Hi all,

Thanks for the feedback on Perl vs PHP for secure web apps.
I have now learnt some very important bits of
info that I wasn't able to pick up by reading tutorials and
practising snippets myself. Some important points are mentioned
below:

Dean:
> Perl is also a language in and of itself...... 
> I usually use this to update stuff on my pages that doesn't need
> to be out of the database every time, news for example. Event
> driven, but events outside the web environment.
....
> An idea would be to put the database on a separate machine
> from the web server. This IMO would tighten things up a little.
I have read that this is quite important. CD Universe learnt
the hard way.

Tom:
>> * Much of your code in PHP seems to be sent to the user when
>> the form is requested as its embedded in the HTML so the
>> user could look at this and possibly glean info that may
>> help them in cracking. In Perl one would tend to generate
>> the HTML and just send it...
> Not when I write PHP stuff.  I am a believer in sending as little as
> possible to clients...  I make PHP output the HTML as you describe for
> PERL.

Graeme:
>> * Variables from forms are automatically available to the
>> script they call out without parsing them.
>> (can this be abused/used by crackers?)
>Correct. By default, PHP sets an order by which these are available which by
>default is EGPCB Environment, GET, POST, Cookies, Built-in
>That means that variables are overwritten in that order, so a POST var can
>override a GET var but not the other way around so people can't hack the
>query string. You can also use track_vars to access PHP variables in a series
>of arrays which address GET/POST etc variables directly without relying on the
>variable order.

Jeff:
> The main reason why PHP is such a pain at the moment is that it's pretty
> immature. Error handling, really worthwhile OO (INFORMATION HIDING PEOPLE!),
> etc., just isn't good enough right now. The environment hasn't caught up to
> things like Perl, ASP (no, seriously) and Python.

A number of people indicated that while it's easy to start
with and set up, once you start to want more complex things
you run into limitations and kludges.  Conrad also agreed
that Perl is much more extensible if one ever wants to
venture outside of the web framework - something important
that I must think about.
The URL provided by James is an excellent FAQ and reference
knowledge-base.
http://www.faqts.com/knowledge-base/view.phtml/aid/1012/fid/39/lang/

and Angus mentioned the important use of taintperl to check
for contaminated variables. Seems particularly useful from a
security aspect.

Thanks to the many that replied and others I didn't mention
here. The ideas above I couldn't have gleaned from a cursory
reading.

Mike
--------------------------------------------------------------------
Michael Lake
University of Technology, Sydney
Email: mailto:[EMAIL PROTECTED]
Ph: 02 9514 1724  Fx: 02 9514 1628
URL: http://www.science.uts.edu.au/~michael-lake/
Linux enthusiast, active caver and interested in anything
technical.
--------------------------------------------------------------------


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
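As an added example (not from Mike's post, nor from any of the replies he quotes), here is what Angus's point about taint checking looks like in practice. In Perl 5 the Perl 4 taintperl binary became the -T switch: every value that arrives from outside the program is marked tainted and cannot reach open(), system(), unlink() and similar calls until it has been laundered through a regex capture. The parse_query and untaint_filename helpers, the "file" parameter name and the /var/www/reports directory are all assumptions made for this example.

```perl
#!/usr/bin/perl -T
# Added example, not code from the original thread. Run as: perl -T taint_demo.pl
# Demonstrates Perl 5 taint mode (-T), the successor of Perl 4's taintperl:
# every value from outside the program (here $ENV{QUERY_STRING}) is tainted,
# and Perl refuses to let it reach open(), system(), unlink() and friends
# until it has been laundered through a regex capture.
use strict;
use warnings;

# Taint mode also insists on a clean environment before any system()/backtick,
# so set PATH explicitly and drop the variables a shell would honour.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Minimal query-string parser so the example does not depend on CGI.pm.
# Its output is still tainted: URL-decoding does not launder data.
sub parse_query {
    my ($qs) = @_;
    my %param;
    for my $pair (split /[&;]/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        for ($k, $v) {
            next unless defined;
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/eg;
        }
        $param{$k} = defined $v ? $v : '';
    }
    return \%param;
}

# The only sanctioned way to untaint: capture the value through an allow-list
# regex. The pattern permits a plain basename only (no "/" is possible, and the
# first character cannot be "."), so "../../etc/passwd" never gets through.
sub untaint_filename {
    my ($raw) = @_;
    return unless defined $raw;
    my ($clean) = $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    return $clean;    # undef when the input was rejected
}

# Hypothetical document directory for the example.
my $dir = '/var/www/reports';

my $param = parse_query(defined $ENV{QUERY_STRING} ? $ENV{QUERY_STRING} : '');
my $file  = untaint_filename($param->{file});

print "Content-Type: text/plain\r\n\r\n";
if (!defined $file) {
    print "Rejected file name\n";
    exit 0;
}

# With the tainted $param->{file} used here instead of $file, this open()
# would die with: Insecure dependency in open while running with -T switch
if (open my $fh, '<', "$dir/$file") {
    print while <$fh>;
    close $fh;
} else {
    print "Cannot open $file\n";
}
```

Run it from the shell with the switch on the command line as well as in the shebang (perl refuses to start if -T appears only in the #! line of a script invoked as `perl script.pl`), for example `QUERY_STRING='file=../../etc/passwd' perl -T taint_demo.pl`, which is rejected by the allow-list before open() is ever reached. The check that matters is the regex: a lazy `(.*)` capture also "untaints" and is exactly the mistake taint mode cannot protect against.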
