PHP and MySQL are this generation’s BASIC, the language that was described thusly by the Free Online Dictionary of Computing
BASIC has become the leading cause of brain-damage in proto-hackers. This is another case (like Pascal) of the cascading lossage that happens when a language deliberately designed as an educational toy gets taken too seriously. A novice can write short BASIC programs (on the order of 10-20 lines) very easily; writing anything longer is (a) very painful, and (b) encourages bad habits that will make it harder to use more powerful languages well. This wouldn’t be so bad if historical accidents hadn’t made BASIC so common on low-end micros. As it is, it ruins thousands of potential wizards a year. [ed — possibly mis-attributed quote. ]
I’m not going to comment on code. We have coders here who love PHP and those who don’t. .
But focusing on the security perspective, LAMP can be a deadly combination. Let’s face it: People get sloppy with security policies for Apache, MySQL and PHP. I can’t believe the amount of crap I see out there that’s only in existence because of loose security and poor (or more likely, non-existent) patching practices.
We use PHP ourselves in our beta forums. But it gets tiring dealing with open source in a commercial environment. PHP is routinely exploited and we have to constantly stay on top of our code to keep it updated and secure.
I do understand the other side — so many people have gotten their start with some quick PHP scripts and MySQL. Look at Paul Laudanski at CastleCops and Suzie Turner at SpywareWarrior — both have created robust, highly secure PHP-based sites (and in the case of Paul, he’s admirably stretched MySQL to its absolute limits).
And, yes, any language can be mis-used and exploited.
So before the comment storm starts, I am not bashing Perl, Python or PHP. I’m not bashing Apache (well, not really…). And dear God, I’m not bashing Linux, or else I know that my website will be blown up by Microsoft-hating vigilantes.
It’s just like this: Like any tools (including, umm, chainsaws), one has to know how to use them and be responsible for their use.
I’ve seen way, way too many hacked Apache servers not to say something.