php from the point of view of a webhoster
TRANSCRIPT
speaking @webilea
About me
Working @cyon since early 2008
Developer and #devops
Studying computer science at Uni Basel
Linux user
mod_rewrite guru
NBA Jam addict
Overview
PHP in 20 seconds
Why so famous?
PHP on a server
Security
Worries and concerns
Summary / Q&A
PHP in 20 seconds
Scripting language on server side or as cli
Introduced in 1995
PHP4 2000 -> Zend Engine 1.0
PHP5 2004 -> OOP, PDO, JSON, performance
PHP5.3 2009 -> namespaces, closures, LSB, ...
Dynamic typing
Stream, Session, DB access, image processing, ...
Arrays in PHP are the sets and maps of Java
Why so famous?
Approx. 30% in scripting languages
http://phpadvent.org/2010/usage-statistics-by-ilia-alshanetsky
My own view, not necessarily correct.
Why so famous? #2
It's easy, cheap and stable
LAMP stack (Linux, Apache, MySQL, PHP)
Steep learning curve (gains diversity)
Community
Libraries and ready to use apps
Community -> the level is rather low, beginners helping beginners. The tone is not always great.
PHP on a server
                mod_php             FastCGI                    CGI
Web             Apache module       gateway                    binary
Process         Apache process      php-cgi                    php-cgi
Configuration   Apache conf files   wrapper                    php.ini
User            Apache user         Shell user or suexec user  suphp
PHP on a server #2
Apache and PHP CGI
Multiple PHP versions
Self compiled PHP version (make install)
Control over php.ini
PEAR and PECL installed
Compile it yourself, because distros are slow with PHP releases.
cyon is a shared hoster.
Customer expectations.
Security
Long history of fails
register_globals
Safe Mode (deprecated in PHP 5.3)
SQL Injection
Cross-site scripting (XSS)
Plugin code quality (WordPress, Joomla, ...)
FTP with plain authentication
Security #2
suhosin patch (hardened-php.net) and suPHP
Disabling Functionality
Preventing information disclosure (display_errors)
Restricting Includes
Restrict File Uploads
mod_security (false positives)
Check file permission
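The hardening points on the two Security slides (register_globals, display_errors, restricting includes, file uploads, disabled functions) can be checked mechanically before a customer's php.ini goes live. The following audit script is an added example, not code from the talk or from cyon; the sample php.ini is constructed, and the list of directives it checks is an assumption about what a shared hoster would want.

```python
"""Audit a php.ini against the hardening points on the Security slides.
Added example, not code from the talk; the sample ini files are constructed."""
import re

# Directives a shared hoster forces off (register_globals, display_errors,
# remote includes, uploads) and ones that must carry a non-empty value.
WANT_OFF = ["register_globals", "display_errors", "allow_url_include",
            "allow_url_fopen", "expose_php", "file_uploads"]
WANT_SET = ["open_basedir", "disable_functions"]   # assumption: required

_ASSIGN = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")

def parse_ini(text):
    """Return {directive: value}. Comments (';' / '#') and [section] headers
    are skipped, the last assignment wins (as in PHP) and quotes are removed.
    Simplification: a ';' inside a quoted value is treated as a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith(("#", "[")):
            continue
        m = _ASSIGN.match(line)
        if m:
            conf[m.group(1).lower()] = m.group(2).strip('"\'')
    return conf

def is_on(value):
    """PHP's boolean ini parsing: 1/On/True/Yes are true, anything else false."""
    return value.strip().lower() in ("1", "on", "true", "yes")

def audit(text):
    """Return a list of findings; an empty list means nothing to complain about."""
    conf = parse_ini(text)
    findings = []
    for key in WANT_OFF:
        if key not in conf:
            findings.append(f"{key}: not set explicitly (relying on defaults)")
        elif is_on(conf[key]):
            findings.append(f"{key}: is On, should be Off")
    for key in WANT_SET:
        if not conf.get(key):
            findings.append(f"{key}: empty or missing")
    return findings

# Constructed sample: a customer-supplied php.ini as it often arrives.
SLOPPY_INI = """[PHP]
display_errors = On       ; leaks paths and SQL into error pages
allow_url_include = Off
allow_url_fopen = On
expose_php = 1
file_uploads = Off
open_basedir = "/home/customer/www:/tmp"
disable_functions =
"""
```

Running `audit(SLOPPY_INI)` reports five findings, among them the missing register_globals line, display_errors being On and the empty disable_functions.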
Worries and concerns
No opcode caching
App monster like typo3 or magento
- The monster
[Chart: 6337 files in total, of which .php 1246 and .gif 3040]
Peak up to 128 MB per request
Very complex
A lot of options to mess with
mod_rewrite voodoo
PHP5.3 -> lots of deprecated functions
Developers want *bling bling*
My website is hacked what now?
Worries and concerns #2
Worked on my local machine!
No clearing of cached files
Updates - never touch a running system
Store files in database
Corrupted databases
Auto-updates help a lot (WordPress)
Summary
PHP has a lot to offer feature-wise
PHP is highly flexible & configurable
Attracts a wide range of users
Lots of abuse cases are PHP related, but that's not the fault of PHP
Scaling is limited (left out due to time limit)
Q&A