PHP, security and the environment

This thread was split off from How to create a POS system

That’s quite the claim. Care to back that up? With actual sources please. Not anecdotes or legacy bashing.


Two examples demonstrated on this forum frequently.

Leaving databases susceptible to SQL vulnerabilities in light of PHP making it so easy to do. Building very poor authentication solutions with outdated methodologies that can easily be hacked.

Both seem to be inherent to the PHP community, promoted by the natural ease of learning PHP.

Also, PHP CMSs that still employ HTML rendering on the server are highly susceptible to defacement attacks.

Security is in direct opposition to PHP’s original intention to make it easy to learn and build sites.

Security is naturally an enemy of simplicity. For example, MFA isn’t as easy as a single password to authenticate. Professional software is developed with security at the front, not ease of use.

Therefore, this endeavor’s natural fate is to be more susceptible to attack than modern alternatives.

Not to mention all those PHP servers constantly running contribute to the global climate crisis. Energy is a national security concern. More needs to be done for developers to take responsibility and correct their destruction of the environment. Those who use PHP are enemies of the environment and must be brought to light and held accountable for that assault on our most precious resources.

Never read such nonsense before…

PHP is a programming language. It is a basic tool to write applications, like a hammer to build a house. If you use this tool correctly it is as good or bad as all other tools.
If you can’t handle the tool you should use another one, but that’s not the fault of the tool itself but your incompetence.


It’s only nonsense if you don’t understand that servers require energy to run and be on all the time. Hosting a PHP project with a traditional database is equivalent to leaving the lights on all the time and the shower running all day, every day. On a mass scale, like millions of WordPress websites, that directly contributes to the climate crisis. You are right though that this isn’t only a PHP problem, but it is a global problem with inefficient technology solutions heavy on servers. Contribute to the crisis at your own risk, especially as legislation begins to hold wasteful companies accountable. I’m preparing for a day when servers are regulated like drilling to combat the climate crisis. It’s not out of the question in America and Europe’s clean energy initiative. If you run a PHP site with very little traffic you are wasting energy every second no one is accessing the site. If you run a PHP site with a lot of traffic you are consuming a lot of energy and contributing directly to the climate crisis. Developers can do better to protect the environment and take an active role in preservation efforts.

Examples are anecdotes. I asked for sources.

And I’d like to also see a source that PHP is actively harming the environment, more so than any other language. Without any sources that’s just an opinion.


Actually, Rasmus has already addressed this issue. I’ve timestamped the YouTube video. The majority of servers should really be running PHP 8. If not, at least the last supported PHP 7, and even then, you should really be upgrading to PHP 8 since PHP 7 is no longer supported.

Actually, no. That’s factually incorrect. The majority of the PHP community actually dislikes legacy code. I don’t know about other forums, but the people in this forum strongly, and I don’t mean that lightly in any way, strongly discourage the use of legacy and unsafe code. We tend to tell the members of this community to use modern code.

Also to that fact, poorly implemented systems can be written in any programming language. It isn’t just a PHP thing. I’ve always preached this day in and day out: security is a universal thing. It’s not just a PHP thing. You can write poorly implemented systems in C#, Java, NodeJS, C++, Python, Ruby, etc. All you need to do is have 1 little slip up and you’ve compromised the entire system. Is that so different from your claim of PHP? Not really. It’s all the same. I can easily write a poorly implemented login system in say C# or even in Python.

Do you remember the Iowa caucus app back 2 years ago? It was apparently supposed to give people with mobile phones the ability to sign up and vote and the ability to see how many votes there were for running candidates. Guess what? The app broke and everyone thought Pete Buttigieg rigged the numbers. Nope, a lot of software developers started pinpointing it and everyone was saying it was due to a single if statement being poorly written. Guess what language that app was written in? Definitely wasn’t PHP if you have to install the app on your mobile phone. That’s right, it was written in Python.

Here’s an article on that failure.

So realistically, what you’re complaining about isn’t the language itself, but the people who don’t care about using modern technology.


Using technology from before 1980 is much safer than all the modern technologies :smiley:


But to be honest…

The risk of having a security issue rises with the usage of new technology. Why do you think the engineering of Airbus still uses a more than 20 years old version of VxWorks? Because this is a validated version which has been tested and approved for many years.

In the end it’s a choice between plague and cholera. Take the newest versions and hope they are bug free, or take the old ones and hope no one will ever find a leak in them, if there is any.

I don’t agree with you if you say that, in general, taking the newest and most modern technologies is the most secure way.
