The recent post about what people are using for webmail got me thinking about a perhaps irrational policy I have with my own self-hosted software: I don’t install anything written in PHP, because I have this vague notion that PHP software is often insecure. I think I probably got this idea because years ago I saw all the vulnerabilities in PHP webmail clients and PHP software like Wordpress and decided that it was the language’s fault—or at least a contributing factor.

Maybe this isn’t fair. Maybe PHP is just more accessible to new devs and so they’re more likely to gravitate to it and make security mistakes. Maybe my perception isn’t even accurate, and webmail / blog software written in other languages is just as bad—but PHP gets all the the negative attention because it’s so prevalent for web apps. Maybe my policy was a good idea, years ago, but now it’s just out of date.

To be clear, I’m not trying to stoke the flames of a language holy war here or anything. I’m honestly asking: Is it maybe time to revisit my anti-PHP policy? I’m looking longingly at some federated software like Pixelfed and wondering if maybe I’m just being a little too close-minded.

So I’m interested in your own experiences and polices here. Where do you draw the security line for what you will or won’t host, and what made you make that choice?

  • TheHolm
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    2
    ·
    edit-2
    1 year ago

    Language where use of uninitialized variable is warning ( not a core dump) should not be used. IT mostly in the past for modern PHP, but bad programmers habits remains. I have seen so horribly written PHP project, so i prefer to stay away.

    • Martijn🐖@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Easy solvable. Develop in strict mode with all notices enabled. Should be the default for any developer.

    • witten@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Thanks for weighing in. That’s historically been my take as well, although as of this thread I’m starting to wonder if modern PHP can be better and/or particular projects can be.

      • TheHolm
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        1 year ago

        My opinion that language have changed, but people who use it are mostly same. Anyone who starting working in WebDev now will not use PHP, it is no longer a good tool. Like perl, it is still around, lots of software depends on it. But hardly any new stuff will be written on it. And it is programmers who define quality of the code, if you learn to code on language which promote bad practice it is really hard to change.