Domain: banshee-php.org
Stories and comments across the archive that link to banshee-php.org.
Comments · 32
-
Try Banshee
Banshee was built to be secure. And because complexity is the enemy, it's small and easy. That led to a very fast framework. But despite being small, it has many features, like weblog, a forum, newsletter, photo album and basic webshop functionality and libraries for databases, e-mail, HTTP, logfiles, etc. Worth giving it a shot.
-
Example of good PHP code
A language is just a language. It's the developer who makes code crap or good. It's very easy to start developing with PHP. Because of that, many young and inexperienced developers use PHP. That and only that is the reason why so much PHP code is crap. It has nothing to do with the language itself. With PHP, it's very well possible to write good, solid, fast and secure web applications. You want proof? Check out the Banshee PHP framework.
-
Re: If one goes open source PHP...
Try this one.
-
Frameworks and CMS's
I think that most frameworks and CMS's don't provide the right security that is needed to create a secure website. They offer protection against SQL injection, XSS and other common attacks, but don't provide a means for developers to make sure they used it correctly. Look at all the Wordpress plugins that keep on being vulnerable. How do you know a plugin is secure or not? In my opinion, there is a big difference between secure code and provably secure code. So, it's not only web developers making the same mistake. It's also frameworks and CMS's not providing a truly secure base.
In the framework I make, I always keep in mind that some other developer will use my code to build an actual website. How will that developer use it? How to make sure that developer uses it correctly? Whenever possible, I make sure that things are secure and restricted. If you want to do things that are potentially insecure, you have to disable certain security checks. For example, all output is escaped to prevent XSS. If you really want to output HTML, you have to disable the escaping. My framework comes with a script that performs a security audit for common errors. I really think that my framework is the most secure available and it's very hard to build something insecure with it that is hard to detect.
-
Re: Drupal is revolting
How about the Banshee PHP CMF?
Yeah... you may want to start scrolling down the Google images of Banshee and look up CMF (see definition 2 and my humble apologies in advance) before you recommend this to your boss as a safe substitute for Drupal.
I know some people might argue that this is an unfair generalization from one developer to the whole project; that Drupal isn't entirely about screwing you in gratuitous and unpleasant ways you can't escape from. Oh, who's kidding -- this was their plan all along.
-
Re: Drupal is revolting
How about the Banshee PHP CMF?
-
Re: Who the fuck uses anything PHP in production?
Having PHP on a server means it will get owned.
I've been using PHP for many years, got a lot of hack attempts, but never got owned. So, give me your best shot.
-
Re: Friends
Banshee for sure!
-
Re: Sanitizing Untrusted Input
PHP is not the issue. Yes, it's an easy language which draws a lot of noobish programmers. But it's not hard to make a secure website with PHP. Take a look at this framework for example.
-
Banshee for sure!
It's more of a CMF (Content Management Framework) than a CMS, but I think nothing beats Banshee. It's secure, fast, small (therefore easy to learn) and has many ready to use modules. It has a clear MVC structure, so changing or extending the code is easy.
-
Re:Stop. Using. Wordpress!!
No one is capable of securing Wordpress. On the other hand, there are other CMSes out there that don't need special attention to make them secure.
-
Re:STFU
Name a better CMS.
-
Re:PHP
Well, then hack one of my websites. Fail, and you're nothing but a loudmouth kiddo.
-
Re:PHP and CGI make it too easy...
And also too easy to do it right.
-
Re:php frameworks
PHP has nothing to do with it. PHP is just as secure / insecure as any other language. It's the fact that PHP is easy to learn, easy to use and easy to deploy that attracts many people, including noobs. It's the noobs that cause the problems.
To prove that PHP can be used to create a rock solid and secure website, take a look at the Banshee PHP Content Management Framework. I dare you to try it. You will be surprised by its security, flexibility, easiness and speed.
-
Re: PHP - 21st Century COBOL
-
Re: PHP - 21st Century COBOL
-
It's not about the language
This endless PHP bashing is getting a bit sad. Sure, earlier versions of PHP did have some bad things, but with PHP 5 it's very easy to create solid applications. You still may not like PHP, that's fine. In that case the only wise thing to do is to choose something else. But for any badly written application in PHP 5 I'm 100% sure that the programmer is to blame, not the language. Yes, looking at all the other modern programming languages these days, I think that's the case for all of them. But PHP 5 is a modern and mature programming language and has everything you need to write a modern web application. It can easily compete with the others.
To all those PHP-haters: bash and whine whatever you like. The world doesn't care. Look at the statistics: PHP is used much by many. It's here to stay. Grow up and move on.
Myself, I use PHP a lot. I've written my own framework. I really like PHP, because it's easy to use and especially because it's so easy to deploy. Easier than many other languages. I'm really looking forward to what PHP 7 has to offer.
-
Re:And still we don't learn
I'm talking about the Banshee PHP framework. I'm open to feedback. But when I get the usual vague claims about issues without any proof or pointless flaming about how it's not anything like Wordpress, then I'm out.
-
Re:And still we don't learn
He uses the Banshee PHP framework.
-
Not really happy
As the author of an open source webserver, I must say that I'm not really happy with HTTP/2. It adds a lot of extra complexity to the server side of the protocol. And all sorts of ugly and nasty things in HTTP/1 (too much work to go into that right now) have not been fixed.
