On Fri, Oct 27, 2000 at 01:12:06AM +1100, Michael Lake wrote:

Not wanting to start a perl/PHP jihad... ;)

> Pro PHP / Con Perl:
> * PHP often seems easier than Perl in its syntax for many
> common web/database queries.

True. Well I think so anyway but I'm biased. For people who use Perl a lot,
the same could be said though. It's a matter of what you're familiar with.

> * Variables from forms are automatically available to the
> script they call out without parsing them.
> (can this be abused/used by crackers?)

Correct. By default, PHP sets an order in which these are made available,
which by default is EGPCB:
Environment, GET, POST, Cookies, Built-in
That means that variables are overwritten in that order, so a POST var can
override a GET var but not the other way around, so people can't hack the
query string.
You can also use track_vars to access PHP variables in a series of arrays
which address GET/POST etc. variables directly without relying on the
variable order.

> * lots of people seem to be using PHP and it seems very
> "in".

Yep :)

> * There are classes available for PHP so you can do object
> orientated programming.

Nowhere near as many as Perl, and way too fractured.

> 
> Con PHP/Pro Perl:
> * Perl is older and more stable than PHP so may have less
> opportunity for buffer overruns and other security holes.

Very true.

> * Perl is more stable so current apps written with Perl
> 5.004 will run for ages whereas a PHP 4 app might not run
> when PHP 5.0 comes out say next year.

PHP endeavours to keep this to an absolute minimum. There were very few
incompatibilities between PHP 3 and PHP 4.

> * Much of your code in PHP seems to be sent to the user when
> the form is requested as its embedded in the HTML so the
> user could look at this and possibly glean info that may
> help them in cracking. In Perl one would tend to generate
> the HTML and just send it (unless it were embedded Perl
> which one can do).

Not true: the code is parsed by the server and delivered as HTML. Anything
inside a PHP script block is hidden. Of course, if you set up include files
etc. incorrectly then you are going to have problems, but that's a server
security issue, like leaving .htpasswd files lying about.

> There are prob lots of things that I haven't considered but
> generally given that this must be a reasonably secure
> database does this dictate Perl over PHP or not? Is it more
> a function of how the programmer implements the code?

The database is independent, so there's another level of security. MySQL and
PostgreSQL both have good security models, although insecure code won't help.

Cheers,
 Graeme
 


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
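The variable-precedence mechanism discussed in the thread (Environment, GET, POST, Cookies, Built-in, with each later source overwriting the earlier ones when PHP's register_globals makes request data into script variables) and the track_vars alternative (the per-source arrays, `$HTTP_GET_VARS`, `$HTTP_POST_VARS` and `$HTTP_COOKIE_VARS` in PHP 4, `$_GET`, `$_POST` and `$_COOKIE` in current PHP) are worked through below. This is an added example, not code from the thread or from PHP itself: it emulates the merge order with constructed request arrays so it runs from the command line offline, and the variable names (`is_admin`, `user`) and the sample values are hypothetical. It goes one step beyond the reply by showing that the same stated order also lets a Cookie value overwrite a POST value.

```php
<?php
// Added example (not from the original thread). Emulates the precedence
// "Environment, GET, POST, Cookies, Built-in" that register_globals applied
// when turning request data into script variables, using constructed input.

// Constructed sample request (hypothetical values): the form POSTs a
// username, but the same request also carries ?is_admin=1&user=from_query in
// the query string and a cookie named "user".
$sample_env    = array('PATH' => '/usr/bin');
$sample_get    = array('is_admin' => '1', 'user' => 'from_query');
$sample_post   = array('user' => 'alice');
$sample_cookie = array('user' => 'mallory');
$sample_builtin = array('REQUEST_METHOD' => 'POST');   // the "Built-in"/server set

// Merge the sources in the stated order; a later source overwrites an
// earlier one. This is what register_globals did to the global namespace.
function merge_in_order($env, $get, $post, $cookie, $builtin) {
    $vars = array();
    foreach (array($env, $get, $post, $cookie, $builtin) as $source) {
        foreach ($source as $name => $value) {
            $vars[$name] = $value;
        }
    }
    return $vars;
}

// Pattern that relies on the merged globals: $is_admin is never initialised
// by the script, so whatever source supplies it last decides the outcome.
// Here nothing but the query string sets it, so the GET value survives.
function check_admin_relying_on_globals($vars) {
    if (isset($vars['is_admin']) && $vars['is_admin']) {
        return 'admin';
    }
    return 'user';
}

// track_vars pattern: read the one source you mean ($HTTP_POST_VARS in
// PHP 4, $_POST today), initialise every variable yourself, and derive the
// privilege from your own data rather than from anything in the request.
function check_admin_explicit($post, $authorised_users) {
    $is_admin = false;    // initialised here; the request cannot preset it
    $user = isset($post['user']) ? $post['user'] : '';
    if (in_array($user, $authorised_users, true)) {
        $is_admin = true;
    }
    return $is_admin ? 'admin' : 'user';
}

$globals = merge_in_order($sample_env, $sample_get, $sample_post,
                          $sample_cookie, $sample_builtin);

// 'user' was supplied by GET, POST and Cookie; the cookie comes last in the
// order, so it is the value the script sees.
echo "merged 'user' = " . $globals['user'] . "\n";
echo "globals check:  " . check_admin_relying_on_globals($globals) . "\n";
echo "explicit check: " . check_admin_explicit($sample_post, array('root')) . "\n";
?>
```

Run it with `php` on the command line; no web server is needed because the request data is constructed inline. The point to take from it is that the precedence order only tells you which source wins when two supply the same name; it does not stop a name the script never initialises from arriving via the query string, a cookie, or anything else in the order, which is why reading the specific source array and initialising your own variables is the safer of the two styles the reply mentions.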
