by dartos 788 days ago
Security in php is a headache.

Many crud apps which separate the frontend and backend have form validation and sanitization on the frontend and backend (partly by virtue of converting raw input into escaped json strings), but IIRC isn’t as straightforward in php.


I'm not sure what's so hard about doing it in PHP. Can I not just get all the data from the GET/POST data associative array, get the form fields I want, and put them into a prepared statement to save them to the DB? What's the vulnerability here? Maybe add a CSRF token for extra security and I think you're done, or am I missing something?
You are not. It's the same security any other stack would do.

This "PHP security is terrible" is mostly because people remember stories from 20 years ago (when none of the cool stacks even existed) and things like WordPress, the most targeted CMS/framework in the world.

I have a suspicion that if Vercel/Next powered 60% of the web, then its security reputation wouldn't be great either.

PHP is flawed, but so are all the other stacks. PHP is old, but that doesn't mean it's not being updated or up to date. If anything, it's boring.

Security in vanilla php using old tools is a headache.

I use Symfony and using the form component (https://symfony.com/doc/current/components/form.html) you can achieve much of what is needed.

If you use the framework as well (which is very modular nowadays) you also have security built-in (https://symfony.com/doc/current/forms.html).

But probably not as fast as a "quick and loose" approach if you don't know Symfony yet, but extensible and secure (if you do know Symfony, it might be faster than the vanilla PHP approach, because you can avoid much of the "generic" code, the validators, the error handling, and avoid SQL and XSS injection).

> Security in php is a headache.

It really isn't.

What are the possible security problems in this case (grab all form data and stuff it into the database)?

The only one I can think of is SQL injection, but that's trivial to fix with placeholders.
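The flow described in the thread (pick the wanted fields from the POST array, validate, bind them in a prepared statement, guard the form with a CSRF token) and the "placeholders fix SQL injection" point in the last comment, as one added example. This is not code from any commenter; it uses only PHP's built-in PDO, session and filter APIs. Assumptions: a `users` table with `name` and `email` columns, a SQLite file at `/tmp/demo.sqlite` as a placeholder DSN, and a session-stored CSRF token.

```php
<?php
// Added example (not from the thread): allowlist the fields, validate, bind them in a
// prepared statement, check a CSRF token, and escape on output.
// Assumptions: SQLite DSN placeholder below, a `users` table with `name` and `email`.

declare(strict_types=1);

session_start();

// 1. CSRF token: generated once per session, embedded in the form, compared on submit.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfIsValid(?string $submitted): bool
{
    // hash_equals() compares in constant time, so token length/prefix leaks nothing via timing.
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// 2. Take only the fields you want from $_POST (an allowlist), never the whole array.
function pickFields(array $post, array $allowed): array
{
    $out = [];
    foreach ($allowed as $field) {
        $value = $post[$field] ?? '';
        $out[$field] = is_string($value) ? trim($value) : ''; // arrays-as-values are rejected
    }
    return $out;
}

// 3. Validate what you kept; return a field => message map (empty means OK).
function validate(array $data): array
{
    $errors = [];
    if ($data['name'] === '' || mb_strlen($data['name']) > 100) {
        $errors['name'] = 'Name is required (max 100 characters).';
    }
    if (filter_var($data['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid email address is required.';
    }
    return $errors;
}

// 4. Prepared statement: values are bound as parameters, never concatenated into the SQL,
//    which is why SQL injection is not possible here regardless of what the user typed.
function saveUser(PDO $pdo, array $data): void
{
    $stmt = $pdo->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $data['name'], ':email' => $data['email']]);
}

// 5. Store raw, escape on output: HTML escaping belongs at render time (XSS), not in the DB.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Placeholder DSN: replace with your real database connection.
$pdo = new PDO('sqlite:/tmp/demo.sqlite', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)');

$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token.');
    }
    $data = pickFields($_POST, ['name', 'email']);
    $errors = validate($data);
    if ($errors === []) {
        saveUser($pdo, $data);
        // Post/Redirect/Get so a browser refresh does not re-submit the form.
        header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
        exit;
    }
}
?>
<form method="post">
    <input type="hidden" name="csrf_token" value="<?= e(csrfToken()) ?>">
    <label>Name <input name="name" value="<?= e($data['name'] ?? '') ?>"></label>
    <?php if (isset($errors['name'])): ?><p><?= e($errors['name']) ?></p><?php endif; ?>
    <label>Email <input name="email" value="<?= e($data['email'] ?? '') ?>"></label>
    <?php if (isset($errors['email'])): ?><p><?= e($errors['email']) ?></p><?php endif; ?>
    <button>Save</button>
</form>
```

The two things worth noticing are the allowlist in `pickFields()` (so an extra `is_admin` field in the POST body is simply dropped rather than written) and that escaping is done once, in `e()`, at output time; the prepared statement already makes the stored value safe for the database, so escaping before storage would only corrupt the data. With MySQL you would also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the placeholders are bound server-side rather than client-side.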