, MySQL and PHP is
> going to give you vulnerabilities you can't even imagine.  And of course
> those vulnerabilities will scale as you try to scale.
>
> I believe that the combination of MySQL and PHP should be considered
> anathema to good design practice for any company developing a modern
> infrastructure.  If you must go with PHP don't use MySQL as a backend.  If
> you must use MySQL don't use PHP as a front end.
>
> So I stand by my earlier statement.  I've learned that MySQL/PHP is good
> for a quick prototype to generate enough interest to get funding for a real
> project.  Once you have that funding ,an immediate move to something better
> is in order.
>
> I do still like the language itself.  It's the implementation that sucks.
>
>
> On Fri, Feb 21, 2014 at 1:20 PM, Matthew Frederico <mfrederico at gmail.com
> >wrote:
>
> > On Fri, Feb 21, 2014 at 1:03 PM, Tod Hansmann <plug.org at todandlorna.com
> > >wrote:
> >
> > > Do you have to LOVE PHP?  Can you just have an understanding of its
> > > usefulness as a tool despite the terrible language it is implemented
> as,
> > > thus enjoying building things with it as opposed to enjoying it in and
> of
> > > itself?  =cP
> > >
> > > I know, I'm a bad man.
> > >
> >
> > Dear Tod,
> >
> > Not *loving* php doesn't make you a bad man .. well, not too much :-)
> >
> > Yes - it's not a perfect programming language like node, but compared to
> > GWBasic or Java - (</me ducks>) its shortcomings are outweighed by its
> low
> > footprint, ubiquitous install base and easy to pick up grammaticals.
>  Thus,
> > like the hammer of Thor - In the right hands "the php" can be a powerful
> > force to do good.  Just like every other language with a cult-like fan
> > base.
> >
> > So perhaps you are right - Loving what it does, not necessarily what it
> is.
> >  (Love the sinner, not the sin?)
> >
> > Best Regards,
> >
> > - Matt
> >
> > /*
> > PLUG: http://plug.org, #utah on irc.freenode.net
> > Unsubscribe: http://plug.org/mailman/options/plug
> > Don't fear the penguin.
> > */
> >
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>


More information about the PLUG mailing list