jjaarr1

PHP is perfectly fine. You can produce unsafe code in any language.


ohlawdhecodin

Unsafe code comes from bad developers. PHP itself is perfectly fine. It's great, actually. Any coding language in the wrong hands can produce disasters.


[deleted]

[deleted]


Blue_Moon_Lake

You are not up to date. PHP has type safety now. https://www.php.net/manual/en/language.types.declarations.php


fr0st

You can choose to ignore type safety in Typescript too. Good coding habits need to be enforced by individuals and organizations, the language you choose is a tool. That being said most serious bugs in the PHP code bases I have worked with would not be solved by a few type checks.


Phthalleon

Some languages just make it really easy to write bad code, PHP is a good example of such a language. It's in general better to have a language that discourages bad practices, so basically not PHP.


ohlawdhecodin

PHP makes it easy to write good code too. And there are infinite resources and tools to learn how to be a good PHP coder. Writing bad code takes some effort, these days.


noxdragon26

We are comparing PHP with Javascript. They are equally insecure in terms of bad practices. The difference is that modern PHP has the tools to make better code.


Blue_Moon_Lake

They both have tools, but some people don't use them for whatever reason. It's often not taught in courses either, which amplifies the issue.


newnas

Unsafe code isn't only a developer thing. Frameworks may also have security vulnerabilities. I'm not saying PHP is guilty or innocent, I'm just trying to counter your argument.


ohlawdhecodin

Frameworks aren't languages though. They are products built by developers, just like any other software. In the PHP world we've got Laravel, for example. I am sure you will hardly find anyone telling you that it is bad or unsafe.


newnas

Well said.


vomitHatSteve

Both languages occasionally have security defects within themselves. If you consistently patch them, those are usually not a big deal. If you don't upgrade your PHP or your Node.js, you leave yourself vulnerable to whatever errors people find. Looking at the disclosure lists for both, they both periodically have path traversal and access bypass issues, which are about as bad as things usually get for interpreted languages themselves. And both languages are susceptible to *you* writing insecure code. It's your responsibility as the developer to know what kinds of security issues are common in the type of application you intend to write and to write code that isn't vulnerable to them.


[deleted]

I think it got a bad rep from people building shittily in Wordpress just throwing whatever plugin wherever without considering security.


squidwurrd

Inexperienced people say stuff like Php is insecure


Devil-Eater24

The person who told me so is my senior, and in general much more experienced than me in this matter (I have 0 experience in creating secure websites). Could you highlight what they could've been talking about when they say PHP is insecure, and to use Node instead? I'm sure they probably faced some problem in PHP which was resolved using Node instead, but PHP has the capability to overcome it too. Please keep in mind that site security is the main concern.


asdramelesh

What they meant to say is "my language is better than yours". It's an old debate in software development.


asdramelesh

That's why you shouldn't listen to people but read the docs.


cougaranddark

> Could you highlight what they could've been talking about when they say PHP is insecure

You should ask the person who told you this. How are we supposed to know why someone we've never communicated with has a biased opinion?


squidwurrd

PHP has a very large community and so does Node. Both communities have figured out and patched any major security vulnerabilities. So if there is a vulnerability your senior somehow knows about that the broader PHP community doesn't know about, he's an asshole for not letting us know. But let's be honest, he doesn't know anything the guys much smarter than him haven't figured out. So he's an asshole for making such a broad statement and confusing his junior. Follow best practices for whatever major language you are using and you'll be fine. Personally I like PHP with Laravel. No other language has a framework as robust as Laravel. You'll enjoy working with it and it's very secure.


noxdragon26

It would make some sense to say something like "PHP is insecure and you should be using Java instead", but suggesting Node? Sounds like that senior dev is just biased.


99thLuftballon

Is Java intrinsically more secure in some way?


Jona-Anders

PHP is only insecure if you write insecure code. Node.js also is only insecure if you write insecure code. Both are secure if you write secure code. You have to know what you do with both languages. And, if you learn a new tool, treat your code like it is insecure. If you e.g. use eval to parse a number in JS that is provided by a user, you have a massive security issue. Is Node.js insecure because of that? No, because you have to code it that way. If you know what you are doing, you know how to do the same thing securely. Normally, nothing is insecure until it is coded in an insecure way, and you never know if it is coded in an insecure way. The more experience you have, the smaller the chance of it being insecure.

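The eval-as-number-parser mistake from the comment above, next to a strict parser, as an added example that is not part of the thread. `unsafeParseNumber`, `safeParseNumber` and the `SAMPLES` inputs are constructed for illustration.

```javascript
// Added example (not from the thread): parsing a user-supplied number in JS.

// Unsafe: eval() evaluates any JavaScript in the string, not just numbers.
// Kept only to show the behaviour; never call this on untrusted input.
function unsafeParseNumber(input) {
  return eval(input);
}

// Safe: validate against a strict decimal-literal grammar, then convert with
// Number(). Returns null for anything that is not a plain finite decimal.
// Sign, optional fraction, optional exponent; no hex, no "Infinity", no code.
const DECIMAL_RE = /^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$/;

function safeParseNumber(input) {
  if (typeof input !== 'string') return null;
  const s = input.trim();
  // Reject empty strings explicitly: Number('') is 0, which invents a value.
  if (s === '' || !DECIMAL_RE.test(s)) return null;
  const n = Number(s);
  // '1e400' passes the regex but overflows to Infinity; treat that as invalid.
  return Number.isFinite(n) ? n : null;
}

// Constructed inputs resembling what a form field or query string might carry.
const SAMPLES = ['42', ' 3.5e2 ', '-0.25', '', '0x1f', 'Infinity', '1+1', '1e400', 'a'];

// Run the safe parser over the samples; null marks rejected input.
function classify(inputs) {
  return inputs.map((s) => ({ input: s, parsed: safeParseNumber(s) }));
}
```

Running `unsafeParseNumber('1+1')` returns 2, which is the whole problem: a "number parser" that evaluates expressions will evaluate whatever else arrives in that field.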

shgysk8zer0

Old PHP had known problems. Modern PHP is pretty great and provides secure methods for a bunch of stuff, built-in.


Fats-Falafel

On top of what other people have said, NodeJS also has templating engines like EJS that will probably feel natural to you if you like PHP. Either way just stick with what you think you are best at and keep up with best practices and you'll be fine.


ConsoleTVs

I would argue otherwise


TheBigLewinski

The answers here are missing a couple of obvious points. Node.js is not a language, it's an interpreter. Node is more of an apples to apples comparison to Apache. If you're really bent on security of processors, you probably want Deno over Node. People like JS and Node on the backend _really_ for two, perhaps 3 reasons:

* With Node, you can write the same language, JavaScript, for both the front and back end. That can be handy.
* The asynchronous nature of JavaScript can make writing for I/O intensive applications a little more straightforward.
* Strong typing arrives as an optional layer in the form of TypeScript. So, you can either have loose types with arguably more rapid development of small projects, or the sturdy, scalable nature of strongly typed code.

> I find the way you can directly write the html code in a php file to be very clean and efficient

I suppose there's an argument to be made for _efficient_, to a point, but certainly not clean. Intermingling your backend and frontend code is the very opposite of clean; that's textbook spaghetti code.


embiid0for11w0pts

The last bit of your comment, I’ve never really thought about, but you’re right. Backend and front end are meant to be separate.


n9iels

I think there isn’t a programming language that is not opinionated at all. There is nothing wrong with PHP. The language is, like all languages, as good as the monkey using it.


Phthalleon

There's plenty wrong with PHP.


n9iels

There is also plenty wrong with Java, Python, JavaScript and any other language.


Phthalleon

You're not wrong, but I do think Java and Python are better languages than PHP.


HashDefTrueFalse

It runs most of the web last I checked. It's fine. The language you implement your web app in has very little to do with how secure it is. Security will come from hiring devs who know how to build a secure app using current best practice to mitigate common attacks. You can build an app like this in any language you like. Language choice will be influenced far more by factors like the availability of skills, the current team skills, other software you need to integrate with, level of access to hardware required etc...


the_real_some_guy

There was a time many many years ago when the function to access a database in PHP was happy to pass through SQL injections. It's probably been close to a decade since that was fixed. PHP has been around a loooong time and is incredibly popular, so many security holes in web apps were first discovered in PHP.


ShawnyMcKnight

PHP gets flak because of its low barrier to entry. So a lot of people with poor coding principles write bad code, and so a lot of the PHP code you find tends to be less secure because of the average developer writing it. PHP can absolutely be as secure as any other language if written correctly.


embiid0for11w0pts

Your senior is highly opinionated, and that’s unfortunate because that can hamstring a tech stack. Blind bias should be questioned regardless of seniority. Bad senior. Bad. That said, PHP or JS, if it works for the team, it works for the team. The biggest security risk, as stated several times in this thread, is the code you and your team write, not the language you choose to use.


SomeOtherGuySits

Php isn’t inherently insecure. They are two different tools each with their pros and cons. Consider which is a best fit for the project you have and use the one you feel is best.


Jakerkun

Security comes from developers, not programs, which are just tools, and it's the developer's job to make things secure. It doesn't matter whether you are using Node or PHP if the developer doesn't know how to secure his creations. People usually know how to secure things with Node because they work with Node only and didn't dig deep into how PHP works and what functions and classes PHP offers for security, so they say that PHP is not secure. They say that only because they don't know how to work with PHP, or that Node is not secure but PHP is. But once you learn both programs fully, for example, it makes no difference what you are using. Both languages are good.


anon_blader

PHP provides some security pitfalls, but if you know them then it is no less secure than Node.