How to choose the right backend technology?

Prafful Lachhwani on January 25, 2022

Web technologies are growing so fast that we now have tons of modern tools and frameworks. Be it a choice of frontend, backend or database. Many d...
 
Lito

Hello! Can you link some article about PHP being insecure by default (not code, PHP itself)? PHP is not considered much secure as compared to Spring and Node.js. Thanks!

Prafful Lachhwani

No hard feelings with PHP, I love it, but in order to make it secure we will have to add some extra code, which other frameworks already do out of the box. learnwebtutorials.com/php-is-insec...

Lito

Not about PHP! Don't worry. I'm a PHP, Node and Python developer and I think that all these problems are the same in all languages (or very similar).

Java XSS - stackhawk.com/blog/java-xss/
Python/Django XSS - stackhawk.com/blog/django-xss-exam...
NodeJs XSS - stackhawk.com/blog/nodejs-xss-guid...

And PHP is a language, not a framework ;)

I'm really curious about security, and how PHP can be insecure as a language itself, not with code examples of people that don't know how to code.

Thanks!

Prafful Lachhwani

I agree!

Jan Cizmar

Hey! I think that statement can actually be true. Some time ago an attacker hacked my server by uploading his PHP script and executing it by accessing its URL. I found out that this is a common scenario, happening often with WordPress plugins for example.

Prafful Lachhwani

There is a reason why enterprise grade applications rely on spring framework.

leob

This is silly, I think other languages/frameworks are equally prone to XSS etc. if you don't follow proper standards. Can't be used as an argument against PHP, especially not when you use a framework like Laravel.

Prafful Lachhwani

Yes I agree, but PHP does not support security out of the box, a developer may need to write extra code in order to protect their applications. Happy to share that spring already has so many security features already built in.

Coming to Laravel, if you will compare libraries built for spring vs that built for Laravel are not that sophisticated and you can't rely on them in terms of application backdoor.

And just in case there is a security finding, there are active developers to fix it for libraries in Java as compared to that of PHP.

Composer dependency manager is relatively new. NPM shows warnings and threats after installing any package, aka 'npm audit', which is still a work in progress for PHP's dependency manager, Composer.

leob

Not sure if I agree, as far as I know Laravel has security features out of the box, I'm rarely hearing anyone complain that Laravel applications are unsafe. I've been a Java programmer in the past and yes, Spring and Spring Security are great, but complex, and arguably overkill for most web apps.

Prafful Lachhwani

Not about Laravel, dependencies you use with PHP can be insecure, you must be using some extra libraries which are not built in with Laravel could be vulnerable however this is true for every framework which you said earlier. There is reason why enterprise grade applications use spring.

And that's what I mentioned in my article that spring could be overkill for trivial applications

Prafful Lachhwani • Edited

Just for reference: cvedetails.com/vulnerability-list/...
And some vulnerabilities having no patch
snyk.io/vuln/composer:laravel%2Ffr...

leob • Edited

Sorry, not convinced - the notion that PHP is insecure is based on outdated information, or on issues with WordPress plugins (WordPress does not equal PHP ...)

So what about the library that's responsible for one of the biggest security scares of the last decade? The name of that library is Log4J, a Java library that's being used in numerous Java applications, and within other Java libraries.

PHP or Laravel are in itself no less secure than any other programming language or framework, it all depends on knowledge of security basics and on common sense of the devs using it.

leob

Thanks for the list - so it's immediately obvious that at least 95% of the vulnerabilities are in older versions (5.x or 6.x) - we're at version 8.x now. This also indicates that vulnerabilities are actively being addressed, as can be expected from a popular open source framework.

Prafful Lachhwani

So conclusion?

leob • Edited

Conclusion is that PHP isn't in itself unsafe, and Java isn't by definition safe (and then I'm only talking about server side Java, of course client side Java is notorious for containing numerous security holes over the years).

Logan Lindquist

You can write Crap code in a bunch of different languages, not just PHP. The Frameworks help with security and encourage best practices, but much is still left in the hands of the Dev. Also FYI, Symfony is more popular than Laravel in Europe.

Logan Lindquist


"PHP is not considered much secure as compared to Spring and Node.js"

This statement is misleading and false, but that's ok. 💩

Paul Phillips • Edited

I think it's just for the click bait tbh 🙄

Knowing how to write secure native PHP is just part of knowing how to code.

