Learning PHP: Where's the security?

A couple of things have struck me so far as I have been trying out basic tasks in PHP to get a feel for how they work. One immediate concern I have right now is database security in PHP.

The first red flag I have is PHP's insistence that you type in a username and password for the database user in the clear in your database connection code. To me this is just asking for potential trouble. Let's toss out this scenario - disgruntled PHP developer gets the boot. You now have to go and change the database username and/or password on the server in order to make sure things are secure, because that coder has the information he or she needs to get in and screw with the database, not just via PHP code, but with any client tool (assuming they have access inside your network, and let's be honest rarely is there a time when a disgruntled employee isn't that way while still being employed). Even if you code smart and just include your database connection strings in a function so you only have to make the change in one place, it's still a change that shouldn't have to be made.

Compare this to CF, which sets the database access information in the datasource creation in the CF admin. This allows a lot more internal security, as the only people that really need to know that access information are the DBA and the CF administrator (in many cases I imagine this may be the same person). The point is that you can really compartmentalize this information a lot better in CF than you can in PHP. The developers need only know the datasource name; nothing about usernames or passwords is passed along in that. In the case of the disgruntled employee, their access to the database comes in a totally separate login that can be more quickly locked down without affecting other accounts and applications, should you need to do so.
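One way to get the same compartmentalization in PHP, as an added example that is not code from the original post: the DBA keeps credentials in a file outside the web root (or in php.ini), and application code refers to a datasource by name only. The file path, section name, host, account and password below are constructed for illustration.

```php
<?php
// Added example, not from the original post. Keeps the database
// username/password out of the PHP source so developers reference a
// datasource by name only, in the spirit of a ColdFusion datasource.
// The file path, section name and credentials below are assumptions.

// The administrator/DBA maintains this file OUTSIDE the web root, owned by
// root and readable only by the web server's group (e.g. chmod 0640):
//
//   [reports]
//   host = db.internal
//   user = reports_app
//   pass = correct-horse-battery-staple
//   name = reportsdb
//
// (constructed sample contents of /etc/myapp/datasources.ini; "reports_app"
// is meant to be a per-application account with only the GRANTs it needs,
// so revoking it touches no other application)
const DATASOURCE_FILE = '/etc/myapp/datasources.ini';

/**
 * Open the named datasource. Throws instead of returning false, so an
 * unknown name or a revoked account fails loudly rather than silently.
 */
function connectDatasource(string $name): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    // INI_SCANNER_RAW takes values literally, so a password containing
    // characters the ini parser would otherwise interpret still works.
    $all = parse_ini_file(DATASOURCE_FILE, true, INI_SCANNER_RAW);
    if ($all === false || !isset($all[$name])) {
        throw new RuntimeException("Unknown datasource: $name");
    }
    $c = $all[$name];

    $db = new mysqli($c['host'], $c['user'], $c['pass'], $c['name']);
    $db->set_charset('utf8mb4');
    return $db;
}

// Alternative with no file at all: the administrator sets mysqli.default_host,
// mysqli.default_user and mysqli.default_pw in php.ini, or per site with
// php_admin_value inside an Apache <VirtualHost> (which .htaccess and
// ini_set() cannot override). Passing the ini values explicitly is what a
// no-argument mysqli_connect() does for you.
function connectDefaultDatasource(string $dbName): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli(
        ini_get('mysqli.default_host'),
        ini_get('mysqli.default_user'),
        ini_get('mysqli.default_pw'),
        $dbName
    );
    $db->set_charset('utf8mb4');
    return $db;
}

// Application code: only the datasource name appears here, and only this
// line is checked into the repository.
$db = connectDatasource('reports');
```

One caveat worth keeping in mind: this keeps the password out of the source tree and out of the developers' hands, but anyone who can deploy and execute PHP on that server can still read the file or the ini value at runtime. The separation protects against the repository and casual reading; it is the separate, least-privilege database account that makes the credential cheap to revoke.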

The other thing that so far has struck me (and I am sure that this is a pure lack of PHP knowledge on my part, but...) is that there does not seem to be a PHP answer to CFQUERYPARAM in terms of speed and simplicity for locking down your SQL queries from injection attacks. It looks like I need to dig into the mysqli() functions from what I can tell, but they don't seem as clean as CFQUERYPARAM is. File this one not so much under "PHP can't do this", but under the growing list of "PHP takes a lot longer to do this than CF".
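The mysqli prepared-statement route mentioned above, beside the concatenated query it replaces and the PDO form that comes closest to CFQUERYPARAM in feel, as an added example that is not code from the original post. The `users` table, its columns and the already-open `$db` (mysqli) and `$pdo` (PDO) connections are assumptions.

```php
<?php
// Added example, not from the original post. Shows the PHP counterparts of
// CFQUERYPARAM. Table/column names and the connection objects are assumptions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// VULNERABLE: the value is spliced into the SQL text. With $id = "1 OR 1=1"
// the WHERE clause is rewritten and every row comes back.
function findUserVulnerable(mysqli $db, string $id): array
{
    $res = $db->query("SELECT id, email FROM users WHERE id = $id");
    return $res->fetch_all(MYSQLI_ASSOC);
}

// HARDENED: mysqli prepared statement. The SQL text is sent first, the value
// separately, so the value can never be parsed as SQL. The 'i' type letter
// also forces an integer, much like cfsqltype="cf_sql_integer".
// (get_result()/fetch_all() need the mysqlnd driver, the default since 5.4.)
function findUser(mysqli $db, int $id): array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Same idea with PDO and named placeholders, which reads closest to
// <cfqueryparam value="..." cfsqltype="..."> . Open the connection with
//   new PDO($dsn, $user, $pass, [
//       PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//       PDO::ATTR_EMULATE_PREPARES => false,   // let the MySQL server bind
//   ]);
// so binding happens server-side rather than by client-side quoting.
function findUserByEmail(PDO $pdo, string $email, int $limit): array
{
    $stmt = $pdo->prepare(
        'SELECT id, email FROM users WHERE email = :email LIMIT :limit'
    );
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT); // LIMIT must be an int
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholders cover VALUES only. Identifiers such as a sort column still
// have to be chosen from a fixed list in code, exactly as with CFQUERYPARAM.
function listUsers(PDO $pdo, string $orderBy): array
{
    $allowed = ['id' => 'id', 'email' => 'email'];
    if (!isset($allowed[$orderBy])) {
        throw new InvalidArgumentException("Bad sort column: $orderBy");
    }
    $stmt = $pdo->query("SELECT id, email FROM users ORDER BY {$allowed[$orderBy]}");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The mysqli form is more typing than CFQUERYPARAM mainly because bind_param and execute are separate calls; the PDO form collapses that to prepare, bindValue, execute, and is generally the closer match for someone coming from CF.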

Thoughts are appreciated on how or why this impression is incorrect.

I am becoming a PHP developer

For over a dozen years now I have been coding web applications using ColdFusion, from version 3 all the way through version 8. I love ColdFusion, and given the choice I would choose it over any of the other server languages. Unfortunately, the people who pay the people who employ me are forcing me to go another route. It's not official yet, but at the very least the Department of Education is adding the LAMP stack (Linux, Apache, MySQL, PHP) to its preferred list of web development platforms, and I have heard opinions that it may displace ColdFusion in the future. So, in the interest of remaining gainfully employed, I am becoming a PHP developer.

The trick of this is that I am going to have to become proficient on my own time, they won't pay me to do this. So I am going to have to use my personal projects as training grounds for PHP. I have some work that I need to finish that I am going to keep in ColdFusion, and I am not going to rewrite sites in PHP, but new tasks on existing sites, and new sites, are going to be done primarily in PHP for the short run.

I am of multiple minds about this. On the one hand, diversification is a good thing for me and will make me more well rounded as a developer. But in beginning my jump into PHP, I am already finding why so many PHP developers become ColdFusion developers, and not the other way around. ColdFusion is way faster to code in; so many things are prepackaged in CF tags that you have to type out line by line in PHP.