In Defence of PHP - Stephen Rees-Carter - NDC Security 2023

  • Published: 19 Apr 2023
  • PHP is, in my humble opinion, unfairly treated within the security community. Sure, there are a lot of examples of vulnerable PHP code floating around, and outdated WordPress is definitely an easy target, but modern PHP apps are secure and the PHP community does care a lot about security. So I want to take you on a journey from the early days of PHP through to now, looking at different frameworks that have come and gone and where the current state of security is in PHP. I may even defend modern WordPress… maybe…
    Check out our new channel:
    NDC Clips:
    @ndcclips
    Check out more of our featured speakers and talks at
    ndcconferences.com/
    ndc-security.com/
  • Science

Comments • 59

  • @neptronix 10 months ago +15

    Still love PHP after 15 years of using it here. I missed what came before PHP 5.2 though... Thanks for the backstory!

  • @sadboisibit 6 months ago +9

    I've used PHP for ~10 years and I've been on the receiving end of PHP hate. It seems to always come from people who have spent their entire careers working in 1 language. I've started to use PHP a little less nowadays though. I find I prefer Go for MPAs but I don't think I'll ever leave PHP when it comes to API development. PHP + Laravel's request validator is the GOAT. I've yet to find something even 1/2 as good for other languages.

  • @alexandruaxentioi3006 7 months ago +6

    Nice talk! As a 7-year front-end guy, I got exhausted with all the BS from the FE ecosystem. Much of it is nice, but the thought framework was too young (React, Vue, Svelte) and they're all moving into the SSR & SSG stuff right now. I learned PHP with Livewire and Filament a while ago; I hadn't been more satisfied with my applications until I tried this.

  • @miguelgd1985 9 months ago +10

    Great talk. PHP & Laravel/Symfony are amazing today ❤

  • @SkywalkerWroc 5 months ago +2

    Great, much-needed lecture.
    Shame that 90% of people to ever see it will be current or former PHP devs :(
    Spread the word, people!

  • @drarko91 8 months ago +2

    I have been on a long, long journey since those youthful days of amusement with phpBB, PHP-Nuke, various CMSes and the first generation of PHP frameworks... I want to get back home, at least for a bit, to see what is happening right now :P

  • @rcnhsuailsnyfiue2 9 months ago +2

    Great talk. Funny seeing some of the comments here, so many people just throwing shade without having watched even the first few minutes. Really proves your point!

  • @TheRafark 1 year ago +13

    Good points. I think you should have talked about modern features like rich support for classes and types, which set the language apart from other popular dynamic/scripting languages.

    • @StephenReesCarter 1 year ago +6

      Agreed that they are important features, but the talk was aimed at security folks, rather than devs. So I focused on security features. 🙂

  • @abdmuhaimin 8 months ago

    Thank you very much.

  • @rrd_webmania 7 months ago

    I am happy to see CakePHP examples. That is my go-to framework.

  • @joeunderwood8973 18 days ago

    27:53 injecting variables into SQL is not a security vulnerability if it is properly escaped, which it appears to be. So what is the vulnerability?
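The distinction behind this question, as an added PHP example that is not from the talk or the commenter: escaping protects a value only while it sits inside a quoted string literal; the same escaped value interpolated without quotes (the `WHERE id = $id` pattern) is still parsed as SQL, which is why a bound parameter is the safe default. It assumes PHP with the pdo_sqlite extension and uses a constructed in-memory table; `escapeForSqliteLiteral` and `makeDb` are helpers written for this example.

```php
<?php
// Added example (not from the talk or the comment). Three ways of getting an
// untrusted value into a query, run against a constructed in-memory SQLite table.
declare(strict_types=1);

// The classic manual escape for SQLite string literals: double every single quote.
function escapeForSqliteLiteral(string $value): string
{
    return str_replace("'", "''", $value);
}

function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
    return $pdo;
}

// Constructed untrusted input, e.g. a query-string parameter that should be a single id.
$untrusted = '1 OR 1=1';
$pdo = makeDb();

// 1. Escaped and placed inside a quoted string literal: the escaping does its job,
//    because the only way out of a literal is a quote, and every quote was doubled.
$sql = "SELECT COUNT(*) FROM users WHERE name = '" . escapeForSqliteLiteral($untrusted) . "'";
echo "quoted + escaped:   ", $pdo->query($sql)->fetchColumn(), " matching row(s)\n";

// 2. Escaped but interpolated without quotes, the common `WHERE id = $id` pattern:
//    the input contains no quote for the escaper to touch, so it is parsed as SQL
//    and the WHERE clause no longer restricts anything.
$sql = "SELECT COUNT(*) FROM users WHERE id = " . escapeForSqliteLiteral($untrusted);
echo "unquoted + escaped: ", $pdo->query($sql)->fetchColumn(), " matching row(s)\n";

// 3. Prepared statement with a bound parameter: the value travels as data and is
//    never parsed as SQL, whatever its context, quoting or the database's escape rules.
$stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE id = :id');
$stmt->execute([':id' => $untrusted]);
echo "prepared statement: ", $stmt->fetchColumn(), " matching row(s)\n";
```

Whether the code at the timestamp is safe therefore depends on the context the escaped value lands in, not on the escaping alone.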

  • @SXsoft99 9 months ago +4

    That quote "you can shoot yourself in the foot with any language" is just so true, yet people don't seem to understand it, and I've met a lot of people that did it, especially at my last job where they used Java yet got hacked all summer.
    One could argue people in the Java world don't understand what language progression is all about because they stopped upgrading after Java 8 due to the lack of speed gains and features.
    People in the JS world are all about the trendy new stuff and how easily I can put a lambda function on AWS, but those are the people that aren't paid to understand that it will kill your client's wallet (and this only works because clients are willing to pay even if they had alternatives).

    • @raident29 4 months ago +1

      People who use AWS Lambda don't have the skills to set up a secure server on AWS EC2 and set up their application on a server instance.

  • @deathlife2414 10 months ago +5

    I don't get it. I am currently learning PHP on my own, and when I tell my friends I am learning it they say don't learn it, and when I ask them why? No response.

    • @eboubaker3722 10 months ago +2

      Ignore that. Learn it, and maybe learn Laravel; if you like it, you can search for a job normally.

    • @deathlife2414 10 months ago

      @eboubaker3722 Laravel sucks. When I tried installing it with Composer it gave me an error message, and Docker takes forever to install Sail. I prefer pure PHP.

    • @eafadeev 9 months ago

      I'm currently learning PHP because I need to maintain a legacy app; I don't see any other motivation for it. PHP is only for the web. Even if the current iteration of the PHP language is great, I'd rather choose a language that is widely used in many other fields; I'd apply the same reasoning to Ruby/Rails. These days I'd choose Python, JS or Rust.

    • @deathlife2414 9 months ago +1

      @eafadeev Yes, you are right: using PHP for the web makes sense as it is made for it, but if you want more from the language you should use other languages.

    • @longbranchgooberdapple2238 1 month ago

      @eafadeev IMO for web PHP has the best frameworks atm. You can learn a lot about proper structuring and the balance between complexity and flexibility from Laravel and similar modern frameworks, which will be useful in any app.
      Also, a language is just a tool. With a bit of experience you can switch between languages relatively easily. Core concepts are more or less the same all across the board.
      And PHP has its own "spill into the other side" versions. For instance, with Livewire you can write JavaScript-free-ish code. You can also wrap your PHP app and release it as a desktop app, pretty much the same way as for JS apps.

  • @matimon 9 months ago +1

    Curious that there wasn't a single mention of Magento, which is a beast of a framework with a very loaded and interesting history.

    • @SXsoft99 9 months ago +1

      Mostly because it's used for online shops and people hate it because of the caching system, aaaaand you can argue it's more of an enterprise thing.

    • @edewaal97 6 months ago

      Magento was acquired by Adobe in May 2018. It was rebranded to Adobe Commerce as of April 2021.

  • @raident29 4 months ago

    I've watched him on Laracasts! He's focused on PHP security there.

  • @x--. 8 months ago +2

    Appreciated the talk, well done.
    PHP was the easiest stepping stone to leap toward for those outside the funnel of higher education, especially with WordPress there to make it possible to do "great" things quickly. Other options just couldn't compete as far as I could tell (and the numbers speak). It was the tool that fit the need, more or less.
    For my part, having to use PHP during those messy years was incredibly difficult and left too many hours of frustration when trying to fix or extend something. Is PHP still like this? Well, it sounds like much progress has been made, but I still feel trepidation.
    What does PHP do better than other languages and frameworks? PHP will have a legacy for a long time regardless, and I honestly can't say what would be best for starting a project (other than "use what you already know"). Interesting talk, and glad to hear PHP has grown up a bunch.

  • @FunctionGermany 1 year ago +4

    Does PHP have an answer to tRPC?

  • @dustsucker4704 9 months ago +3

    PHP is great until you need a $variable. Jokes aside, I work with PHP, Svelte and Tailwind CSS professionally now and I really like it. The only problem I see is that it has lost in terms of frontend development. It's just easier to build a Vue or Svelte app and have interactivity out of the box with little to no effort. I would like a Svelte version with PHP as a backend and data provider, so: write Svelte, get data from PHP would be ideal. You would have the best of both worlds: powerful client-side JS and great backend capabilities.

    • @andersk 1 month ago

      You can use Vue as the frontend and PHP as the backend by using Laravel.

    • @scott_itall8638 1 month ago

      Livewire is pretty good.

  • @jeremystone6433 2 months ago

    From what I heard, PHP = freelance, and I'm just not emotionally built for that kind of rollercoaster ride.

  • @bestopinion9257 3 months ago +2

    So PHP is not dead because 78% of sites use it, most of them via WordPress.
    And PHP's bad reputation is because of WordPress and its users.

  • @xdreucker 9 months ago +4

    PHP + Symfony = Prograsm!

    • @arunabraham9382 8 months ago

      PHP + Symfony + Roadrunner -> Paradise

    • @tekki.dev. 6 months ago

      PHPgasm!!!

  • @rrd_webmania 7 months ago

    As a PHP developer for 10+ years I had to do some research on why PHP is disliked. 🤪

  • @TheBuzzSaw 1 year ago +7

    The fractal-of-bad-design post is indeed outdated by now, but I find it interesting that the speaker says it was "half wrong" even at the time it was written. I was a PHP dev back in the day, and I found that post to be spot on. It echoed many of my complaints about the language and ecosystem. I'd be interested to hear what this person thinks was wrong even back in 2012.
    The meta problem with defending PHP as a language/syntax is that it suggests that there is no such thing as code quality. Kudos to all the PHP devs who have learned to dodge its pitfalls, but it's hard to argue that PHP syntax (much like that of JavaScript) wouldn't substantially benefit from a complete reboot. I'm actually sad no one has considered this. Why not make a new language that keeps the good parts (stateless request scripts, etc.) and dumps all the bad things?

    • @rcnhsuailsnyfiue2 9 months ago

      I feel similarly re the Fractal of Bad Design blog post; I do remember agreeing with much of it back in the day. But I'm thankful to be enjoying so many more improvements to the language today. Having said that, I'm curious to know what specifically you'd drop from the language if it were to reboot the syntax? I think a PHP 'superset' language which compiles down to pure PHP (a la TypeScript) could be an interesting idea.

    • @JamesPower 1 month ago

      I had hopes for Hack, but that went nowhere. I couldn't convince PHP devs who disliked PHP to try it 😂

  • @haxwithaxe 9 months ago

    Nice history of PHP and overview of things around it. I didn't hear anything beyond the unsupported dismissal of the entirety of "Fractal of Bad Design" in the way of defense. Going through that point by point would take half your time so I didn't expect you to do that. Some actual defense of the language rather than talking up the stuff piled on top of it would have been nice though.
    I've written in PHP in the distant past but I had no idea it was such a dumpster fire back then. Still not great. Definitely not my language of choice for green field development. Too much of the "Fractal of Bad Design" stuff still applies to the base language despite what the speaker says (look at evidence based revisits of it by people defending PHP). It really needs a lot of work still before it's ready for use without frameworks and/or strict style guides covering over the foot-guns. The language itself should be consistent enough and predictable enough that developers have to try to do stupid stuff in order to do stupid stuff. Python for instance doesn't have *much* in the way of unexpected or inconsistent behavior. It's got problems too (like the GIL), but not many and *generally* esoteric and obscure rather than in commonly used comparison operators and types. You can find examples in an article called "Common Gotchas - The Hitchhiker's Guide to Python".
    No language is perfect but PHP on its own is still bad in a lot of ways. I would class C and C++ with PHP in terms of needing substantial additional structure to be used without shooting yourself in the foot easily. If Python or Node.js or Ruby are too slow there's Go and Rust and Java (which are faster than PHP by a lot). All of those have their downsides but not as many as PHP. All of those have some form of asynchronous processing abilities and are good for more than just web backends.

  • @albanx1 16 days ago

    You know what is funny: in the same era, 98-04, almost all languages sucked, but PHP was too popular, and that is why it got the hate.
    PHP is way more handy than other languages for web apps.

  • @sonoftroy8572 3 months ago

    People run away from understanding the server, that’s why they talk trash on PHP. Or they just want to be lazy by not doing the hard work of learning the whole ecosystem.

  • @JamesPower 1 month ago

    I hate PHP, but Laravel is amazing.

  • @atmian 4 months ago

    Very good info but FYI it's spelled Defense.

  • @MarceloDezem 2 months ago +1

    In defence of PHP:
    No!

  • @njuniorba 1 year ago +4

    Is there still PHP? 😂😂

    • @indorock 1 year ago +23

      Are you living under a rock?

    • @gergolehoczki7910 1 year ago +16

      Bruh, almost the whole Internet is restin' in PHP

  • @MarceloDezem 1 year ago +12

    "In defence of PHP".
    The amount of effort spent over the years in 'defending PHP' for this or that issue is just not worth it.
    PHP is flawed on so many levels that you'll be better off learning another language from scratch.

    • @azomich 1 year ago +17

      I guess every language has its purpose and role in this world. PHP is really good for the web. Its package and tooling systems are quite big.

    • @TheRafark 1 year ago +20

      It's less flawed than JavaScript, which is not as mocked as PHP.

    • @indorock 1 year ago +28

      The whole PHP hate bandwagon is so funny in 2023. Like all bandwagons, most people don't understand why they are on it. People who mock it in 2023 likely have not used it in the past 10 years, if at all. PHP 8 is a totally different beast from < PHP 5. Aside from being fully-fledged OO, strongly typed (optional but still present), with accessible and easy-to-implement multithreading via the pThreads module, it puts security above performance out of the box, but performance has also skyrocketed between versions 7 and 8. Combined with the right framework it's probably the best option for a web-focused programming language with quick turnaround.
      The only reason these "in defence of PHP" videos exist at all is to wake people up to the fact that PHP has come a super long way, but they haven't been paying attention.

    • @celyesferrari8129 1 year ago +16

      Man... JS is way more flawed than PHP yet is less mocked... I guess you either have never used PHP or you stopped using it 10 years ago... PHP now is a completely different language from what it has been.

    • @petronetto 1 year ago +2

      It needs a lot of effort because of people like you, who read the title and vomit that "PHP is flawed". I bet you can't even point out what these "flaws" are.