Drew Ronsman

Great job, loved the article.
P.S. Flask is also a pretty popular backend framework.

Prafful Lachhwani

Glad that you loved the article. Yes completely agree Flask is great!

spotnick

Call me stupid but for me ASP MVC is my go to for backends. Since most of our customers are hosting their stuff on Azure I find this approach much easier. At least the Authentication and Authorization part is a no brainer. What do you think about it and what was the reason to not include it? :)

Prafful Lachhwani

Yes I agree! I missed this, maybe in future articles I will mention

Camco

Not stupid at all. Maybe a bit of extra effort because of the bloat of the ASP/MVC environment, but functionality speaking, I'd say you're in a best spot.

Charlie J Smotherman

Golang + gorilla + docker is what I use. Small, light, fast and you get concurrency out of the box with goroutines.

What I like about this stack is that I can deploy it to the cloud (Google/AWS) or to my small footprint device (Raspberry Pi), so it's very flexible.

Happy coding

Prafful Lachhwani

Thanks for sharing, I will surely give my hands on Golang

Oziel Perez • Edited

As some people mentioned in the comments, we need to talk more about ASP .NET 6 and Go. ASP is cross platform, running on Linux, and C# is getting much easier to write, I'd say it's as good as Kotlin. Go is relatively easy to write, I'd say as easy as Python, and you can get so much performance out of it. If you use Node.js, look up Fiber, an Express.js inspired framework that's among the top ranks of TechEmpower bench marks, right along with ASP .NET. We don't need to conform to using interpreted languages. We can build more powerful apps with newer languages.

Prafful Lachhwani

That's great! I will check out ASP.net and Go surely.

Deepak Choudhary

Good read. Small correction though, Node.js isn't a framework. Node is a JavaScript runtime so remove the odd one out or correct it to something like express.js.

Prafful Lachhwani

Sure thanks, I will

Dĵ ΝιΓΞΗΛψΚ

how come no love for .net? it's one of the most performant and easy to work with backend technologies in the industry 😁

Prafful Lachhwani

Tbh, I have no hands-on experience with .NET, that's why I didn't mention it; maybe in future articles I will mention it after trying it.

Happy Coding!

Dĵ ΝιΓΞΗΛψΚ

thought as much. i have a dotnet noob friendly article on dev if you're interested in trying new things ;-)

Prafful Lachhwani

Thanks for sharing, I will checkout definitely.

Saifullah Usmani

Loved it. I didn't see asp.net or C#. I want to learn C# for web dev but don't know if it's worth learning. So if you can include that in this post too then it will be very helpful.
Although it's an amazing post! ❤️
Very helpful

Prafful Lachhwani

Sure, I will do my research and try to include.

Andres Bermeo

The first article that says the truth about Spring, I love Java in the backend, Spring is the best but for things very big but I developed an small project based in the sales using Spring but I didn't think in the CPU... Thanks a lot... Great Article.

Prafful Lachhwani

Glad you liked!

C-mmon

Choosing the right framework is all about experience.

C-mmon

Just kidding, Nice article

Prafful Lachhwani

I agree :)

kimdontdoit

Favorite part of this article 'cause 💯 relatable

PHP is an old friend who introduced me to web development.🥺

Prafful Lachhwani

Yes🥺

DevFranPR

So, in summary: Node if you want fast & simple operations, Spring if you need security, Laravel if you want fast development and Django if you want to add machine learning features (?)

Prafful Lachhwani

Laravel actually has a slow deployment. I considered Laravel for cheap shared hosting; however, it is recommended to host Laravel on a VPS, but it can be hosted on shared hosting with some patch.

Dendi Handian

Fun fact: Your non-PHP code may not be secure compared to well-secured PHP code.

Mc Roniel De Gozo

Great article, but based on my research, learning JavaScript can help you become a better full stack web developer with the use of the MERN, MEAN or MEVN stack.

Prafful Lachhwani

Yes Agree! However, there are various technologies good for different use case

Tem0138

Do you know which framework DEV is using? Popular and extremely productive... DEV, GitHub, GitLab, Shopify, Codecademy, Exercism, CodePen, ... :)