The recent post about what people are using for webmail got me thinking about a perhaps irrational policy I have with my own self-hosted software: I don’t install anything written in PHP, because I have this vague notion that PHP software is often insecure. I think I probably got this idea because years ago I saw all the vulnerabilities in PHP webmail clients and PHP software like Wordpress and decided that it was the language’s fault—or at least a contributing factor.
Maybe this isn’t fair. Maybe PHP is just more accessible to new devs and so they’re more likely to gravitate to it and make security mistakes. Maybe my perception isn’t even accurate, and webmail / blog software written in other languages is just as bad—but PHP gets all the the negative attention because it’s so prevalent for web apps. Maybe my policy was a good idea, years ago, but now it’s just out of date.
To be clear, I’m not trying to stoke the flames of a language holy war here or anything. I’m honestly asking: Is it maybe time to revisit my anti-PHP policy? I’m looking longingly at some federated software like Pixelfed and wondering if maybe I’m just being a little too close-minded.
So I’m interested in your own experiences and polices here. Where do you draw the security line for what you will or won’t host, and what made you make that choice?
Language where use of uninitialized variable is warning ( not a core dump) should not be used. IT mostly in the past for modern PHP, but bad programmers habits remains. I have seen so horribly written PHP project, so i prefer to stay away.
Easy solvable. Develop in strict mode with all notices enabled. Should be the default for any developer.
Thanks for weighing in. That’s historically been my take as well, although as of this thread I’m starting to wonder if modern PHP can be better and/or particular projects can be.
My opinion that language have changed, but people who use it are mostly same. Anyone who starting working in WebDev now will not use PHP, it is no longer a good tool. Like perl, it is still around, lots of software depends on it. But hardly any new stuff will be written on it. And it is programmers who define quality of the code, if you learn to code on language which promote bad practice it is really hard to change.