Hacker News new | ask | show | jobs
by crumpets 2512 days ago
No, you're not right. How you render CSS and the page have very little to do with how secure your app is.

SQL escaping, session handling, etc all come easily with standard php libraries. So "I didn't bother with any PHP frameworks" doesn't mean the dev wrote an SQL connector.
1 comments
diminoten 2512 days ago
I'm sorry if you thought I meant CSS rendering was the source of potential vulnerabilities, but for any website that has, say, users, if you're not using any PHP frameworks or external libraries you might have to implement some crypto of your own to store passwords securely, just for starters. I don't think PHP offers a standard library to do that, does it?

There are a hundred examples that are specific to whatever app this guy built for the Healthcare company, not all of which are covered by the PHP standard library...

I believe him when he says it passed external/internal auditing, however I have a very hard time believing he's not either very very expensive or took a very very long time to get the app to the place he claims it is (the third option is that it does very little, which won't actually end up being a good thing once the client gets over the honeymoon phase of "it's so much prettier!!!").

Further, the expertise I do bring to this conversation is in software development, and I can say assuredly that a one-man development team using no 3rd party libraries is definitely creating a codebase nigh unmaintainable by other people down the line. His bragging about creating job security for 2 years is honestly an understatement; he's got job security for the life of the products he's creating, as he's likely the only person who can do anything more with the website in a time frame that isn't measured in years.

link
jasonlotito 2512 days ago
> I don't think PHP offers a standard library to do that, does it?

https://www.php.net/manual/en/password.installation.php

"There is no installation needed to use these functions; they are part of the PHP core."

The functions are common knowledge in the community, and made to be easy to use.

> Further, the expertise I do bring to this conversation is in software development, and I can say assuredly that a one-man development team using no 3rd party libraries is definitely creating a codebase nigh unmaintainable by other people down the line.

They said, "No frameworks." They didn't say no libraries. Some people make a distinction between the two, others don't. You are taking the stance that they mean they mean the same thing. Realize that others don't consider them the same thing.

Further, the expertise I do bring to this conversation is in software development, and I can say assuredly that someone who doesn't know the nuances between libraries and frameworks in the software development world can't make the claim to have expertise in the software development world. =)

link
diminoten 2512 days ago
I don't think someone nitpicking between the definition of the words "framework" and "library" is engaging in this conversation honestly, and I'm pretty sure that your failure to address the "this is but one of hundreds of examples, not all of which are covered by standard libraries in PHP" comment I made is further justification of that belief.
link
jasonlotito 2511 days ago
> I don't think someone nitpicking between the definition of the words "framework" and "library" is engaging in this conversation honestly

I think it is, especially since you are nitpicking on it. I'll explain.

If the original poster is using libraries but not frameworks, and feel there is a distinction (and judging by the post, it's clear they feel that way), then they are using libraries, just not frameworks.

Therefore, when you say this: "a one-man development team using no 3rd party libraries" in the context of the discussion, you are making stuff up. No where does the original post suggest or otherwise say that they aren't using 3rd party libraries (quite the opposite).

For your comment to hold up, you need framework and libraries to be the same. However, by pointing out that often times developers see them as different (generally libraries make up frameworks), I'm making it clear that your conclusion is misinformed.

> I'm pretty sure that your failure to address the "this is but one of hundreds of examples, not all of which are covered by standard libraries in PHP" comment I made is further justification of that belief.

I addressed directly the one example you provided. You didn't provide hundreds. You provided one. I provided the answer out of courtesy, as you asked a direction question. Saying answering your direct question is justification of my dishonesty is insulting and childish.

Further, the fact that you are mistaken on the concept of the common use of library vs framework, I felt that your claim of "hundreds of examples" was hyperbole and ignorance. Maybe you can provide hundreds of examples where PHP and libraries written in PHP cannot solve problems that only fully fledged frameworks can provide? Keep in mind that libraries exist for many different things and since frameworks are made up of libraries, there is almost nothing relevant that a framework can do that libraries can't.

link
mdemare 2512 days ago
In the context of web development, they are generally considered as distinct.
link
diminoten 2512 days ago
Not the argument, nor is it relevant, hence the discussion about it being disingenuous.
link
aiiane 2512 days ago
> if you're not using any PHP frameworks or external libraries you might have to implement some crypto of your own to store passwords securely, just for starters. I don't think PHP offers a standard library to do that, does it?

It does, actually: https://www.php.net/manual/en/intro.password.php

link
wolco 2512 days ago
"There are a hundred examples that are specific to whatever app this guy built for the Healthcare company, not all of which are covered by the PHP standard library."

You would need to implement whatever custom code required or use a libruary. You would need to do the same with a framework. No framework offers business health care functionality. Do you think laravel has an ocr skin cancer detector package?

PHP is fast to write. Hearing people from the outside saying its impossible to write a php site that quickly makes me laugh. PHP makes development easy.

link
hnick 2512 days ago
"PHP is fast to write. Hearing people from the outside saying its impossible to write a php site that quickly makes me laugh. PHP makes development easy."

Yeah that's odd to me too. I mean, that's pretty much the biggest argument against using PHP (well it was, back in the day). Bad sites written easily by inexperienced programmers.

link
diminoten 2512 days ago
PHP isn't the problem, the claim that there are no security issues despite hand rolling every feature is the issue, and it's in no way accurate.

A lot of bad software engineering going on in these comments, downvotes don't change that...

link