The recent post about what people are using for webmail got me thinking about a perhaps irrational policy I have with my own self-hosted software: I don’t install anything written in PHP, because I have this vague notion that PHP software is often insecure. I think I probably got this idea because years ago I saw all the vulnerabilities in PHP webmail clients and PHP software like Wordpress and decided that it was the language’s fault—or at least a contributing factor.

Maybe this isn’t fair. Maybe PHP is just more accessible to new devs and so they’re more likely to gravitate to it and make security mistakes. Maybe my perception isn’t even accurate, and webmail / blog software written in other languages is just as bad—but PHP gets all the the negative attention because it’s so prevalent for web apps. Maybe my policy was a good idea, years ago, but now it’s just out of date.

To be clear, I’m not trying to stoke the flames of a language holy war here or anything. I’m honestly asking: Is it maybe time to revisit my anti-PHP policy? I’m looking longingly at some federated software like Pixelfed and wondering if maybe I’m just being a little too close-minded.

So I’m interested in your own experiences and polices here. Where do you draw the security line for what you will or won’t host, and what made you make that choice?

  • tkoA
    link
    fedilink
    English
    arrow-up
    14
    ·
    1 year ago

    I wrote my personal website in PHP, and I’m pretty happy with the security I’ve got going on. I’m not an expert, but I paid close attention to best practices to avoid pitfalls like SQL injection. My instinct is that it’s certainly easy to code insecure applications in PHP (and probably many other languages as well), but the language does provide means by which to code safely.

    • witten@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Awesome, good to hear from an actual PHP dev. I assume then you’re also fine self-hosting third-party PHP applications? How do you make the call on whether it’s okay to host from a security perspective? The same as with software written in any other language?

      • lemmyvore@feddit.nl
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        It’s a good idea to invest time into hosting all your stuff in individual containers. You get lots of benefits that way, on top of isolation.

      • tkoA
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        If I’m being honest, I’ve never even looked to see what language most of the stuff I run is written in. Out of 16 apps that I’m running, only 3 are accessible from outside my LAN. Those three are high-profile open source projects that are actively maintained. That’s enough for me to be comfortable security-wise in my environment.