[OT] Re: Which server-side programming should i choose.
> Joel Rees wrote:
>>> PHP!! All the way...easiest, free, likely to be more secure than Perl if used as Apache module than CGI.
>>
>> More secure, how so? Less arcane syntax to hide holes in, maybe? However, for people who know what they are doing, perl code can be made more secure than php code.

Matt Heath [EMAIL PROTECTED] commented

> I'm not trying to be insulting but I think that you don't know what you're talking about.

Oh, you're probably right about my not knowing what I'm talking about. I tend to spout off about things I know nothing about some times. Human habit.

Question, though, are you contending with my assertion that perl has some arcane syntax issues that make holes harder to see, or with my assertion that perl can be made more secure than PHP? Both assertions?

(If we really want to debate the subject, I suppose cross-posting into the php and perl lists where people who know what they are talking about hang out would be a way to get solid information. Or to get castigated for attempting to start a flame war. ;-|)

<BS-generator state=on/>

Perl had a head start on PHP, was the focus of a lot of essential pioneering work in most of the currently hot technologies. It's in a bit of upheaval right now, because we, as an industry, have hit a technological wall, and the people who develop perl are heavily involved in trying to break through that wall.

The PHP group is basically distilling the web programming technologies out of the work that has been done in perl (and other languages), making the technology more accessible to less skilled hands. So far, the PHP community has a good track record. (I personally consider PHP mostly a dialect of perl, but a reasonably good one.)

But if you really need to tighten down the bolts, well, no programming language is sufficient by itself, but, near as I have seen, perl gives better access to the tools for the really tough cases. But you do have to know what you're doing to use those tools.

Java/jsp gets us part way through the technological wall, but it also requires a certain mind-set and familiarity with the existing Java tools and with the Java-ish ways to use those tools. If you can get the familiarity part down, you get a high pay-back in code re-use. If you move on to frameworks, you can really avoid re-inventing a lot of wheels. But the tools for standard http, last time I checked, are a little behind what's available in perl.

But all that is way beyond what the OP asked. He wanted to get started with web programming, and wondered whether PHP or perl would be better, and the answer, as far as I see it, is yes.

<BS-generator state=off/>

PHP _is_ a pretty good place to start, but don't expect it to solve all your problems. Perl is a natural next step. (JSP/Java would not be a natural next step, but is a good next step for at least some people, and don't even think of jsp without Java, as far as I'm concerned.)

--
Joel Rees, programmer, Kansai Systems Group
Altech Corporation (Alpsgiken), Osaka, Japan
http://www.alpsgiken.co.jp

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Which server-side programming should i choose.
On Fri, Jul 04, 2003 at 10:26:47AM +1000, JacobRhoden wrote:
> Even though this is getting waaay off topic...
>
> On Thu, 3 Jul 2003 07:46 pm, Matt Heath wrote:
>> Ever seen something like this :
>>
>>     $r = mysql_execute("select * from table_1 where id=$_GET[id];");
>
> Actually people do do the same thing in perl and you know it :P Both perl and php support calling sql with parameters using ? to insert variables.
>
> If someone does not know what language to use at all, I would suggest php simply because it's a good, quick, easy language to get started in without too much difficulty. (In lots of ways including not needing to understand cgi variables, and what the heck Content-type: text/html\n\n is, or learning how to include perl libraries to do all that stuff for you!)

You're missing the point. $_GET[id] is one of the arguments used when calling the PHP and as such is completely under the control of an external user. This permits all sorts of shenanigans that generally go under the name SQL injection attacks. For instance, in this case, if you could arrange for the $_GET[id] variable to have the value 'joe OR 1=1' then you could dump out the whole of table_1. I'm sure that with a little thought you could come up with something much more damaging.

Exactly the same problem occurs with perl CGI --- any time you take user input in an application, you've got to assume that there will be hostile intent, and sanitize the input accordingly. The basic step in sanitization is to decide what characters are permitted in the input, and filter out everything else. You probably want to limit the length of the input, and (depending on the precise circumstances) there may be other criteria you can apply. Only then should you pass the input into your SQL select statement.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
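The query quoted above, next to the two defences Matthew describes (decide which characters are permitted, bound the length, and only then hand the value to the database) and the ? placeholder form JacobRhoden notes both PHP and Perl support, as an added PHP example that is not part of any message in this thread. It assumes PDO with the SQLite driver so it runs from the command line against a table constructed inside the script; the table and column names copy the thread's snippet, while the function names and the digits-only rule are the example's own choices.

```php
<?php
declare(strict_types=1);

// Constructed fixture: a small table under the name used in the thread's snippet.
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE table_1 (id INTEGER PRIMARY KEY, owner TEXT NOT NULL)');
    $db->exec("INSERT INTO table_1 (id, owner) VALUES (1, 'joe'), (2, 'ann'), (3, 'bob')");
    return $db;
}

// 1. The pattern quoted in the thread: the request parameter is interpolated
//    straight into the statement text, so whatever it contains becomes SQL.
function lookup_vulnerable(PDO $db, string $id): array {
    $sql = "select * from table_1 where id=$id;";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Matthew's sanitisation step: decide which characters are allowed (here:
//    digits only), bound the length, and reject everything else.  Rejecting is
//    preferred to stripping: stripping "1 OR 1=1" down to "111" would silently
//    query a different row instead of refusing the request.
function validate_id(string $raw): ?int {
    if (!preg_match('/\A[0-9]{1,9}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// 3. The placeholder form: the value travels to the database separately from
//    the statement text, so it is never parsed as SQL, whatever it contains.
function lookup_safe(PDO $db, string $raw): ?array {
    $id = validate_id($raw);
    if ($id === null) {
        return null;            // caller turns this into a 400, not an SQL error
    }
    $stmt = $db->prepare('select * from table_1 where id = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Walk-through with constructed request values.
$db = make_db();
printf("vulnerable, id=1        -> %d row(s)\n", count(lookup_vulnerable($db, '1')));
printf("vulnerable, id=1 OR 1=1 -> %d row(s)\n", count(lookup_vulnerable($db, '1 OR 1=1')));
$r = lookup_safe($db, '1 OR 1=1');
printf("safe,       id=1 OR 1=1 -> %s\n", $r === null ? 'rejected' : (count($r) . ' row(s)'));
printf("safe,       id=2        -> %d row(s)\n", count(lookup_safe($db, '2')));
```

Run with `php example.php`: the interpolated query returns one row for `1` and all three for `1 OR 1=1`, while the hardened path refuses the second value before it reaches the database. The placeholder alone would already stop the value from being parsed as SQL; the allowlist is still worth keeping, because it turns malformed input into a clean client error and keeps the database from ever seeing it.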
Re: Which server-side programming should i choose.
Matthew Seaman wrote:
> On Fri, Jul 04, 2003 at 10:26:47AM +1000, JacobRhoden wrote:
>> Even though this is getting waaay off topic...
>>
>> On Thu, 3 Jul 2003 07:46 pm, Matt Heath wrote:
>>> Ever seen something like this :
>>>
>>>     $r = mysql_execute("select * from table_1 where id=$_GET[id];");
>>
>> Actually people do do the same thing in perl and you know it :P Both perl and php support calling sql with parameters using ? to insert variables.
>>
>> If someone does not know what language to use at all, I would suggest php simply because it's a good, quick, easy language to get started in without too much difficulty. (In lots of ways including not needing to understand cgi variables, and what the heck Content-type: text/html\n\n is, or learning how to include perl libraries to do all that stuff for you!)
>
> You're missing the point. $_GET[id] is one of the arguments used when calling the PHP and as such is completely under the control of an external user.

exactly perl has the tainted construct for this and will refuse certain operations with tainted data.

But my challenge was Kevin Kinsey's assertion :

> [PHP is] likely to be more secure than Perl if used as Apache module than CGI.

and I want to know why ?
Re: Which server-side programming should i choose.
Someone was offended by my tone in the following, so I will apologize to all for any arrogance or rudeness displayed in it. It was not intended to be rude, just to point out that Perl is not limited to CGI, to leave an opening for a discussion of danger spots in mod_perl, and to acknowledge that PHP will have advantages over Perl for the newbie (and I don't see anything wrong with that, by the way).

> The server-side pages you can use are PHP or JSP (ASP is possible but not the natural choice for apache).

What? You got something against mod_perl? Or are you assuming that a newbie doesn't want all that power, and that php is a good enough introduction to perl in the non-cgi context?

Just curious ...

--
Joel Rees, programmer, Kansai Systems Group
Altech Corporation (Alpsgiken), Osaka, Japan
http://www.alpsgiken.co.jp
Re: Which server-side programming should i choose.
Joel Rees wrote:
>> PHP!! All the way...easiest, free, likely to be more secure than Perl if used as Apache module than CGI.
>
> More secure, how so? Less arcane syntax to hide holes in, maybe? However, for people who know what they are doing, perl code can be made more secure than php code.

I'm not trying to be insulting but I think that you don't know what you're talking about.
Re: Which server-side programming should i choose.
Regardless of what server side language is chosen, it is important to read the documentation associated with the language. Any language can be insecure if used improperly. User input and considerations for attacks such as SQL Injection must be taken into account for any accessible web app on the internet.

Personally, I used C and PHP on my website as I found it to be simple. I am in the process of switching to Java technologies which are much more complex, but seem much faster. Professionally I have to use .NET :(

> Less arcane syntax to hide holes in, maybe? I'd have no problem with the assertion that newbies writing php are likely to produce less holes per thousand lines of code. However, I think the OP was trying to cover too much territory with too few sentences. (I do that myself a lot, so I'm not one to complain.)

Lucas Holt
[EMAIL PROTECTED]
FoolishGames.com
JustJournal.com

The next generation of interesting software will be made on a Macintosh, not an IBM PC. -- Bill Gates (unconfirmed quote)
Re: Which server-side programming should i choose.
>> PHP!! All the way...easiest, free, likely to be more secure than Perl if used as Apache module than CGI.
>
> More secure, how so?

mod_php runs as the same user as the Web Server, giving file permission to look at any file the web server can. Safe_dirs are turned off by default. I've been hosted on commercial sites where I could easily read the files of the other virtually hosted users, able to rip database passwords and steal source code. (reading through some of that code taught me about PHP class semantics but that's another story 8)

>> Beautiful C-like syntax (/usr/src/* might even make more sense to you after learning it...) great user community.

beautiful? the function names alone are a pile of cruft upon cruft. take a look here :

http://www.php.net/manual/en/ref.array.php
or
http://www.php.net/manual/en/ref.strings.html

PHP reveals what it is - a hotch potch of stuff built one function at a time by a hundred monkeys

    string strchr ( string haystack, string needle)
    mixed str_replace ( mixed needle, mixed new_needle, mixed haystack)
    chop -- Alias of rtrim()

If you want beauty, use python

I'm a professional PHP programmer of 5+ years; secure, elegant and beautiful are not words I would instantly think of. Easy to learn, with a big target painted on your shoes.

Ever seen something like this :

    $r = mysql_execute("select * from table_1 where id=$_GET[id];");
Re: Which server-side programming should i choose.
> PHP!! All the way...easiest, free, likely to be more secure than Perl if used as Apache module than CGI.

More secure, how so? Less arcane syntax to hide holes in, maybe? I'd have no problem with the assertion that newbies writing php are likely to produce less holes per thousand lines of code. However, I think the OP was trying to cover too much territory with too few sentences. (I do that myself a lot, so I'm not one to complain.)

Both php and perl can be loaded into apache, which helps to avoid certain performance and security problems inherent in the CGI interface, but there are a few more gotchas with perl (my vs. local, and that sort of thing, I think). However, for people who know what they are doing, perl code can be made more secure than php code.

But I don't see any reason to argue. It's not like learning one first is going to prevent you from ever learning or using the other well. Quite the reverse, I think. If you have time to learn a (new or first) language, pick one that looks interesting and go.

--
Joel Rees, programmer, Kansai Systems Group
Altech Corporation (Alpsgiken), Osaka, Japan
http://www.alpsgiken.co.jp
Re: Which server-side programming should i choose.
On Wed, Jul 02, 2003 at 01:19:29PM -0700, sanketh sangam wrote:
> I have an Apache webserver on a FreeBSD machine. I think mySQL is also installed (I do not know how to check if mySQL is installed on that system). I am planning to put a user authentication to access my webpages in the server. For that i need to write server-side programming. Since there are any server-side softwares (PHP, ASP, JSP, Perl), I am confused as to which one would be better for Apache and freeBSD. Instead of going for those server-side programming, should I go for HTTP authentication method. I am confused. Any kind of help would be appreciated.

You can do this a variety of ways. We use mod_auth_mysql in conjunction with .htaccess files as well as php authentication which can use a variety of back-end databases. LDAP is also widely used. The biggest factor is doing something that fits with your other needs, and what's most convenient to maintain the information.

Bill
--
INTERNET: [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:     camco!bill          PO Box 820; 6641 E. Mercer Way
FAX:      (206) 232-9186      Mercer Island, WA 98040-0820; (206) 236-1676
URL:      http://www.celestial.com/

``We maintain that the very foundation of our way of life is what we call free enterprise,'' said Cash McCall, ``but when one of our citizens show enough free enterprise to pile up a little of that profit, we do our best to make him feel that he ought to be ashamed of himself.'' -- Cameron Hawley
Re: Which server-side programming should i choose.
On Wed, Jul 02, 2003 at 01:19:29PM -0700, sanketh sangam wrote:
> I have an Apache webserver on a FreeBSD machine. I think mySQL is also installed (I do not know how to check if mySQL is installed on that system). I am planning to put a user authentication to access my webpages in the server. For that i need to write server-side programming. Since there are any server-side softwares (PHP, ASP, JSP, Perl), I am confused as to which one would be better for Apache and freeBSD. Instead of going for those server-side programming, should I go for HTTP authentication method. I am confused. Any kind of help would be appreciated.

First of all HTTP authentication doesn't rule out server side programming.

Your first choice is if you want to use server-side pages or CGI programming. The server-side pages you can use are PHP or JSP (ASP is possible but not the natural choice for apache). If you choose CGI then the more traditional programming languages come into play. Personally, I like the server side variant better.

If this is also the road for you then you are left with the choice between PHP and JSP, or maybe a combination. I feel that JSP is better for the large design and PHP for the smaller pages. PHP is a bit easier to set up but JSP is more efficient and more powerful for the larger design.

HTTP authentication is something you use to let your users log in. Both JSP and PHP can do this. You have to be warned that there are two forms. The first is the easiest to set up but it sends the password as _plain text_ for *everybody* to read. There's an advanced version that you can use in combination with SSL to make it more secure, but I forgot the name.

Alex
Re: Which server-side programming should i choose.
From: sanketh sangam [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, July 02, 2003 3:19 PM
Subject: Which server-side programming should i choose.

> I have an Apache webserver on a FreeBSD machine. I think mySQL is also installed (I do not know how to check if mySQL is installed on that system). I am planning to put a user authentication to access my webpages in the server. For that i need to write server-side programming. Since there are any server-side softwares (PHP, ASP, JSP, Perl), I am confused as to which one would be better for Apache and freeBSD. Instead of going for those server-side programming, should I go for HTTP authentication method. I am confused. Any kind of help would be appreciated.

Not much to do with FBSD, but ...

PHP!! All the way...easiest, free, likely to be more secure than Perl if used as Apache module than CGI. Beautiful C-like syntax (/usr/src/* might even make more sense to you after learning it...) great user community.

Kevin Kinsey, DaleCo, S.P.
Re: Which server-side programming should i choose.
On Wed, Jul 02, 2003 at 02:14:01PM -0700, sanketh sangam wrote:
> Hey Alex, Thanks for your response. The advance HTTP authentication is called DIGEST Authentication.

Yes, that's the one.

> Now about PHP and JSP, as for now i am starting out with a small application. So, i guess i can go for PHP. But later if the project gets larger can i migrate from PHP to JSP, I mean can it be accomplished easily.

It's an entirely different programming language. Every php page has to be rewritten. So no, not really. If I would be planning on something big, I would start with JSP even though the project wasn't big yet.

> Do you know about mod_auth_mysql along with .htaccess (they are provided by apache). It seems that module can be used for user authentication.

I have no experience with that port, but I believe it allows access to a certain directory and gets the information from a database. Whether or not to use it probably depends on your detailed plans. I don't think I can help you with it.

> I am not sure if that module is running on my system. Do you know how i can find out if that module has been installed on my system or not.

pkg_info will list it if it's on your system. But that's another discussion and thus doesn't really belong in this mail.

> Thank you very much for your time.
> -Babu

I feel the following things are helpful when sending to this list:

1. Do send mail like this with a cc to the original list. Others can learn from our exchange of information.
2. Don't top-post. This makes it hard for others to read it.
3. Cut your text. Text that has no more relevancy only confuses people.
Re: Which server-side programming should i choose.
From: Kevin Kinsey, DaleCo, S.P. [EMAIL PROTECTED]
To: sanketh sangam [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, July 02, 2003 5:48 PM
Subject: Re: Which server-side programming should i choose.

> From: sanketh sangam [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Wednesday, July 02, 2003 3:19 PM
> Subject: Which server-side programming should i choose.
>
>> I have an Apache webserver on a FreeBSD machine. I think mySQL is also installed (I do not know how to check if mySQL is installed on that system). I am planning to put a user authentication to access my webpages in the server. For that i need to write server-side programming. Since there are any server-side softwares (PHP, ASP, JSP, Perl), I am confused as to which one would be better for Apache and freeBSD. Instead of going for those server-side programming, should I go for HTTP authentication method. I am confused. Any kind of help would be appreciated.
>
> Not much to do with FBSD, but ...
>
> PHP!! All the way...easiest, free, likely to be more secure than Perl if used as Apache module than CGI. Beautiful C-like syntax (/usr/src/* might even make more sense to you after learning it...) great user community.
>
> Kevin Kinsey, DaleCo, S.P.

OK, once more I post before getting the full context. Bill Campbell's suggestion is good, too. PHP might be overkill if *all* you want to do is limit access to certain areas/pages. But, if you *want* to also have interactive content, PHP's great; and it has native functions to do the HTTP authorization, as well as giving you other options in re: authorization.

KDK
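Kevin's remark that PHP has native functions for HTTP authorization, together with Alex's warning earlier in the thread that the first form of HTTP authentication sends the password as plain text, as an added PHP example that is not from any message in the thread. It assumes the PHP_AUTH_USER and PHP_AUTH_PW variables that mod_php fills in after a Basic challenge, falls back to the raw Authorization header for the CGI case, and takes the $_SERVER-style array as a parameter so the functions can be exercised from the command line against constructed requests; the user name, password and realm are made up, and the rule that Basic credentials are only honoured over TLS is the example's own choice.

```php
<?php
declare(strict_types=1);

// Constructed credential store: user name => password_hash() output.  A real
// deployment would load this from the database the thread talks about.
function user_table(): array {
    return ['babu' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
}

// Pull "user:password" out of an "Authorization: Basic ..." header.  The result
// is plain text: base64 is an encoding, not encryption, which is exactly the
// "for everybody to read" problem raised in the thread.
function parse_basic_header(string $header): ?array {
    if (!preg_match('/\ABasic\s+([A-Za-z0-9+\/=]+)\z/', trim($header), $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    [$user, $pass] = explode(':', $decoded, 2);
    return [$user, $pass];
}

// Return the authenticated user name, or null when the request is refused.
function basic_auth_user(array $server, array $users): ?string {
    // Basic credentials cross the wire unprotected, so only accept them on TLS.
    if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
        return null;
    }
    // mod_php populates PHP_AUTH_USER/PHP_AUTH_PW; under CGI the raw header
    // (if the server passes it through at all) is the only source.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        $user = $server['PHP_AUTH_USER'];
        $pass = $server['PHP_AUTH_PW'];
    } elseif (isset($server['HTTP_AUTHORIZATION'])) {
        $parsed = parse_basic_header($server['HTTP_AUTHORIZATION']);
        if ($parsed === null) {
            return null;
        }
        [$user, $pass] = $parsed;
    } else {
        return null;
    }
    // Compare against a hash, never against a stored clear-text password.
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return null;
    }
    return $user;
}

// The challenge half of the exchange, for use from a web request handler.
function send_basic_challenge(string $realm): void {
    header('WWW-Authenticate: Basic realm="' . addcslashes($realm, '"\\') . '"');
    http_response_code(401);
}

// Command-line walk-through with constructed requests.
$users   = user_table();
$request = [
    'HTTPS'              => 'on',
    'HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('babu:correct horse battery staple'),
];
printf("over TLS, good password  -> %s\n", basic_auth_user($request, $users) ?? 'denied');
$request['HTTP_AUTHORIZATION'] = 'Basic ' . base64_encode('babu:guess');
printf("over TLS, wrong password -> %s\n", basic_auth_user($request, $users) ?? 'denied');
$request['HTTPS'] = 'off';
printf("plain HTTP               -> %s\n", basic_auth_user($request, $users) ?? 'denied');
printf("what the header carries  -> %s\n", implode(':', parse_basic_header($request['HTTP_AUTHORIZATION'])));
```

The last line is the point Alex makes: decoding the header gives back the user name and password verbatim, so whatever a Basic-authenticated page protects is only as private as the transport underneath it. In a request handler the flow is to call `basic_auth_user($_SERVER, $users)` and, on null, `send_basic_challenge()` followed by an exit.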