
PHP

Security Considerations When Building A Custom CRUD

Has anyone here written a custom CRUD in PHP, and if so, what were some of the security considerations? Any advice, Randy Hoyt?

I have been reconsidering the custom route because the client wants reviews and customer profiles. I may end up putting something together with WordPress or Drupal so I can just throw some pre-built modules on there to do the heavy lifting.

However I'd like to at least entertain my initial idea of building from scratch.

3 Answers

Patrick,

IMHO, building something from scratch is kinda overrated. True, you learn a lot that way and it seems more original and hardcore, but you have a thousand other things to learn besides learning to reinvent the wheel. In fact, even if you are using an out-of-the-box solution like WordPress, there is a gazillion other stuff you have to do to really ensure security from the armies of spammers out there. This article covers that (makes me feel tired just to read). Plus, these things must be updated and maintained over time, which means more time commitment. I think you should spend time evaluating and integrating existing solutions and really study the landscape of web frameworks, instead of spending time coding everything from scratch (unless your project is truly unique). This way your time is really devoted towards generating the best value for your client and building a good set of solutions for your future business. Just my 2 cents. Let me know what you think.

The thing is, WP is open source, so people can view the code and find exploits, which is part of the reason it's so insecure. If I custom-build, even without all security measures implemented, it would probably still be safer because people wouldn't know what exploits might possibly work.

I've always planned to use a lightweight framework; when I say scratch, I mean not using a CMS.

The Laravel framework is the latest buzz. If you want something between WordPress and a PHP framework, then Modx is a good CMS with MVC framework features. But of course, as with anything new, there's a learning curve involved.

I have been looking at Laravel and Symfony lately. Laravel looks super lightweight, but if I'm not wrong, Symfony is completely modular using "components", so depending on what you choose to use it can be pretty lightweight. Do you have experience with either that you could recommend, or just anecdotal stuff?

I just started to look into Laravel myself, only because it is highly recommended by tutsplus and there are some good tutorials for it. Can't really make any valid comparisons at this point yet.

Cool, I'll just have to give them both a closer look. Thanks.

Sorry I'm late to the party. What about Yii? I've always wanted to learn it. I think the 3 main things I'm concerned about when it comes to picking a PHP framework are features, performance, and community size. Yii seems to be awesome in all three based on my research. But Laravel may catch up soon in terms of popularity, so I'll keep an eye on it.

Pavol, ModX looks good. I want to make a blog for my personal website, but want to make my whole site MVC. I could learn from it. Thanks for pointing it out!

Since this is a live project for a client and you are not completely sure how to approach it if built from scratch, you should probably not go that route. The last thing you want is a client with a website with potential security hole(s). Learning CRUD is an awesome exercise, but you should probably do it on your own time rather than learn it on the client's time, especially since this is something you do not actually have to do from scratch, and it would benefit only you and not the client.

I've built a PHP CRUD before and know how to implement it. That's not a problem at all. It was as an exercise though so it never went live. I'm well aware of things like salting and hashing passwords and things of that nature. I'm curious about the less obvious security measures.

Based on my experience with and stories about WordPress, I think that would be more unsafe than if I were to build my own, even without knowledge of all the necessary security measures. I mentioned WP because it has the lowest learning curve, but I'd prefer to use Drupal if I have to use a CMS. I'm doing it on the cheap since it's partially a portfolio piece, so I don't think the guy will complain too much.

In that case, go for it and have fun. It's always more motivating to learn on an actual real project than on just a training exercise.

"The thing is, WP is open source, so people can view the code and find exploits, which is part of the reason it's so insecure."

That's not quite how open source software works: 6 open source security myths

One of the security researcher's main arguments against my point is that malicious folks can convert the software into assembler instructions, which is as good as having the source. This only applies to compiled software. I could be wrong, but as far as I know there is nothing that can do this for PHP. PHP is translated to HTML before ever leaving the server. The only way to see closed-source PHP is to break into the server, at which point you no longer even need an exploit.