[Klug-general] Re: Apache, PHP and MySQL security

Matthew Macdonald-Wallace matthew at truthisfreedom.org.uk
Sat Jan 6 16:24:33 GMT 2007


On Sat, 2007-01-06 at 16:11 +0000, J D Freeman wrote:
> > I am aware that I could just set gentoo to install hardened versions of
> > everything, however I wouldn't learn as much that way!
> 
> Or alternatively when you trust the person who compiled it. Personally I
> think life is too short, and old hardware too cheap, to screw around
> compiling every little thing from scratch (having watched a friend
> compile OO for over 2 weeks). I have met a lot of the debian developers,
> and I trust their judgements. Not only that, but I trust them in the way
> they trust new people to join the debian project. The good ole web of
> trust.

Fair point, I guess I need to start meeting more developers from
Distros... :)

> SUSE and Redhat on the other hand, I do not trust, as I do not believe
> they have the same level of paranoia in their compiling. They also push
> the releases too often IMHO. And yes, I do consider the fact debian
> takes bloody ages to release a new stable a feature, not a bug.

> As for PHP and MySQL. If you want secure, don't use PHP. The very
> paradigm behind it fails miserably to even come close to the concept of
> secure. Not only this, but it not only encourages, but makes it almost
> mandatory, to write poor quality unmaintainable code. And as for the
> performance. Yuck. Consider Python as an alternative, or better yet, ask
> yourself if you really need that dynamic back end to your page. I would
> say most sites that use PHP would be simpler for all if they just ran on
> a static html page, or maybe a server side include.

That's fair enough, and I'm starting to look at Python, having listened to
a few podcasts about it; however a lot of people who develop
web-applications using open-source software use PHP.  As I am planning
on running a very basic hosting service for some friends as a learning
curve for both myself and them, I believe that PHP is a must.

I completely agree with you that PHP/MySQL is overused on the net, I've
recently dropped the MySQL usage on a site I'm developing and I'm now
using PHP purely for ease of templating.  This could probably be done
using SSI or even Web 2.0 (WTF??!) however for the moment (and until I
learn more!) it's what I know.

> Finally, I am reminded of one of the Ubuntu developers describing the
> LAMP stack at FOSDEM last year:
> 
> L - linux
> A - Apache
> M - Most of our scripting languages begin with P
> P - and Postgresql

I like that, very good... :)

Matt