undefined | Better HN

0 pointsrglullis5y ago0 comments

I wasn't hosting the blog. It was on webfaction.

> infinite number of websites built in PHP and never got hacked!

If I look at the logs of my webservers and scan for bots trying to exploit some vulnerability, I would guess that 80%+ of the URLs would indicate a PHP-based webapp. So, yeah, there are many that never got hacked but there are certainly a good amount of PHP apps that have some vulnerability. Should we blame all the developers who were "doing it wrong" or should we at least make sure that the language is not facilitating such shots-in-their-feet?

0 comments

jjeaff5y ago

Well, php is thought to power something like 80-90% of websites. So you are seeing either the same or disproportionately fewer php sites than you should if php were in fact less secure.

But php has been around on the web for a long time as well, so there are a lot of unpatched softwares out there like WordPress.

Probably near 99% of those compromised servers run on Linux, so by your logic, Linux is much more secure than windows servers, right?

rglullisOP5y ago

> So you are seeing either the same or disproportionately fewer php sites than you should if php were in fact less secure.

You'd have to assume that there is an uniform distribution of vulnerabilities and exploits through the whole set of languages used for web development for that to hold. You are begging the question.

> 99% of those compromised servers run on Linux

If the exploits manage to give the attacker root access to the OS, then yes it would be the problem of the OS. But the attack is to get access to the application. So the issue is at the application, not at the OS. You can argue that this is not the fault of the language, though. However given that a whole lot of the PHP defenders here are using "it is the easiest one to deploy" argument, one has to wonder if a platform that makes it so easy to deploy apps should also be held up for the issue of insecure apps based on it.

edoceo5y ago

You see lots of PHP because there is lots of PHP. The hits are because of wide adoption not language vulnerability.

j / k navigate · click thread line to collapse