PHP is apparently un-secure compared to other technologies where backend files don’t live in the webroot?

Viewing 15 posts - 1 through 15 (of 36 total)
  • Author
  • #1874

    I just had a discussion with my teacher (who by the way has years of experience with [](, Python, Django, PHP, Java and C++) about PHP and he mentioned and tried to explain why PHP is a un-secure architecture because it’s mainly designed that the files live in the webroot.

    On one side, i get him – php is the only technology that does this by default – but on the other hand i don’t understand his concerns. If it really was **such a big** issue, why is php then still on the market?
    PHP files and the `<?php` blocks are only executed server side – so why would he state or assume this?

    ### Edit
    Based on the comments, here is more context.

    I discusses with him about a php app that I might plan to build and he came up with the statement that php is not that secure because all files live inside the webroot. The teachers latest projects consisted of e.g. Django where the application lies behind a proxy server. This, however, is also possible with php to serve the files behind a nginx proxy server.

    When asking him why he made that statement, he commented that php is a old and badly architectured technology. It was a quick and dirt cheap solution back in the days to create websites compared to Microsoft solutions.

    After that, we stopped discussing about it.

    ### Edit Edit
    I didn’t expect this post to gain so much traction. I mainly agree with you all that php is a secure language, otherwise why would it still be around (which is my main argument while only having basic knowledge of the things you pointed here out)? With more than 150 comments, I read most of them but only replied to few of them. Thanks for all your inputs tho 🙂


    Like many teachers in this field, their knowledge is extremely outdated at best.


    Because they are a teacher, they likely haven’t played a big role in the industry in the past few years and their perspective is probably outdated. This is one of the problems with career teachers that teach technology. The technology moves too quickly for them to be able to keep up with.


    > php is the only technology that does this by default

    This has nothing to do with PHP. It’s about the configuration of web servers and the app frameworks.

    To give some examples:

    – years ago it could happen that after an update Apache served PHP files as plain text (thus, exposed the sources), this happened when it ‘loosed’ track of mime types (or some other wanky settings)
    – many PHP apps kept their source files in web root and “secured” them using the `defined(‘FOO’) or die()` statement
    – currently, most of the frameworks keep their source files outside of the web root. There’s no way one could access them unless there’s a bug in the software.


    **Nobody** does that anymore, unless they’re really incompetent. Every modern application will have a single index.php in the webroot and that’s it.


    With the greatest respect to you teacher’s years of experience, this is nonsense.

    There’s nothing implicitly insecure about storing files in the root of your web server directory.

    The insecure thing would be to have the *source* of those files exposed to the outside world. Any files ending in `.php` will not, on a properly-configured web server, expose their source to the world.


    There’s one unique vector of attack that having your code in the webroot opens up: A failure in the web server (either a misconfiguration, or causing the server to misapply its configuration. This predicates on things outside the attacker’s control and all web runtimes have this problem even if the specific vector doesn’t involve webroot attacks.

    Basically; your teacher isn’t very good at their job. Insist that they back up their claim with specifics.


    Twenty years ago, the standard PHP app would have a file structure like this:


    When a user loaded `` in the browser, then the webserver (usually Apache) would load and execute `pictures.php`. So each page on your website would have a different PHP file. This was indeed a problem for a few reasons:

    * it tightly coupled your file structure with your websites URLs
    * it exposed a lot of information insecurely
    * if an attacker could upload a PHP file to your web folder, they could execute it
    * files tended to get into a bit of a mess – it was impossible to follow SOLID principles, for example

    However, modern frameworks use the “front controller” pattern, so your file structure looks like this instead:

    /public/index.php <– the ‘front controller’

    When a user loads `` in the browser, it first executes `index.php`, which then loads `Pictures.php`. The webserver would be able to execute only files in the `public` directory. This is more secure, more flexible, and easier to test and architect.

    A lot of codebases do still use the old way of doing things. Some of those codebases are hopelessly insecure, but some (e.g. WordPress) achieve the same goals in different ways.


    >has years of experience with, Python, Django, PHP, Java and C++)

    This is the answer; working on so many things means he doesn’t know any one of them correctly.

    Also; years is irrelevant. Most people stop learning after some level and just keep doing same thing they did in (for example) first year. So when someone repeats that 10 times, it is far from person who kept learning for 10 years.


    If possible, replace teacher with someone more competent. It is obvious you will not learn anything from that guy. This is literally the most basic knowledge and he failed that.


    Your teacher has vastly outdated knowledge. Please have him install larval or symfony and then explain what he thinks.


    Ask him how he feels about viewstate or their new database application layer every other year, I swear Microsoft for the first 15 years really fucked up the mindset of web developers using their stack. How about those websites that asked the end user to download activex components anyone remember those? Should we all be judging the .net platform based on how it behaved in 2003? Do we want to talk about the trail of millions of unpatched java implementations? Django is a framework, compare it to Laravel not base php.

    Honestly this guy may know his stuff (I doubt it though) but it very much sounds like he is completely ignorant when it comes to stacks that are not his own.

    > On one side, i get him – php is the only technology that does this by default

    no it really is not.


    Your teacher is wrong.

    >php is the only technology that does this by default

    You are wrong too.

    You can also misuse Ruby, Node, Java and so on, this is not a specific trait of PHP and depends highly on the framework.

    What many people get wrong is they confuse framework-less PHP with sophisticated Ruby/Node/Whatever frameworks and compare apples and oranges or put WordPress on the same level as framework $theLatestShit — which also is comparing apples and oranges because WordPress’ architecture is horribly outdated.


    insecure? “lacking in security”

    In order for front end to communicate with backend something has to be accessible, PHP isn’t magically less secure because it has <?php echo date(‘Y’); ?> within some html page (just for example)

    I don’t think he fully understood something he read, and tried to argue it’s points incorrectly is me giving him benefit of the doubt.


    Those who can, do.

    Those who can’t, teach.


    What your teacher says is probably valid 10 years ago, but ever since Composer, FIG, and modern practices came to mainstream PHP developer, this web root story is not really anymore valid.

    Most applications nowadays only have one index.php file with a require call to a bootstrap file outside the web root. No more htavvess trickery or WordPress-esque “silence is golden” comments.

Viewing 15 posts - 1 through 15 (of 36 total)
  • You must be logged in to reply to this topic.