[Klug-general] Web Scripting Languages
Allen Brooker
allen at allenjb.me.uk
Sat Jan 6 17:36:01 GMT 2007
Matthew Macdonald-Wallace wrote:
> OK Folks,
>
> Following on from my emails about securing an apache server, and the
> comments received about PHP not necessarily being the most secure or
> system efficient web-application development platform, what do people
> think of the following languages?
>
> 1) Python - my very limited understanding of this language leads me to
> believe that this is very powerful, very quick and fairly easy to use.
Easy to use? It kind of depends. I dislike Python because of its enforced
whitespace style. Try it, you might like it, or you might not.
I personally doubt Python is significantly quicker than, for example,
PHP or Perl.
>
> 2) PHP - The language I know best. Very powerful, however it's not
> without security risks. I have been led to believe that the majority of
> these have been patched in the more recent versions, however it is
> resource intensive.
Bear with me here - I'm going to have a little rant, mainly because PHP
is one of the languages I've used most over the years.
I'm sorry, but the crap people spread about security risks and PHP (as a
language in general) is just pure FUD mostly. I haven't seen any article
yet that has persuaded me that PHP is less secure than any other given
scripting language. There's a few reasons PHP gets such a bad name, I
believe:
1. It's one of the easiest languages to pick up and run with, making it
one of the most widely used by new programmers. This inevitably leads to
a lot of bad code, mainly due to the huge number of really bad tutorials
out there. PHP scripts are just as easy (if not easier, because most of
what you need is built-in to PHP's internal modules rather than having
to import modules) to secure as Perl scripts IMO. (Note: Before
migrating to mainly using PHP, I used Perl CGI for web development, and
still do a bit of Perl CGI occasionally - Perl is a wonderfully
flexible language).
2. The amount of NIH (Not Invented Here) Syndrome among the PHP
community is insane. Huge projects like phpbb choose to, instead of
using commonly used sets of code such as PEAR modules and the like,
write their own database and templating systems. This means you end up
with lots of sets of code with only a few eyeballs looking at each,
instead of a few select sets of code with lots of eyeballs on each.
(And believe me, the phpbb code is a hard read - most of it is totally
uncommented and there's no design documentation at all, and on top of
that, there are no unit tests either, so editing something easily has
unintended consequences).
I think this problem partly stems from PHP's lack of namespaces.
Languages like Perl, which have a proper namespace and module system,
seem to thrive in terms of lack of NIH syndrome. I was really
disappointed that namespaces didn't make it into PHP5. While namespaces
are certainly not required for such results (as the PEAR project shows),
they seem to give it a huge boost.
>
> 3) CGI - as I understand it, this is mainly done in Perl. It seems to be
> incredibly powerful and does everything that PHP does but in a more
> efficient way, provided that you can program the code accordingly.
CGI isn't a scripting language, it's an interface between the webserver
and programs which wish to use the webserver (usually scripting
languages like PHP and Python, but can also be pure executables). If
you're looking at this route you may also wish to investigate FastCGI.
>
> 4) SSI - easy to use and learn, doesn't need external programs as it is
> integrated into Apache.
Server Side Includes are wonderful, but limited. If it's purely
templating you want to do, then they'll probably do the job for you, but
they can't do much more (more advanced functionality in SSI pages is
usually provided by calling scripts).
In your previous mail you mentioned that it was mainly templating you
were doing, in which case you might also want to look at XSLT. The
downside with XSLT is that some browsers don't support it yet (Konqueror
being one, but that's being fixed for KDE4). However you can use server
side XSLT, via applications such as Gorg, which the Gentoo site uses
( http://gentoo.neysx.org/mystuff/gorg/gorg.xml ).
>
> Is it a case of "Use what you know", "Use the right tool for the right
> job", or "Use this language because it's just the best damn language on
> the net right now!!!"?
It should, I believe, be equal amounts of the first 2, and not at all
the 3rd.
>
> Answers on a postcard to the usual address.
Eww, hardcopy. I'll send an email reply instead I think =P
Allen
>
> Cheers,
>
> Matt (Determined to get more involved with F/OSS)
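The reply above makes two points that are easier to see in code than in prose: that CGI is not a language but an interface (the webserver hands the program request metadata in environment variables and a POST body on stdin, and reads a header block plus body back from stdout), and that a script in any of these languages is only as secure as its handling of request input. The following Python program is an added example illustrating both; it is not part of the original thread and not code from any of the participants. It assumes a CGI/1.1-style environment (REQUEST_METHOD, QUERY_STRING, CONTENT_LENGTH variables), the Status: header convention for non-parsed-header scripts, and a hypothetical page that greets a `name` parameter. The 4096-byte body cap is a constructed limit for the example.

```python
"""Minimal CGI program: the webserver/program interface, with escaped output.

Added example, not from the original thread.  Assumes a CGI/1.1-style
environment: request metadata arrives in environment variables
(REQUEST_METHOD, QUERY_STRING, CONTENT_LENGTH), a POST body arrives on
stdin, and the program writes a header block, a blank line and the body
to stdout.  The page itself is hypothetical: it greets a 'name' parameter.
"""
import html
import os
import sys
from urllib.parse import parse_qs

MAX_BODY = 4096  # constructed cap for POST bodies in this example


def content_length(environ):
    """CONTENT_LENGTH as an int, treating a missing or malformed value as 0."""
    try:
        return int(environ.get("CONTENT_LENGTH", "0"))
    except ValueError:
        return 0


def read_params(environ, stdin_bytes=b""):
    """Collect request parameters from the CGI environment.

    GET parameters are in QUERY_STRING; a form POST is on stdin, with its
    size announced in CONTENT_LENGTH.  parse_qs does the percent-decoding
    and keeps repeated keys as lists.  Bodies over MAX_BODY are ignored.
    """
    params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    if environ.get("REQUEST_METHOD") == "POST":
        length = content_length(environ)
        if 0 < length <= MAX_BODY:
            body = stdin_bytes[:length].decode("utf-8", errors="replace")
            for key, values in parse_qs(body, keep_blank_values=True).items():
                params.setdefault(key, []).extend(values)
    return params


def render(params):
    """Build the response as (status, headers, body).

    Every value taken from the request goes through html.escape before it
    is placed in the page, so a name like <script>alert(1)</script> is
    displayed as text instead of being interpreted as markup.
    """
    name = params.get("name", ["stranger"])[0]
    safe_name = html.escape(name, quote=True)
    body = (
        "<!DOCTYPE html>\n<html><body>\n"
        f"<p>Hello, {safe_name}.</p>\n"
        "</body></html>\n"
    )
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(body.encode("utf-8")))),
    ]
    return "200 OK", headers, body


def handle(environ, stdin_bytes=b""):
    """Full request cycle; returns the exact bytes the CGI program emits."""
    status, headers, body = render(read_params(environ, stdin_bytes))
    lines = [f"Status: {status}"] + [f"{k}: {v}" for k, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode("utf-8")


if __name__ == "__main__":
    # Real CGI invocation: environment from the webserver, body on stdin.
    # Read only the announced number of bytes so we never block on an
    # open stdin.
    raw = b""
    if os.environ.get("REQUEST_METHOD") == "POST":
        raw = sys.stdin.buffer.read(min(content_length(os.environ), MAX_BODY))
    sys.stdout.buffer.write(handle(os.environ, raw))
```

The same structure applies whether the program is written in Perl, PHP (as a CGI binary) or a compiled executable: only the environment variables and the stdin/stdout contract are fixed by CGI. FastCGI, mentioned in the reply, keeps the program resident between requests instead of starting a new process each time, but the request data it carries is the same.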