What's wrong with PHP?
June 22, 2006 1:52 PM
Are PHP/mySQL applications inherently insecure and unstable?
In my work I often have to try out new (to me and my company) web applications, and assess their suitability for our needs. Many of the applications I am trying out are open source, PHP/MySQL based, such as Moodle, WordPress and MediaWiki. They all seem to work well and I'm quite happy with them. But I am constantly being told by people (our own IT dept, consultants, our ISP etc.) that they are badly written, incompatible with MS systems, unreliable, security risks etc. etc. Our IT dept will not support them, our ISP will not host them (they use ASP). Is this just unfounded prejudice, or should I be more aware of potential problems these apps may cause in a business environment? If the former, what arguments will best make my case?
There are two camps in the world of webapps: Microsoft and Open-Source.
Microsoft advocates want to use .Net for everything, and claim that everything else is insecure and completely unsupportable.
Open-source advocates want to use either PHP, Ruby, Perl::Mason, or whatever the new flavor of the week is to write an application, and back it with Postgres or MySQL all running on a Linux server. They claim that anything else is kludgy, insecure ("look at all the patches MS releases!"), unstable, and slow.
The problem is that it's a religious debate. There's data that both sides can use to "prove" their point, and it comes down to personal preference. The truth is that both are decent platforms from which to write an application, and the one that your IT department or other hired guru is more familiar with is the best. The worst thing for an IT department to do is kludge together its environment with a bunch of systems running different operating systems.
FWIW, you can run PHP/Apache on a Windows server.
posted by SpecialK at 1:59 PM on June 22, 2006
Oh, and as far as arguments: "I need an application that does 'X' very well. I've identified this application, but it doesn't run in our environment. Do you know of an application that works well in our environment and meets my needs?" and keep bucking that up. Make it a question of business needs instead of a religious operating system debate.
posted by SpecialK at 2:00 PM on June 22, 2006
Unfounded prejudice from MCSEs or vendors trying to sell you into the tangled web of Microsoft products. Everything you've mentioned works just fine under a Windows system.
In the IT world, the best way to change minds is to simply go around people and create and manage services that have a mix of these magic ingredients:
• most importantly, it should work
• it should provide better usability
• it should provide better uptime
• it should cost less
Since PHP and MySQL are free platforms on which to run free applications like MediaWiki, there is little to lose in the investment of capital into these options.
There is some time in learning how to configure these services, so if your time is not free, then that's a consideration. Basic security is a consideration, but then that would be the case with any service that can be used by anyone other than yourself. Keep on top of security bulletins and so forth — you'll be fine.
I've customized a few MediaWikis and I would consider myself a reasonably knowledgeable MySQL administrator (and SQL programmer, although that's not needed for running MediaWiki). The reliability and speed versus cost makes their use unquestionable, given how easy they make my life, and how useful they are to my users.
posted by Mr. Six at 2:02 PM on June 22, 2006
unfounded prejudice.
Finding security holes in MS systems is like finding holes in Swiss cheese. They are plentiful. It's also often written poorly. They are also often unreliable. Not to say that open-source software can't have issues. It's just that the reasons your IT people give don't describe issues specific to open-source, and all of them seem to plague MS stuff more.
that wikipedia (mediawiki-based) sure isn't working in a production environment, is it ;)
But seriously, open-source software is all over enterprise environments. Summarily dismissing software because it's open-source is just stupid.
posted by mcstayinskool at 2:07 PM on June 22, 2006
Response by poster: Thanks, good responses. Does anyone know of any studies or whatever which would back up these points, and add weight? An example: our ISP, who built and maintain an ASP-based website and CMS, refused to host Moodle for security reasons. This carries weight with the higher-ups, who don't know ASP or PHP from a hole in the ground. Some sort of solid reference, or comparison study, would be extremely useful in countering the "these guys know what they are talking about, let's do what they tell us" response I am getting.
I wouldn't mind hearing from the opposition either.
posted by aisforal at 2:28 PM on June 22, 2006
Older PHP/MySQL apps are insecure, but people have pretty much figured out how to write secure apps. They're not (in my experience) unstable. IIS always struck me as more unstable.
If you're going to install a PHP app, look for the latest version, and do a web check for the name of the app plus the word "exploit" to see if there's anything you should know.
Badly written PHP applications seem especially prone to SQL injection attacks, but so are badly written ASP applications. Like all things, it's not about the platform it's about the application you're running on that platform. As long as you do your homework, you should be OK.
Having said that, you're not going to change anyone's mind. Moodle, WordPress and MediaWiki will probably have ASP analogs. I'd try and hunt those down before getting into what is essentially a religious argument.
Don't be too hard on your IT department either. They understand IIS and they'll find it easier to support IIS. This isn't some "We're blind to other solutions because we have MCSEs" thing; it's more likely to be them trying to steer you in a direction which (a) allows them to support you well without requiring extra skill sets (with all the extra time and risk that entails)
If you really need an App which can only run on PHP and MySQL, consider getting some hosting with a different company which is completely separate from the I.T. Department.
posted by seanyboy at 2:33 PM on June 22, 2006
E.g. this was found when searching for "moodle exploit".
To be honest, I'd have doubts about hosting it too.
posted by seanyboy at 2:36 PM on June 22, 2006
I have to say, if you're dealing with a department that's thoroughly Microsoft-centric then you're probably wasting your time trying to introduce open source software. They won't want to install and maintain Apache/PHP/MySQL etc., some applications won't run as well under Windows and, perhaps most importantly of all, you're calling their careers and expertise into question. The Microsoft ecosystem is a safe place they won't want to leave.
Some security fears are well-founded (an awful lot of PHP apps are riddled with holes), but the "potential problems these apps may cause in a business environment" is more about a clash of cultures and different skill sets. Any change you can achieve is likely to be slow and difficult.
posted by malevolent at 2:54 PM on June 22, 2006
you're calling their careers and expertise into question. The Microsoft ecosystem is a safe place they won't want to leave.
Yes.
posted by sonofsamiam at 3:02 PM on June 22, 2006
PHP is easy to write badly, e.g. so that SQL injection attacks are easy to mount. My understanding is that ASP suffers from similar problems. External libraries called by both can also suffer from security holes. Also PHP has severe namespace pollution problems that increase the tendency to write spaghetti code with it. Again this is a problem with ASP as well.
I like Catalyst, a Perl-based platform for writing web applications. It also has a plugin to Php::Interpreter so that you can fold your legacy PHP scripts into Catalyst applications, or if you want someone who speaks only PHP to provide a significant amount of business logic for your system.
For what it's worth I'm having the same kind of problem with this in a university setting. Your advantage with the open source stack is that you can implement using your time only - no software licences required, so the potential to provide significant added value via the "back channel" is high, and can provide a compelling business case.
posted by singingfish at 4:03 PM on June 22, 2006
they are badly written, incompatible with MS systems, unreliable, security risks etc etc.
I can't speak for Moodle, but MediaWiki and Wordpress are well-written code, compatible with IIS (but not SQL Server), reliable, and pose less security risk than IIS itself. However, there is a lot of badly written PHP that is incompatible with MS systems, is unreliable, and poses security risks, so such comments are not entirely off-base, just not applicable to the specific tools you're looking at.
posted by scottreynen at 4:25 PM on June 22, 2006
Any of the web servers, or web programming languages, can be a nightmare in the hands of someone who doesn't know what they're doing. From that perspective, your IT department's ignorance of -- and resistance to becoming better informed about -- Apache/MySQL/PHP is reason enough for your company to steer clear of these technologies. Because in these yo-yos' hands, big ugly problems will undoubtedly arise.
However, putting aside that issue, in answer to your questions: yes, it's a crock.
Yahoo is the popular example to throw back in response to the various knee-jerk claims that PHP or MySQL isn't up to snuff. They've used PHP on the backend since at least 2002, serving 'billions of page views per day'. They also promote PHP usage rather heavily. Jeremy Zawodny (author of books on MySQL enterprise usage) is an engineer in charge of deploying and tuning Yahoo's MySQL databases. They also have long used Perl, Apache, C++... If any of these technologies were inherently insecure or unstable, there's no way Yahoo would stake its income on it.
posted by nakedcodemonkey at 4:32 PM on June 22, 2006
PHP requires an inhuman amount of diligence in order to avoid common vulnerabilities, like SQL injection attacks. It is also extremely easy to pick up. These characteristics do not play well together. It's a lot of rope for a community of folks who tend to stick their necks through knotted loops.
posted by Coda at 4:38 PM on June 22, 2006
You could also turn the question around this way: is the IT department running an application firewall? If not, why not?
posted by gimonca at 8:25 PM on June 22, 2006
PHP requires an inhuman amount of diligence in order to avoid common vulnerabilities, like SQL injection attacks.
Nonsense. Any number of PHP applications are written without using any DBMS -- no SQL injection vulnerability there. And for those that do use a DBMS, what "inhuman amount of diligence" does it take to avoid that attack with PHP as compared to ASP .NET? Language choice doesn't make it the threat; it's idiot programmers who accept user values without doing any sanity checks. In any language, that's stupidity that WILL be exploited.
posted by nakedcodemonkey at 8:52 PM on June 22, 2006
Coda: Depends on how you write PHP. I, for instance, abstract my SQL and do sanity checks and character transformations before I even think about running an insert. I don't have to think about it, so therefore it doesn't require a
There's lots of good libraries that will do this ... propel, adodb, etc. It's not inhuman at all, compared to ... oh, .net and mssql for instance... :-P
posted by SpecialK at 10:06 PM on June 22, 2006
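The thread's point (seanyboy, nakedcodemonkey, SpecialK) is that SQL injection in PHP is an application defect, not a language property: it appears when a request value is spliced into SQL text, and disappears when the value is bound as a parameter and sanity-checked first. The following is an added example, not code from the thread or from Moodle, WordPress or MediaWiki. It assumes the pdo_sqlite extension is available and uses an in-memory SQLite database with a constructed `users` table so it runs offline; the table, columns, rows and the username rule are all made up for the illustration.

```php
<?php
// Added example: the query-concatenation pattern the thread warns about,
// beside the prepared-statement form and a sanity check on the input.
// Assumes PDO with the pdo_sqlite driver; schema and rows are constructed.

declare(strict_types=1);

function buildDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'student')");
    return $db;
}

// The defect: the request value becomes part of the SQL text, so a value
// containing a quote changes which rows the WHERE clause matches.
function findUserUnsafe(PDO $db, string $username): array
{
    $sql = "SELECT id, username, role FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The fix: the SQL text is constant and the value travels as a bound
// parameter, so the database never parses it as part of the statement.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username, role FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A sanity check of the kind SpecialK describes, applied before any query.
// Hypothetical rule for this schema: 1-32 characters from [A-Za-z0-9_].
function isValidUsername(string $username): bool
{
    return preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $username) === 1;
}

// Runs both lookups on a normal value and on a value containing quotes and
// reports how many rows each returned, plus the validator's verdict.
function compare(PDO $db, string $username): array
{
    return [
        'input'        => $username,
        'valid'        => isValidUsername($username),
        'unsafe_rows'  => count(findUserUnsafe($db, $username)),
        'safe_rows'    => count(findUserSafe($db, $username)),
    ];
}

$db = buildDb();
// Constructed inputs: an ordinary username and one that contains quote
// characters and an OR clause, which the unsafe query treats as SQL.
foreach (['alice', "' OR '1'='1"] as $input) {
    print_r(compare($db, $input));
}
```

For the ordinary username both lookups return the single matching row. For the quoted value the concatenated query matches every row in the table, while the prepared statement treats the same string as a literal username and returns nothing; the validator rejects it before it reaches the database at all. That is the whole of the "diligence" the thread is arguing about: a fixed query text with bound parameters, and an input check at the boundary, and it is the same discipline in ASP .NET as in PHP.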
PHP requires an inhuman amount of diligence in order to avoid common vulnerabilities, like SQL injection attacks. It is also extremely easy to pick up. These characteristics do not play well together. It's a lot of rope for a community of folks who tend to stick their necks through knotted loops.
The point is that exactly the same is true of ASP. There's nothing magically dangerous about PHP.
posted by chrismear at 1:23 AM on June 23, 2006
MySQL is not the most scalable database to use for large applications, but I've not heard it maligned for security. I think people like it because it's free, featureful, and easy.
badly written, incompatible with MS systems
Sounds like your IT guys are very Microsoft-centric. They fear things they didn't learn about in their MCSE classes.
posted by scarabic at 1:57 PM on June 22, 2006