[CS-FSLUG] Content Management Software

Vincent Danen vdanen at linsec.ca
Fri Oct 5 09:51:35 CDT 2007


* Micah Yoder <yoderm at gmail.com> [2007-10-05 05:17:35 -0500]:

>> I've often wondered about this myself, with news almost weekly of a
>> vulnerability found in PHP. I know there are projects using Perl (Tim's
>> SAFARI) and plenty using CGI, and a couple using Java. Any others?
>
>More than PHP security vulnerabilities.  PHP is horribly inefficient.
>It has to parse all the code for every HTTP request.  Developing
>complex object models in PHP makes for *ugly* code.

A lot of these vulnerabilities are relatively minor.  Yes, I know there
have been a *lot* (oh boy do I know!), but for the most part they're
very minor or very difficult to exploit in any significant way.

You can also use a caching system, like memcached or APC.  They work
quite well.

And ugly code is in the eye of the beholder (and the skill/care of the
developer).  =)  I've seen some pretty awful perl code, some disgusting
PHP code, and some really clean PHP code.  Python is a bit nicer in this
respect.. you're almost forced into being tidy.

>Sometimes I wish I could start a CMS project for Python/Postgres, but
>there are far too many other things I'd like to do ... really need to
>make up my mind and stick to one.
>
>PHP is fine for small sites with simple logic.  Using it for more than
>that is, IMHO, insane.

I disagree.  I've implemented stuff in PHP that was big and complex and
have had no issues with it whatsoever.  In fact, things that I've
rewritten from perl (or mimicked from perl) have been faster...
sometimes *much* faster, in PHP.  I wrote a bugzilla clone in PHP... it
was very close in feature parity to bugzilla and in terms of speed it
ran circles around bugzilla.  I've had CLI scripts written in perl
(written by a very very good perl programmer), that I rewrote in PHP
(simply because that fellow left and I couldn't understand half of what
he was doing)... the end result was a script that was doubly complex
(had to do more), larger, but ran more than 2x faster.

PHP, if used properly, has great potential and can drive very complex
and large sites/scripts.  The problem is it's so easy to pick up, on
every web hosting service out there, so it's easy for people to write
quick-n-dirty crap code.

Now, to be fair, I can only really compare perl and php, and of the two,
I much prefer php.  I've very little experience with python.

But I question the idea that php is inefficient because it has to parse
code for every HTTP request.  Don't python and perl have to do the same
thing, unless the server itself is written in said language?  I mean,
under mod_python or mod_perl, wouldn't the results be the same as that
under mod_php?  I suspect there is support there to prevent the
interpreter from firing up every time a request comes in, which reduces
some overhead, but don't they still have to re-parse things for each
request unless an object cache is being used?

-- 
Vincent Danen @ http://linsec.ca/
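As an added illustration of the "use a caching system, like memcached or APC" suggestion in the reply above (this is example code, not anything from the list post or from the APC project): a small cache-aside wrapper around APC's user-data cache. The `myapp:` key prefix, the `cached()` helper and the `load_frontpage()` stand-in query are assumptions for the example; the APC calls `apc_fetch` and `apc_store` are the extension's real functions (on PHP 7 with APCu they are `apcu_fetch` and `apcu_store`).

```php
<?php
// Added example, not code from the mailing-list thread. Assumes the APC
// extension is loaded; when it is not, the helper simply recomputes.

// Cache-aside: return the cached value for $key if present, otherwise
// build it with the named callback, store it for $ttl seconds, return it.
// Caveat: apc_fetch() signals a miss by returning false, so a value that is
// itself false can never be cached by this helper; wrap such values in an array.
function cached($key, $ttl, $callback) {
    $key = 'myapp:' . $key;             // hypothetical namespace prefix so keys
                                        // from different apps cannot collide
    if (function_exists('apc_fetch')) {
        $value = apc_fetch($key);       // false on a cache miss
        if ($value !== false) {
            return $value;
        }
    }
    $value = call_user_func($callback); // the expensive part, run once per TTL
    if (function_exists('apc_store')) {
        apc_store($key, $value, $ttl);  // entry expires after $ttl seconds
    }
    return $value;
}

// Constructed stand-in for a slow database query.
function load_frontpage() {
    return array(
        array('id' => 1, 'title' => 'First article'),
        array('id' => 2, 'title' => 'Second article'),
    );
}

// First call on a cold cache runs load_frontpage(); later calls within
// 60 seconds are served from shared memory without touching the database.
$rows = cached('frontpage_articles', 60, 'load_frontpage');
print_r($rows);
```

Note that APC also serves as an opcode cache for the compiled PHP scripts themselves, which is a separate function from the user-data cache shown here; the wrapper above only addresses repeated expensive computations, not script compilation.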