Newsgroups: php.internals
Xref: news.php.net php.internals:112831
Date: Sun, 10 Jan 2021 09:11:26 -0600
To: PHP internals
Subject: Re: [PHP-DEV] silly question : what is more secure at the moment, php7, php8, or plain .sh shell scripts?
From: tendoaki@gmail.com (Michael Morris)

The most secure setup possible is to use a static site generator and upload its output to a static server with no server side parsing enabled. In my opinion Hugo is the best of these, which is written in Go, and that's its largest drawback - written in a language I'm not too familiar with. Jigsaw is a PHP implementation of the same concept, but I haven't had a chance to try it out. There are a lot of sites out there using WordPress and Drupal which are so small and so infrequently uploaded that, frankly, the owners could do themselves a huge favor by switching over.

If your problem scope still requires server side scripting you'd be better served leaving the server security to the experts.
Look into AWS, Microsoft's Azure at a start, and there are also more PHP centric providers like Aquina or Pantheon. Owning and managing the silicon directly isn't advised anymore and hasn't been common practice for at least a decade.

On Sun, Jan 10, 2021 at 2:10 AM Rene Veerman <rene.veerman.netherlands@gmail.com> wrote:
> hi.
>
> I run a website which I want to harden against hacking by 3rd parties.
>
> I wrote this website back in 2002-2010, and then built apps on top of the base code.
>
> Now I want to upgrade the entire thing to the latest CSS3 standards and also include anti-hacking measures, because at one point I got kicked off the internet by my ISP because they detected the thing had indeed been hacked, and someone installed phishing software on my site.
>
> I want to employ cron jobs that run regularly, to do checksum testing of vital parts of my operating system.
>
> Ideally, I could have a script run indefinitely or every 2 seconds, as root, from cron, to test for changes to my filesystem (well, the part that is governed by the Directory section in /etc/apache2/sites-enabled/001-localhost.conf) and vital OS config files.
> But I do wonder if this is going to wear out the SSD where the OS and webserver files are stored.
> And I wonder if I should be writing this script as some sort of shell script (bash? /bin/sh? I dunno (I run Ubuntu 20.04)), or if I could be using the convenient PHP for it.
>
> And I would like to know if, as far as exploits go, it's better to stay (currently) on PHP 7.4, or move my entire setup to PHP 8.
>
> Thanks for your attention and any help you might provide me. :)
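The cron-driven checksum job that the quoted question describes, as an added example that is not part of the thread and is neither Rene's nor Michael's code: a POSIX sh script that records a sha256 baseline of a directory tree (the Apache document root from the Directory section, or /etc for the OS config files) and later reports every CHANGED, MISSING and NEW file. It is written in sh rather than PHP so that the check does not depend on the interpreter it is guarding. It assumes GNU findutils/coreutils (find -print0, sort -z, xargs -r, sha256sum), which Ubuntu 20.04 ships; the directory layout and file contents in demo() are constructed for the demonstration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. File-integrity baseline/verify for
# a directory tree in POSIX sh, using GNU find/sort/xargs/sha256sum (Ubuntu
# 20.04). Directory and file names in demo() are constructed.
set -eu

# make_baseline DIR OUT
# Writes "sha256  ./relative/path" for every regular file under DIR to OUT,
# in a fixed (C-locale) order. -print0/-0 keep names with spaces or newlines
# intact; -r stops xargs from running sha256sum on stdin when DIR is empty.
# OUT must live outside DIR (and outside anything the web server can write).
make_baseline() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum ) > "$out"
}

# verify_baseline DIR BASELINE
# Re-hashes DIR and prints one line per difference: "CHANGED p", "MISSING p"
# or "NEW p". Returns 0 only when the tree matches the baseline exactly.
verify_baseline() {
    dir=$1; base=$2
    cur=$(mktemp)
    make_baseline "$dir" "$cur"
    # Each sha256sum line is 64 hex digits, two spaces, then the path, so the
    # path is substr(line, 67); splitting on whitespace would break on spaces.
    report=$(awk '
        FILENAME == ARGV[1] { old[substr($0, 67)] = substr($0, 1, 64); next }
                            { new[substr($0, 67)] = substr($0, 1, 64) }
        END {
            for (p in old)
                if (!(p in new))           print "MISSING " p
                else if (old[p] != new[p]) print "CHANGED " p
            for (p in new)
                if (!(p in old))           print "NEW " p
        }' "$base" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# demo: build a throwaway "document root", baseline it, tamper with it, verify.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/site/inc"
    printf '<?php echo "index";\n' > "$work/site/index.php"
    printf '<?php $cfg = 1;\n'      > "$work/site/inc/config.php"
    make_baseline "$work/site" "$work/baseline.sha256"
    verify_baseline "$work/site" "$work/baseline.sha256" && echo "clean tree: OK"
    printf 'tampered\n' > "$work/site/inc/config.php"   # modified in place
    printf 'dropped\n'  > "$work/site/upload.php"       # new file
    rm -f "$work/site/index.php"                        # deleted file
    verify_baseline "$work/site" "$work/baseline.sha256" || echo "verify exited $?"
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run `sh fim.sh demo` to see the clean and tampered runs; in production, call make_baseline once from a known-good state and verify_baseline from root's crontab at whatever interval you like. Two points from the question are worth stating plainly: the baseline file is the trust anchor, so it must sit outside the web root and be unwritable by the web server user (an attacker who can drop a file into the document root must not be able to rewrite the reference hashes too); and a run like this only reads the tree, so SSD wear, which comes from writes and erases rather than reads, is limited to the one temporary listing per run. Ubuntu already ships tooling for the same job with more care taken (debsums checks installed package files against dpkg's recorded checksums, and AIDE does general file-integrity monitoring), so the script above is mainly useful for the site tree itself.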