• New PHP project from scratch, PDO or psycopg?

    From ^Bart@none@none.it to comp.lang.php on Tue Feb 24 09:41:52 2026
    From Newsgroup: comp.lang.php

    Hello everyone,

    I work in a company 100% unix like, we don't have MS o.s., and our
    framework works with psycopg on debian13+venv.

    I'm working on a personal CMS written from scratch, always on debian13
    with php8.4, postgresql18 and nginx; right now I'm using psycopg, so I have a different user for the php and another one for the venv etc.

    I heard that, for security reasons and also for performance, psycopg is
    better than PDO; tell me what you think about it! :)

    ^Bart
    --- Synchronet 3.21b-Linux NewsLink 1.2
  • From Arne Vajhøj@arne@vajhoej.dk to comp.lang.php on Tue Feb 24 07:40:29 2026
    From Newsgroup: comp.lang.php

    On 2/24/2026 3:41 AM, ^Bart wrote:
    I work in a company 100% unix like, we don't have MS o.s., and our
    framework works with psycopg on debian13+venv.

    I'm working on a personal CMS written from scratch, always on debian13
    with php8.4, postgresql18 and nginx; right now I'm using psycopg, so I have a different user for the php and another one for the venv etc.

    I heard that, for security reasons and also for performance, psycopg is
    better than PDO; tell me what you think about it! :)

    psycopg is Python, not PHP.

    Do you mean PDO or pgsql??

    Arne

    --- Synchronet 3.21b-Linux NewsLink 1.2
  • From J.O. Aho@user@example.net to comp.lang.php,comp.lang.python on Tue Feb 24 15:39:36 2026
    From Newsgroup: comp.lang.php

    On 24/02/2026 09.41, ^Bart wrote:

    I work in a company 100% unix like, we don't have MS o.s., and our
    framework works with psycopg on debian13+venv.

    I'm working on a personal CMS written from scratch, always on debian13
    with php8.4, postgresql18 and nginx; right now I'm using psycopg, so I have a different user for the php and another one for the venv etc.

    I heard that, for security reasons and also for performance, psycopg is
    better than PDO; tell me what you think about it! :)

    I think this is more about layering the application: the frontend I
    guess is written in PHP while the backend is written in Python. I would
    keep that separation and only allow the backend to access the database,
    and also keep it at such a level that the backend doesn't trust the data from
    the frontend, so that all data is validated before use; of course the frontend shouldn't trust the users either and should validate their input.

    Sure, you could have written everything in one language or the other
    (Python can do both frontend and backend, as you can do with PHP too,
    though that is less common), but I doubt you have the power to decide this.

    --
    //Aho
    --- Synchronet 3.21b-Linux NewsLink 1.2
  • From Lawrence D’Oliveiro@ldo@nz.invalid to comp.lang.php,comp.lang.python on Tue Feb 24 20:29:03 2026
    From Newsgroup: comp.lang.php

    On Tue, 24 Feb 2026 15:39:36 +0100, J.O. Aho wrote:

    Sure, you could have written everything in one language or the
    other (Python can do both frontend and backend, as you can do with
    PHP too, though that is less common), but I doubt you have the power to
    decide this.

    You could make the case to your PHP-loving PHBs to write the whole
    thing in Python on the basis that it is a more sophisticated language,
    with built-in support for async/await, advanced libraries for
    convenient access to WebSocket functionality etc.

    And it doesn't need to run as a module in a web server.
    --- Synchronet 3.21b-Linux NewsLink 1.2
  • From ^Bart@none@none.it to comp.lang.php,comp.lang.python on Sat Mar 7 11:17:56 2026
    From Newsgroup: comp.lang.php
    Thanks for your reply! :)

    I think this is more about layering the application: the frontend I
    guess is written in PHP while the backend is written in Python.

    Frontend and backend (the admin backpanel) are written in PHP, and I
    think I understood that I should use PDO...

    I would keep that separation and only allow the backend to access the database,
    and also keep it at such a level that the backend doesn't trust the data from
    the frontend, so that all data is validated before use; of course the frontend shouldn't trust the users either and should validate their input.

    I need to know how to plan my project to improve security; my website
    and mobile app will be like a social network, I'll have (I hope!) a lot
    of users whose data will be shown on the frontpanel, and a
    backpanel where the admin will manage all data and "power users" a piece
    of it.

    Sure, you could have written everything in one language or the other (Python can do both frontend and backend, as you can do with
    PHP too, though that is less common), but I doubt you have the power to decide this.

    Now I'm writing the project in my free time and I can do everything, but
    I'd like to do the best things for security; I've been a Unix-like user since
    1996, I've used Debian since 2003 and also Kali for pentesting.

    --
    //Aho

    ^Bart
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From J.O. Aho@user@example.net to comp.lang.php on Sat Mar 7 13:19:50 2026
    From Newsgroup: comp.lang.php

    On 07/03/2026 11.17, ^Bart wrote:

    Thanks for your reply! :)

    I think this is more about layering the application: the frontend I
    guess is written in PHP while the backend is written in Python.

    Frontend and backend (the admin backpanel) are written in PHP, and I
    think I understood that I should use PDO...

    As this ain't about Python anymore, remove that part from the subject and the crossposting to the Python newsgroup.


    I would keep that separation and only allow the backend to access the
    database, and also keep it at such a level that the backend doesn't trust
    the data from the frontend, so that all data is validated before use;
    of course the frontend shouldn't trust the users either and should validate their input.

    I need to know how to plan my project to improve security; my website
    and mobile app will be like a social network, I'll have (I hope!) a lot
    of users whose data will be shown on the frontpanel, and a
    backpanel where the admin will manage all data and "power users" a piece
    of it.

    Keep in mind the backoffice part (what the admin uses) ain't the same as
    the backend; the backend tends to be a "service" which talks with the database layer, sanitizes the data from the front end before making queries to the
    database, and filters/reformats the data into something easier for the
    front end to handle. If things go wrong the backend will send an error message that
    doesn't leak details of the fault (log it to disk or a remote log server).
    When using input, use PDO::prepare as this will help with the risk of
    SQL injection.

    The two frontends (client site and backoffice) will send requests to the backend to fetch the data they need; sure, the data should be validated
    before sending it to the backend. Display somewhat generic error messages
    if the backend says things went wrong.

    Don't forget to verify that the request to the backend is always done by
    an authenticated and authorized user.

    Passwords should always be hashed with a "random" salt, and do have a
    length requirement on the password, as length tends in the end to be what makes
    the difference against brute force attacks.

    Keep in mind that you don't have to build your own
    verification/sanitation for everything; a lot of things are already
    built into PHP, e.g. you can use filter_var.


    Sure, you could have written everything in one language or the other
    (Python can do both frontend and backend, as you can do with PHP too,
    though that is less common), but I doubt you have the power to decide this.

    Now I'm writing the project in my free time and I can do everything, but
    I'd like to do the best things for security; I've been a Unix-like user since 1996, I've used Debian since 2003 and also Kali for pentesting.

    If you feel uncertain about security, you could try out OWASP Top 10 The Game https://top10thegame.org/en/
    You also have this interactive site based on the above game https://www.opensecproject.com

    For the project itself I would go with the Cornucopia https://cornucopia.owasp.org

    Don't forget to use something like phpunit to have unit tests; this way
    when you make a change you can easily see that the change doesn't break
    expected results.


    Also it can be good to unit test the database procedures; for T-SQL you
    have tsql that can be used for unit testing things in the database.

    MySQL:
    https://dev.mysql.com/doc/dev/mysql-server/latest/PAGE_UNIT_TESTS.html
    Postgres:
    https://pgtap.org
    https://medium.com/@vbilopav/unit-testing-and-tdd-with-postgresql-is-easy-b6f14623b8cf



    Most of that you may already know quite well.
    --
    //Aho
    --- Synchronet 3.21d-Linux NewsLink 1.2
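The advice in the last reply (PDO::prepare against SQL injection, salted password hashing with a length requirement, filter_var for validation, and generic error messages with details logged server-side) put together in one PHP 8.4 backend function, as an added example that is not code from the thread or from ^Bart's project. The DSN, credentials, table name and the 12-character minimum are assumptions.

```php
<?php
// Added example, not from the thread: a backend-style registration routine
// that applies the advice above. DSN, credentials, table and the minimum
// length are placeholders/assumptions.
declare(strict_types=1);

const MIN_PASSWORD_LENGTH = 12; // assumed project policy

function connect(): PDO
{
    return new PDO('pgsql:host=127.0.0.1;dbname=cms', 'cms_backend', 'PLACEHOLDER', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Validate untrusted input with filter_var before it gets anywhere near a query.
function validateEmail(string $raw): ?string
{
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

function registerUser(PDO $pdo, string $rawEmail, string $password): array
{
    $email = validateEmail($rawEmail);
    if ($email === null) {
        return ['ok' => false, 'error' => 'Invalid request'];
    }
    if (strlen($password) < MIN_PASSWORD_LENGTH) {
        return ['ok' => false, 'error' => 'Password too short'];
    }
    // password_hash() picks a random salt per password and embeds it in the
    // result; check it later with password_verify(), never by comparing strings.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    try {
        // Prepared statement: the values are bound, never concatenated into SQL.
        $stmt = $pdo->prepare(
            'INSERT INTO users (email, password_hash) VALUES (:email, :hash) RETURNING id'
        );
        $stmt->execute([':email' => $email, ':hash' => $hash]);
        return ['ok' => true, 'id' => (int) $stmt->fetchColumn()];
    } catch (PDOException $e) {
        // Keep the detail in the server log; the frontend only sees a generic message.
        error_log('registerUser failed: ' . $e->getMessage());
        return ['ok' => false, 'error' => 'Request could not be processed'];
    }
}
```

The frontend that calls registerUser() should still validate the form fields itself and only show the generic 'error' string to the user.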