valorin,

I'm going to do a series on https://securinglaravel.com debunking the various "PHP and/or Laravel is Insecure" claims. Because they are getting pretty ridiculous... 😒

What claims would you like me to debug? 🕵️

(Pls boost for reach)

syntaxseed,
@syntaxseed@phpc.social

@valorin

Please discuss the "function names are inconsistent" criticism.

People refer to it ALL the time. And yet there is a method to the madness (array functions are one way, string functions are another) and other languages have similar silly inconsistencies.

And the fact that it hasn't just been wholesale 'fixed' is a testament to backward compatibility considerations.

valorin,

@syntaxseed Nice, thanks. I'll add it to my list. 👍

ramsey,
@ramsey@phpc.social

@syntaxseed @valorin Many of those functions are also just proxies to some underlying C function, and the parameter order and name were kept the same as in C, for familiarity.

bobmagicii,
@bobmagicii@phpc.social

@syntaxseed @valorin even the array_ functions aren't consistent with each other though lol.

syntaxseed,
@syntaxseed@phpc.social

@bobmagicii @valorin Aren't they? Oh lol... my editor autocompletes everything so I don't notice. 😆

thgs,
@thgs@phpc.social

@syntaxseed @bobmagicii @valorin I always enjoyed this personal feel that PHP creates, rather than having everything pedantically consistent.

wogan,

@valorin If you can just communicate that "Laravel is not Wordpress" and "not all PHP projects are built the same", that's like 80% of the perception problem right now.

Wordpress is an unauthenticated remote shell that happens to have a CMS built in, but its popularity has shaped the overall impression of what PHP is, and it's the worst possible example from a system design standpoint.

wogan,

@valorin Another common one is the politely-sanitized phrase "low barrier to entry", which in its truest form, is a kvetch that "any old riffraff can write PHP scripts and host them on free cPanel sites", and because it's "so easy", it's "inherently insecure" because anyone can write code in it.

Mostly I see this complaint from people who chose to start out on a really tough tech stack, and misattribute friction for good design.

valorin,

@wogan
Good points, thanks!

I spent some time in the WP security space, so my urge is to defend WP core (it's the plugins and themes that are insecure), but you're definitely right that the perception of WP being insecure hangs around PHP quite significantly. Folks assume that WP is insecure because of PHP, which is absurd. 😔

wogan,

@valorin I think to a lot of folks, the "it's the plugins" is a distinction without a difference: Wordpress, as a product/brand, promises a huge ecosystem of easily-installable third-party modules (arguably, the reason people use it at all), but unlike any other app store, doesn't take responsibility for the quality or security of those modules.

Wordpress the Core Codebase has very few CVEs, but Wordpress the Ecosystem is a nightmare, and the two are (arguably, correctly) conflated.

valorin,

@wogan Completely agreed.

That said, WP's nature is very different from a commercial app store. But the difference is lost on users, much like the WP vs Plugins insecurity discussion.

WP is in a tough position.

diggles_b,

@valorin it may be choir-preaching, but it never hurts to cover the basics like SQL injection protection, data validation, and how restful API keys work.

valorin,

@diggles_b I do a lot of covering the basics on my mailing list, and shall continue to do so. As you said, they are always important! 😁
