It's been a while since I've been knee-deep in PHP. I do try to avoid it. But when the money's there you do what you do.
I'm enhancing some pretty sloppy code, even by PHP standards. The intertwining of markup, logic and DB access (which old-school PHP encouraged) is pretty much a constant throughout. No templating system of any kind, just a tangled mess of statements jumping in and out of mixed with blocks of tables-for-layout. Sure, it goes back to 2006-2008 originally, but come on man, I was at least using Smarty then.
Plus there's just.....stuff like this:
verify_data($data) //verifies data
Speaking of Smarty, I found this interesting tidbit when educating myself on the modern templating choices.
For this codebase, however, migrating to better static pages is enough of an upgrade for now. What's the latest and greatest in static templating?
Ultimately I think Twig looks the best to me right now, so I'll just settle on that and move on with my life.
- I don't want anything that tries too hard to look like PHP. I like that Twig lets the templates be templates.
- I want to avoid logic-creep. It gets exhausting to maintain when there's a lot of ugly presentational logic expressed in the second-class template language. Don't care if this is "proper" view-controller separation; I'd rather have any manipulation that is even remotely complex living in the real code.
- I don't want to roll my own everything. A templater that tries too hard to be "infinitely-extensible" at the cost of giving you out-of-the-box common filtering and manipulation is wasting my time, because I'm not going to be doing that deep-dive into building extensions.
Plates is one I absolutely hate just looking at it. Violates the first point listed.
MD5 For Passwords
Looking at the state of the rest of the codebase I half-expected passwords to be stored in the clear.
Thankfully they're not, but they're simply run through the md5() function. Unsalted.
That's almost as bad, for a very large number of passwords.
Unsalted MD5/SHA1/etc. is really irresponsible in 2021. The website Crackstation, for example, is able to instantly crack a SHA-512 of strings like
The recommendation going around some years ago was to use BCrypt with its variable work factor. I did some looking into whether that recommendation has changed. This OWASP page on passwords recommends something called Argon2id. I'll have to look into that more and see if it's advice worth following. After all, OWASP is just collated opinions of randos in this industry.
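One way to get a codebase like this off unsalted md5() without forcing a mass password reset is to verify against whichever format a row currently holds and rehash on the next successful login. This is an added example, not code from the post or the codebase; it assumes a PDO connection and a users table with id, username and pw_hash columns, and the Argon2id parameters are a constructed choice, not a recommendation from the page.

```php
<?php
// Added example: transparent migration from legacy md5() rows to password_hash().
// Assumptions (not from the post): a PDO handle $db and a `users` table with
// `id`, `username`, `pw_hash`. PASSWORD_ARGON2ID needs PHP >= 7.3 built with
// Argon2 support; if it isn't available, PASSWORD_DEFAULT (bcrypt) is still fine.
const PW_ALGO = PASSWORD_ARGON2ID;
const PW_OPTS = ['memory_cost' => 65536, 'time_cost' => 4, 'threads' => 1]; // constructed values

function is_legacy_md5(string $stored): bool {
    // Unsalted md5() output is exactly 32 hex chars, while password_hash() output
    // always starts with a "$<algo>$" prefix, so the two cannot be confused.
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

function hash_password(string $plain): string {
    return password_hash($plain, PW_ALGO, PW_OPTS);
}

function login(PDO $db, string $username, string $plain): bool {
    $stmt = $db->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }

    if (is_legacy_md5($row['pw_hash'])) {
        // Legacy row: compare in constant time, never with == or ===.
        $ok = hash_equals(strtolower($row['pw_hash']), md5($plain));
    } else {
        $ok = password_verify($plain, $row['pw_hash']);
    }
    if (!$ok) {
        return false;
    }

    // A successful login is the only moment the plaintext is available, so this is
    // where a legacy md5 row (or a hash with outdated cost parameters) is upgraded
    // in place. Rows never upgraded by some deadline should get a forced reset.
    if (is_legacy_md5($row['pw_hash'])
        || password_needs_rehash($row['pw_hash'], PW_ALGO, PW_OPTS)) {
        $upd = $db->prepare('UPDATE users SET pw_hash = ? WHERE id = ?');
        $upd->execute([hash_password($plain), $row['id']]);
    }
    return true;
}
```

The md5 branch only exists to recognise old rows; once the deadline passes and the remaining legacy rows are reset, is_legacy_md5() and the md5() call can be deleted entirely.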