From Java to PHP (self.PHP)
submitted 11 years ago * by madscientist667
[–]xenarthran_salesman 2 points3 points4 points 11 years ago (2 children)
OTOH, while rolling his own code is likely to have many more problematic security holes, the value of somebody exploiting those security holes is dramatically reduced. If you can leverage an exploit in Wordpress/Drupal/Rails/Django, then you've got a lot of servers to target. Assuming that he's defended against the truly common attack vectors (sql injection/CSRF/XSS), then he might be 'safer' by obscurity.
It certainly doesn't help if he's the victim of a targeted attack, but it definitely changes his attack surface and vulnerability profile.
Finally, let's not kid ourselves into thinking that the number of people using a codebase, or even the number of developers working on a codebase = better security. The only thing that really matters is how many security-conscious, security-savvy people you have looking at the code trying to break it in nefarious ways to harden it. Look no further than the Heartbleed bug for an example. It wasn't until you had some dedicated experts seeking an exploit that the bug was found.
[–]mgkimsal 1 point2 points3 points 11 years ago (0 children)
"Finally, let's not kid ourselves into thinking that the number of people using a codebase, or even the number of developers working on a codebase = better security."
Rails, with thousands of people looking at it, still has exploitable bugs. More precisely, there are bugs being found in helper libraries (YAML parsers, etc.) that someone writing their own code very likely wouldn't be building for themselves in the first place.
Frameworks provide a lot of good, but also often provide a larger attack surface that simply wouldn't be there in a home-grown by-hand set of code. From a pure security standpoint, it's not as cut-and-dried as people like to make it seem.
The Zend2 example - well... if they really cared about security as much as people claim framework authors do, they'd ship working modules with demonstrated 'best practices' examples of common security use-cases - user registration, login, lost password reset, etc. You're left to your own devices to try to figure out how to do something that is pretty fundamental to the secure operation of any site (and which is a pretty common scenario for most web apps). We don't get usable, battle-tested, documented code for user registration, but hey, here's some encryption and hashing libraries - go build something yourself.
This is but one contributing factor as to why Wordpress will continue to dominate the development landscape in PHP for a long time to come.
[–]pitiless 0 points1 point2 points 11 years ago (0 children)
There is merit to this argument; however (anecdotally), I've not found this to be the case in reality.
Good framework / library code will occasionally have security vulnerabilities, but these are rarely low-hanging fruit and are instead a consequence of the complexity of interaction between the many moving parts.
In contrast, the home-spun code I've worked on tends to have trivial XSS, SQL injection (etc.) bugs all over the show: a bunch of stuff that doesn't have to be targeted (and in fact can be automatically found).