What I have experienced is that SPDY (and therefore also HTTP/2) will only offer more speed if you are Google or are like Google. Multiplexing doesn't offer that much speed increase as some people would like you to believe. Often, the content of a website is located on multiple systems (pictures, advertisements, etc), which still requires that the browser uses more than one connection, even with HTTP/2. Also, HTTP/1 already allows a browser to send multiple requests without waiting for the response of the previous request. This is called request pipelining, but is turned off by default in most browsers. What I also often see is that a browser makes a first request (often for a CGI script) and the following requests (for the images, JS, CSS, etc) are never made due to browser caching. So, to me HTTP/2 adds a lot of complexity with almost no benefits in return.
Then why do we have HTTP/2? Well, because it's good for Google. They have all the content for their websites on their own servers. Because IETF failed to come up with a HTTP/2 proposal, a commercial company (Google in this case) used that to take control. HTTP/2 is in fact a protocol by Google, for Google.
In my experience, you are far better off with smart caching. With that, you will be able to get far better speed-increase results than HTTP/2 will ever offer. Especially if you use a framework that communicates directly with the webserver about this (like I did with my PHP framework). You will be able to get hundreds to thousands of requests per second for a CGI script instead of a few tens of requests. This is a speed increase that HTTP/2 will never offer.
I think this is a failed chance to do it right. HTTP is, just like SMTP and FTP, one of those ancient protocols. In the last 20 years, a lot has changed. HTTP/1 worked fine for those years. But for where the internet is headed, we need something new. Something completely new and not a HTTP/1 patch.
-
Re:Not the same use cases
Symfony, Drupal, Wordpress, nah. They all forgot to include the most important thing in the base: security. Especially Wordpress, look at its spaghetti code and then look at the Banshee PHP framework. If you understand what that framework does for security, you'll never dare to run Wordpress or the other junk frameworks again.
-
Re:At this surprises who?
PHP done right. I challenge you to find a security leak.
-
Re:PHP flame
What a cheap flame. And how not original. And you're wrong. SQL injections can be done with every language. To solve this, all it takes is a programmer who understands what he's doing and knows about a vulnerability that has been known for about 20 years and for which there is NO excuse for not knowing it.
It's not really hard to do it right, even in PHP. And there is a simple proof for that.
-
Re: It's not that hard to do it right
You might want to take a look how the Banshee PHP framework deals with SQL. With its SQL driver and the security_audit script, it's really hard to have an SQL injection error in your code.
-
Re:It's not the knife...
That's good for you, but it's still an opinion. I don't think that PHP works against the programmer. Talking about Django, I don't like it. I've taken a look at it, but I think it's too much hassle to get a simple website running. I've created my own framework, the Banshee PHP framework. It's fast, secure and easy to use. The websites you can make with Banshee are just as good as the one you can make with Django.
-
Re:PHP with Banshee framework
Don't focus on a language only. Also look at a good framework. My advice is the Banshee PHP framework. It mainly focuses on security, which is the only important thing these days. I know this will be seen as spam, but do yourself a favor and just take a look at it for 15 minutes.
-
Re:PHP: The Good Parts
A very good part: Banshee PHP framework.
I know this post will be flagged as spam. But if you like PHP, I challenge you to give this framework a try. At least take a look at the online demo.
-
Laravel, more of the same...
Taken a quick view at Laravel, it's again a framework like one in a dozen.
All such PHP projects can be divided into two groups: frameworks and CMS-es. A big problem with all those PHP frameworks is that you have to write stuff like user administration, authentication, static pages from the database, etc yourself. In my opinion, in many cases the MVC architecture is not implemented in a clean way and it's often too complex to translate a URL to an actual file on disk.
A big problem with most CMS-es (like Wordpress, Joomla and TYPO3) is that it's one big chunk of code. There is no clear separate framework layer. It's quite a torture to add or change functionality by writing code. And don't even get me started about security!
That's why I wrote the Banshee PHP framework. Clear MVC implementation, easy routing, strong focus on security and clear separation between framework layer and CMS. Clear the controller, model, view and css directory and what's left is the framework. Although I call it a framework, it's more of a framework / CMS hybrid.
It is not my intention to spam about my framework, but I realize this post can be seen as such. Sorry for that. I only want PHP developers to know there is more than those minimalist frameworks or bloated CMS-es.
-
Re:A fractal of bad design
Wordpress 'clean'?? Seriously??
The only place where I use Wordpress is in my 'Secure Web Programming' course. Wordpress is a beautiful example of how NOT to write your code. It has no MVC structure and has no single entry-point. The Wordpress developers probably never heard of functions, because every file is one big piece of linear code. It offers no secure API for plugins, hence the very long list of insecure plugins. Wordpress is nothing more than a piece of junk that should be avoided by EVERYONE!
You want a good example of a secure, clean and solid PHP framework? Try Banshee.
-
Banshee on Hiawatha
Use the Banshee PHP framework on the Hiawatha webserver. Both have a strong focus on security and offer good speed. Use stuff like Drupal, Joomla and Concrete5 if you want your website to be extremely slow. Use Wordpress if you want a guarantee to be hacked.