Groups > comp.lang.php > #19611 > unrolled thread
| Started by | ^Bart <none@none.it> |
|---|---|
| First post | 2026-02-24 09:41 +0100 |
| Last post | 2026-03-07 13:19 +0100 |
| Articles | 6 — 4 participants |
New PHP project from scratch, PDO or psycopg? ^Bart <none@none.it> - 2026-02-24 09:41 +0100
Re: New PHP project from scratch, PDO or psycopg? Arne Vajhøj <arne@vajhoej.dk> - 2026-02-24 07:40 -0500
Re: New PHP project from scratch, PDO or psycopg? "J.O. Aho" <user@example.net> - 2026-02-24 15:39 +0100
Re: New PHP project from scratch, PDO or psycopg? Lawrence D’Oliveiro <ldo@nz.invalid> - 2026-02-24 20:29 +0000
Re: New PHP project from scratch, PDO or psycopg? ^Bart <none@none.it> - 2026-03-07 11:17 +0100
Re: New PHP project from scratch, PDO "J.O. Aho" <user@example.net> - 2026-03-07 13:19 +0100
| From | ^Bart <none@none.it> |
|---|---|
| Date | 2026-02-24 09:41 +0100 |
| Subject | New PHP project from scratch, PDO or psycopg? |
| Message-ID | <10njo8g$3n983$2@dont-email.me> |
Hello everyone,

I work in a company that is 100% Unix-like, we don't have MS O.S., and our framework works with psycopg on Debian 13 + venv.

I'm working on a personal CMS written from scratch, again on Debian 13 with PHP 8.4, PostgreSQL 18 and nginx. Now I'm using psycopg, so I have a different user for the PHP and another one for the venv etc.

I heard psycopg is better than PDO for security reasons and also for performance, tell me what you think about it! :)

^Bart
| From | Arne Vajhøj <arne@vajhoej.dk> |
|---|---|
| Date | 2026-02-24 07:40 -0500 |
| Message-ID | <10nk67t$3rtf3$1@dont-email.me> |
| In reply to | #19611 |
On 2/24/2026 3:41 AM, ^Bart wrote:
> I work in a company 100% unix like, we don't have MS o.s., and our
> framework works with psycopg on debian13+venv.
>
> I'm working on a personal cms written from scratch, always on debian13
> with php8.4, postgresql18 and nginx, now I'm using psycopg so I have a
> different user for the php and another one for the venv etc.
>
> I heard psycopg for security reasons and also for the performance is
> better than pdo, tell me what you think about it! :)

psycopg is Python not PHP.

Do you mean PDO or pgsql??

Arne
| From | "J.O. Aho" <user@example.net> |
|---|---|
| Date | 2026-02-24 15:39 +0100 |
| Message-ID | <n05rh8Fkfm1U1@mid.individual.net> |
| In reply to | #19611 |
On 24/02/2026 09.41, ^Bart wrote:
> I work in a company 100% unix like, we don't have MS o.s., and our
> framework works with psycopg on debian13+venv.
>
> I'm working on a personal cms written from scratch, always on debian13
> with php8.4, postgresql18 and nginx, now I'm using psycopg so I have a
> different user for the php and another one for the venv etc.
>
> I heard psycopg for security reasons and also for the performance is
> better than pdo, tell me what you think about it! :)

I think this is more about layering the application: the frontend, I guess, is written in PHP while the backend is written in Python. I would keep that separation and only allow the backend to access the database; also keep it at such a level that the backend doesn't trust the data from the frontend, that all data is validated before use. Sure, the frontend shouldn't trust the users either and should validate their input.

Sure, you could have written everything in one or the other language (Python can do both frontend and backend, as you can do with PHP too, even if less common), but I doubt you have the power to decide this.

-- 
//Aho
| From | Lawrence D’Oliveiro <ldo@nz.invalid> |
|---|---|
| Date | 2026-02-24 20:29 +0000 |
| Subject | Re: New PHP project from scratch, PDO or psycopg? |
| Message-ID | <10nl1mf$6bih$2@dont-email.me> |
| In reply to | #19613 |
On Tue, 24 Feb 2026 15:39:36 +0100, J.O. Aho wrote:
> Sure you could have been able to write everything in one or the
> other language (python can do both frontend and backend, as you can
> do with php too even less common), but I doubt you have the power to
> decide this.

You could make the case to your PHP-loving PHBs to write the whole thing in Python on the basis that it is a more sophisticated language, with built-in support for async/await, advanced libraries for convenient access to WebSocket functionality etc. And it doesn’t need to run as a module in a web server.
| From | ^Bart <none@none.it> |
|---|---|
| Date | 2026-03-07 11:17 +0100 |
| Message-ID | <10ogu0k$1ekv9$1@dont-email.me> |
| In reply to | #19613 |
Thanks for your reply! :)

> I think this is more about layering the application, the frontend I
> guess is written in PHP while the backend is written in Python.

Frontend and backend (the admin backpanel) are written in PHP and I think I understood I should use PDO...

> I would keep that separation and only allow the backend to access the database,
> also keep it on a such level that the backend don't trust the data from
> the frontend, that all data is validated before use, sure the frontend
> shouldn't trust the users and validate their input.

I need to know how to plan my project to improve security. My website and mobile app will be like a social network; I'll have (I hope!) a lot of users whose data will be shown on the frontpanel, and a backpanel where the admin will manage all data and "power users" a piece of data.

> Sure you could have been able to write everything in one or the other
> language (python can do both frontend and backend, as you can do with
> php too even less common), but I doubt you have the power to decide this.

Now I'm writing the project in my free time and I can do everything, but I'd like to do the best things for security. I'm a Unix-like user since 1996, I've used Debian since 2003 and also Kali for pentesting.

> -- 
> //Aho

^Bart
| From | "J.O. Aho" <user@example.net> |
|---|---|
| Date | 2026-03-07 13:19 +0100 |
| Subject | Re: New PHP project from scratch, PDO |
| Message-ID | <n12jf6F74pdU1@mid.individual.net> |
| In reply to | #19615 |
On 07/03/2026 11.17, ^Bart wrote:
>
> Thanks for your reply! :)
>
>> I think this is more about layering the application, the frontend I
>> guess is written in PHP while the backend is written in Python.
>
> Frontend and backend (the admin backpanel) are written in PHP and I
> think I understood I should use PDO...

As this isn't about Python anymore, remove that part from the subject and the crossposting to the Python newsgroup.

>> I would keep that separation and only allow the backend to access the
>> database, also keep it on a such level that the backend don't trust
>> the data from the frontend, that all data is validated before use,
>> sure the frontend shouldn't trust the users and validate their input.
>
> I need to know how to plan my project to improve security, my website
> and mobile app will be like a social network, I'll have (I hope!) a lot
> of users which will have their data shown on the frontpanel and a
> backpanel where the admin will manage all data and "power users" a piece
> of data.

Keep in mind the backoffice part (what the admin uses) isn't the same as the backend. The backend tends to be a "service" which talks with the database layer, sanitizes the data from the frontend before making queries to the database, and filters/reformats the data into something easier to handle by the frontend. If things go wrong the backend will send an error message that doesn't leak details of the fault (log it to disk or a remote log server). When using input, use PDO::prepare, as this will help with the risk of SQL injection.

The two frontends (client site and backoffice) will send requests to the backend to fetch the data they need; sure, the data should be validated before sending it to the backend. Display somewhat generic error messages if the backend says things went wrong. Don't forget to verify that the request to the backend is always done by an authenticated and authorized user.

Passwords should always be hashed with a "random" salt. Do have a length requirement on the password, as length tends in the end to be what makes the difference in brute force attacks.

Keep in mind that you don't have to build your own verification/sanitation for everything; a lot of things are already built into PHP, you can use filter_var.

>> Sure you could have been able to write everything in one or the other
>> language (python can do both frontend and backend, as you can do with
>> php too even less common), but I doubt you have the power to decide this.
>
> Now I'm writing the project in my free time and I can do everything but
> I'd like to do the best things for security, I'm a Unix like user from
> 1996, I use Debian from 2003 and also Kali for pentest.

If you feel uncertain with security, you could try out OWASP Top 10 The Game
https://top10thegame.org/en/

You also have this interactive site based on the above game
https://www.opensecproject.com

For the project itself I would go with the Cornucopia
https://cornucopia.owasp.org

Don't forget using something like PHPUnit to have unit tests; this way when you do a change you can easily see that the change doesn't break expected results. Also it can be good to unit test the database procedures; for T-SQL you have tsql that can be used for unit testing things in the database.

MySQL: https://dev.mysql.com/doc/dev/mysql-server/latest/PAGE_UNIT_TESTS.html
Postgres: https://pgtap.org
https://medium.com/@vbilopav/unit-testing-and-tdd-with-postgresql-is-easy-b6f14623b8cf

Most of that you may already know quite well.

-- 
//Aho
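As an added example (editor's code, not from any post in the thread and not ^Bart's project) of Aho's advice to use PDO::prepare for user input and to hand the frontend a generic error while the detail goes to the log: the string-built query that an attacker can rewrite is shown beside its prepared-statement form, plus the one case parameters cannot cover (identifiers such as an ORDER BY column), handled with an allow-list. The DSN, the `cms_backend` role, the `CMS_DB_PASSWORD` environment variable and the `users` table are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumes a PostgreSQL database
// reachable via the DSN below, a role `cms_backend` with only the rights the
// backend needs, and a table
//   CREATE TABLE users (id serial PRIMARY KEY, username text UNIQUE, bio text);
// All of these names are assumptions for illustration.

function connect(): PDO
{
    return new PDO(
        'pgsql:host=localhost;dbname=cms',
        'cms_backend',
        getenv('CMS_DB_PASSWORD') ?: '',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, catch centrally
            PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepare: values never enter the SQL text
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// VULNERABLE (kept for contrast): the username is spliced into the SQL string.
// A username of  x' OR '1'='1  turns the WHERE clause into one that matches
// every row, so the function returns somebody else's profile.
function findUserUnsafe(PDO $pdo, string $username): array|false
{
    $sql = "SELECT id, username, bio FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetch();
}

// HARDENED: the statement goes to PostgreSQL with a placeholder; the value is
// bound separately and can only ever be compared as data, quotes and all.
function findUser(PDO $pdo, string $username): array|false
{
    $stmt = $pdo->prepare('SELECT id, username, bio FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetch();
}

// Identifiers (table/column names) cannot be bound as parameters, so a
// caller-chosen sort column is mapped through an allow-list instead of being
// interpolated. The LIMIT is still a bound integer, clamped to a sane range.
function listUsers(PDO $pdo, string $orderBy, int $limit): array
{
    $allowedColumns = ['id' => 'id', 'username' => 'username'];
    $column = $allowedColumns[$orderBy] ?? 'id';
    $stmt = $pdo->prepare("SELECT id, username FROM users ORDER BY $column LIMIT :limit");
    $stmt->bindValue(':limit', max(1, min($limit, 100)), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Backend entry point as Aho describes it: the frontend receives a generic
// message; the PDOException text (which can carry SQL fragments, the DSN or
// the server version) is written to the log only.
function handleProfileRequest(string $username): array
{
    try {
        $pdo  = connect();
        $user = findUser($pdo, $username);
        if ($user === false) {
            return ['ok' => false, 'error' => 'not found'];
        }
        return ['ok' => true, 'user' => $user];
    } catch (PDOException $e) {
        error_log('profile lookup failed: ' . $e->getMessage()); // detail stays server-side
        return ['ok' => false, 'error' => 'temporary error, please retry'];
    }
}

header('Content-Type: application/json');
echo json_encode(handleProfileRequest((string) ($_GET['u'] ?? '')), JSON_THROW_ON_ERROR), "\n";
```

Run under php-fpm behind nginx, `?u=x' OR '1'='1` returns `not found` from the prepared version (no user literally has that name) where `findUserUnsafe()` would have returned the first row of the table. With `PDO::ATTR_EMULATE_PREPARES` left at its default the pgsql driver already prepares server-side, but setting it explicitly documents the intent and survives a later change of driver.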
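A second added example, again editor's code rather than anything posted in the thread, for the other two points in Aho's post: hashing passwords with a random salt (PHP's password_hash() generates a fresh one per call and stores it inside the hash string) and using filter_var() for validation instead of hand-written checks. The field names, the 12-character minimum and the sample registration payload are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Field names, limits and the sample
// payload below are assumptions chosen for illustration.

const MIN_PASSWORD_LENGTH = 12;
const MAX_PASSWORD_LENGTH = 256; // bcrypt only uses the first 72 bytes; cap early so behaviour is explicit

// Validate a registration payload with the filters PHP already ships.
// Returns a list of error strings; an empty list means the payload is acceptable.
function validateRegistration(array $input): array
{
    $errors = [];

    // FILTER_VALIDATE_EMAIL returns the address on success and false otherwise;
    // it also returns false if the client sent an array (email[]=...) instead of a string.
    if (filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: invalid address';
    }

    // \z rather than $ so a trailing newline cannot sneak past the pattern.
    $usernameOk = filter_var($input['username'] ?? '', FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[a-z0-9_]{3,32}\z/']]);
    if ($usernameOk === false) {
        $errors[] = 'username: 3-32 lowercase letters, digits or underscore';
    }

    // Range-checked integer; the string "42" from a form passes, "42abc" does not.
    $age = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors[] = 'age: integer between 13 and 120';
    }

    // Length is the requirement Aho recommends; no composition rules.
    $password = (string) ($input['password'] ?? '');
    $len = strlen($password); // bytes, which is also what bcrypt counts
    if ($len < MIN_PASSWORD_LENGTH || $len > MAX_PASSWORD_LENGTH) {
        $errors[] = sprintf('password: %d-%d characters', MIN_PASSWORD_LENGTH, MAX_PASSWORD_LENGTH);
    }

    return $errors;
}

// password_hash() picks a random salt on every call and embeds it, together
// with the algorithm and cost, in the returned string; two users with the same
// password get different hashes and the database needs no salt column.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// password_verify() reads the salt and cost back out of the stored hash and
// compares in constant time. If PHP's default algorithm or cost changes
// later, password_needs_rehash() reports it so the stored hash can be
// upgraded on the next successful login.
function checkPassword(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'rehash' => null];
    }
    $rehash = password_needs_rehash($storedHash, PASSWORD_DEFAULT)
        ? hashPassword($password)
        : null;
    return ['ok' => true, 'rehash' => $rehash];
}

// Constructed sample payload, as a form handler would receive it in $_POST.
$payload = [
    'email'    => 'bart@example.invalid',
    'username' => 'bart_1996',
    'age'      => '42',
    'password' => 'correct horse battery staple',
];

$errors = validateRegistration($payload);
if ($errors !== []) {
    echo implode("\n", $errors), "\n";
    exit(1);
}

$hash = hashPassword($payload['password']);
echo checkPassword($payload['password'], $hash)['ok'] ? "login ok\n" : "login failed\n";
echo checkPassword('wrong password', $hash)['ok'] ? "login ok\n" : "login failed\n";
echo hashPassword($payload['password']) === $hash ? "same hash\n" : "different salt each call\n";
```

Run from the CLI the script prints `login ok`, `login failed` and `different salt each call`; shorten the password in the payload and the length error is printed instead and the script exits 1. Store the full `password_hash()` output as-is (it is self-describing) and, when `checkPassword()` returns a non-null `rehash`, write that value back over the old hash.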