JOB: LAMP Artisan

keith smith klsmith2020 at yahoo.com
Mon Feb 24 07:56:10 MST 2014


Hi Dale,

You wrote "Every project is a matter of picking the right tool for the right job.
Basing everything you do off from a combo of Linux Apache, MySQL and PHP is
going to give you vulnerabilities you can't even imagine.  And of course
those vulnerabilities will scale as you try to scale.".

Can you be more specific about these vulnerabilities?

I've been doing LAMP professionally for 7 years with only one exploit.  That exploit was due to a poorly designed app that I had inherited AND it was a great learning experience.

I would think creating vulnerable code would be due to poorly designed applications and bad coding techniques. 

If you are using old school PHP programming techniques your code is probably vulnerable.  

I believe the following approach will keep you from being exploited.  

1) do not allow direct access to your code.  Create one entry point and all other files must reject direct access.  This way you control what data gets in and how it is processed.  This takes a different programming approach and mindset than just scripting.  I would write for days on this subject alone.

2) sanitize any outside data that is going to be processed within your application.

If you do these two things your LAMP app will more than likely be very secure.

Keith
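The two rules above, shown as an added PHP example that is not Keith's code or anything from the thread (file names, the DSN and the "users" table are assumptions; PHP 7.1 or later is assumed):

```php
<?php
// Added illustration, not code from the thread. Two files are shown back to
// back: index.php (the single entry point) and lib/user.php (a file that must
// refuse direct requests). File names, DSN and the users table are assumed.

// ===== index.php: the only script the web server should execute =====
define('APP_ENTRY', true);             // guard constant checked by every include

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

require __DIR__ . '/lib/user.php';

// Route only on a fixed list of actions; unknown values never reach any code.
$routes = ['user' => 'show_user'];
$action = $_GET['action'] ?? '';
if (!isset($routes[$action])) {
    http_response_code(404);
    exit('Not found');
}
$routes[$action]($pdo);

// ===== lib/user.php: rejects direct access, validates input, binds queries =====
if (!defined('APP_ENTRY')) {           // true only when this file is requested directly
    http_response_code(403);
    exit('Direct access denied');
}

function show_user(PDO $pdo): void
{
    // Validate outside data before use: it must be a positive integer or we stop.
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Bad id');
    }
    // Bound parameter: the value travels separately from the SQL text.
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = ?');
    $stmt->execute([$id]);
    $name = $stmt->fetchColumn();
    // Escape on output so stored data cannot inject markup into the page.
    echo htmlspecialchars($name === false ? 'unknown' : $name, ENT_QUOTES, 'UTF-8');
}
```

Keeping lib/ outside the document root adds a second layer to the guard constant, since the web server then cannot serve those files at all.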


On Friday, February 21, 2014 1:58 PM, S. Dale Morrey <sdalemorrey at gmail.com> wrote:

I used to be a master PHP programmer.  I had hundreds of projects under my
belt.
They were all designed with the very best practices of the day.

Then one project after another fell due to vulnerabilities.  Sometimes code
issues, sometimes weird SQL attacks that had been previously thought to be
"unpossible".
Eventually all of these projects were replaced with less vulnerable
languages such as Python, Java & Node.

In the intervening years I've learned that PHP is good for a quick
prototype to generate enough interest to get funding for a real project.
Sorry but that's the truth as I see it from having spent the last decade
and a half as a hired gun.

Nowadays 20% of my work involves moving companies & people off from PHP and
onto something more secure, more scalable etc.

I would argue that a company will get more bang for its buck by leveraging
what they already know.  If you have webdevs with strong Javascript
experience then node is awesome.  If you've got serious engineers with Java
or C++ then frameworks based on that are good, Python also seems to work
well for these guys although I've never been able to pick up strong
proficiency in it.  Perl may still be a good contender if you can grok the
insane and arcane syntax; its performance will most times be far in excess
of anything you'll achieve with PHP.  And then of course there's Ruby, but
I won't get into that.

In fact the fastest webservice I ever built was built on top of Lua and it
easily handled 300,000 queries per second in the real world.  This was
about 5 years ago on a single box with a flat-file DB an SSD drive and a
crapton of ram.  (crapton is a new unit of measurement, not a new particle)

Every project is a matter of picking the right tool for the right job.
Basing everything you do off from a combo of Linux Apache, MySQL and PHP is
going to give you vulnerabilities you can't even imagine.  And of course
those vulnerabilities will scale as you try to scale.

I believe that the combination of MySQL and PHP should be considered
anathema to good design practice for any company developing a modern
infrastructure.  If you must go with PHP don't use MySQL as a backend.  If
you must use MySQL don't use PHP as a front end.

So I stand by my earlier statement.  I've learned that MySQL/PHP is good
for a quick prototype to generate enough interest to get funding for a real
project.  Once you have that funding, an immediate move to something better
is in order.

I do still like the language itself.  It's the implementation that sucks.


On Fri, Feb 21, 2014 at 1:20 PM, Matthew Frederico <mfrederico at gmail.com> wrote:

> On Fri, Feb 21, 2014 at 1:03 PM, Tod Hansmann <plug.org at todandlorna.com> wrote:
>
> > Do you have to LOVE PHP?  Can you just have an understanding of its
> > usefulness as a tool despite the terrible language it is implemented as,
> > thus enjoying building things with it as opposed to enjoying it in and of
> > itself?  =cP
> >
> > I know, I'm a bad man.
> >
>
> Dear Tod,
>
> Not *loving* php doesn't make you a bad man .. well, not too much :-)
>
> Yes - it's not a perfect programming language like node, but compared to
> GWBasic or Java - (</me ducks>) its shortcomings are outweighed by its low
> footprint, ubiquitous install base and easy to pick up grammaticals.  Thus,
> like the hammer of Thor - In the right hands "the php" can be a powerful
> force to do good.  Just like every other language with a cult-like fan
> base.
>
> So perhaps you are right - Loving what it does, not necessarily what it is.
>  (Love the sinner, not the sin?)
>
> Best Regards,
>
> - Matt
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>
