secure server side language - security

Looking around the horizon of the web server side, I see that scripted languages like PHP are quite popular,
probably due to the speed of development and ease of programming.
However, scripted languages are human readable, so wouldn't code security be an issue here?
I would like to know, if I am keen on the security of my code on the server, what server language/technology would be most suitable.

When you use any server side language, only people with access to the FTP protocol (or SSH) can see the files. When you are regularly browsing the web, you cannot see PHP, or any other scripting language.
In terms of the actual language security, little bugs can be found, but you will get that in every language.
The security of your script depends on how you design it.
For the most part, every language is secure, but not every programmer is.

scripted languages are human readable, so wouldn't code security be an issue here?
No, users on the web will never see the code of your server-side programs - unless you publish the source.
Some security problems in web applications stem from the type of language used on the server side: buffer overflow is a security problem typical of C. So a scripting language would actually be more secure in this regard.
Typical security problems in web apps today stem from the interaction of client, server, database and user-entered data:
SQL Injection
Cross Site Scripting
Cross Site Request Forgery
...
A modern Web Framework like Ruby on Rails (or many others) will help you avoid some of these problems. But you still will have to learn a lot about web security!
"Staying away from Javascript" is a bit like "staying away from cars" because they are dangerous. Javascript is an integral part of modern web applications.
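The answer above names SQL injection as the kind of problem that comes from how user-entered data meets the database, not from the language. The following is an added example, not code from the original post: the same lookup written twice in Python against an in-memory SQLite table with constructed sample rows, once by pasting the input into the SQL text and once with a parameterized query. The table, user names and the injection string are all made up for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
USERS = [
    ("alice", "s3cret-hash", "admin"),
    ("bob", "hunter2-hash", "user"),
]

# A classic injection payload: closes the quoted literal, then adds an always-true clause.
INJECTION = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Build an in-memory table holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the input is concatenated into the SQL text, so a quote in the
    input changes the structure of the query rather than just its data."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the driver sends the value separately from the statement text,
    so whatever the input contains it can only ever be compared as a string."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", lookup_unsafe(db, INJECTION))  # every row comes back
    print("safe:  ", lookup_safe(db, INJECTION))    # no user has that literal name
```

The vulnerable version returns both rows because the executed statement becomes `SELECT ... WHERE name = '' OR '1'='1'`; the parameterized version returns nothing because it looks for a user literally named `' OR '1'='1`. Nothing about PHP, Python or C changes this; the fix is in how the query is built.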

All serious (ignoring Piet, Malbolge, etc) programming languages are human-readable. Whether or not an explicit compilation step is required has no effect whatsoever on application security.
If you want to be very careful about security, use a language which supports easy verification and/or proofs, such as Haskell or Ada. A typical web application probably would be OK with a modern dynamic language, such as Python or Ruby. Java and C# are also popular, for performance reasons. Any of these will make developing secure applications significantly easier than in legacy platforms such as PHP, Perl/CGI, or classic ASP.
Lastly, as a small pet peeve -- PHP, Python, Ruby, Perl, etc, are not scripting languages.

I would say that the only really safe way to protect your code is by using ISAPI or CGI, and developing the application with some hard compiled language like C, C++, VB 5 or higher, any .NET language, Delphi 5 or higher and so on. Any bytecode or interpreted language can be decompiled, no matter what you do. New obfuscation methods may hold the crackers for a while, but they will always find a way to get the source. The source is there, the decompilation routine is there, the source must be revealed to be used by the framework, so all the crackers have to do is to catch it on the way.
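The point made in the answer above, that bytecode has to be readable by the runtime and can therefore be read by anyone who holds it, can be shown directly. The following is an added example and not part of the original post: a tiny function with a hard-coded credential (a constructed placeholder, not a real key) is compiled to Python bytecode and serialized the way a `.pyc` is; the string constants are then pulled straight out of the serialized code object without ever seeing the source.

```python
import dis
import marshal
import types

# Constructed sample source with a made-up secret; not from the original post.
SOURCE = '''
def connect():
    api_key = "AKIA-EXAMPLE-NOT-REAL"
    return "connected with " + api_key
'''


def build_bytecode() -> bytes:
    """Compile the source to a code object and serialize it, as a .pyc file would."""
    code = compile(SOURCE, "<hidden>", "exec")
    return marshal.dumps(code)


def recover_strings(blob: bytes) -> list:
    """Walk the deserialized code object tree and return every string constant.

    No source file is involved: the constants must be present in the bytecode
    because the interpreter needs them to run the function.
    """
    found = []

    def walk(code: types.CodeType) -> None:
        for const in code.co_consts:
            if isinstance(const, str):
                found.append(const)
            elif isinstance(const, types.CodeType):
                walk(const)  # nested function bodies carry their own constants

    walk(marshal.loads(blob))
    return found


if __name__ == "__main__":
    blob = build_bytecode()
    print("string constants recovered from bytecode:", recover_strings(blob))
    # The disassembly exposes names and control flow as well as constants.
    dis.dis(marshal.loads(blob))
```

Renaming identifiers with an obfuscator does not remove the literal from `co_consts`; a secret that the program must present to another system has to be somewhere the program can read it, which is also somewhere an attacker with the file can read it.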

The language has a small part to do with it. However, a lot has to do with how you actually design and write the code.

ASP.NET gets compiled into DLLs, so the code is not human readable on the server. But even in PHP, the code gets executed on the server.
Just stay away from JavaScript as that is visible on the client, and human readable.

My main preference is .NET, however even with the scripting languages like PHP they are not seeing your raw code unless you're giving people access to read the raw code files. I've seen some very secure PHP sites. If you're concerned about what people can see and access, then you need to watch what you are putting into the client side scripting languages like Javascript.

For 'hiding' the code there are a few different languages that support this. .NET languages can be compiled, which generates DLLs without containing the original source code on the server. These, however, can be read with something like .NET Reflector, so to escape that you would run something like Dotfuscator on your code, making it more difficult to read.
For PHP, there are solutions such as ionCube that encode your script, and they must be run with an additional decoder on the server to execute them. Usually this is used when reselling scripts, so clients can't look at or modify the source.

Related

What would be the disadvantages of building a website purely in Eiffel using EWF (Eiffel Web Framework)?

We are looking to build a website on top of an existing Eiffel business-tier core, which is sitting over a MS SQL Server database. I am presently considering the advantages and disadvantages of writing the web and mobile tiers either purely in Eiffel, purely in typical web-stacks, or some hybrid.
For us, there are clear advantages to pure Eiffel, not the least of which are:
Inheritance and other language notation mechanisms not found in other languages.
The compiler cannot see into code from other languages, so we are at the same disadvantage once we cross out of Eiffel into something else.
Auto-Test is something we heavily rely on in our Eiffel code, which takes clear advantage of Design by Contract. In other languages, we lose this power and are left with TDD (e.g. their version of Auto-Test in Eiffel).
We now have to learn more than: Eiffel, HTML-5, CSS-3, JS, and whatever JS framework(s) we use.
Every new language and tool adds more complexity to the project.
Eiffel programs are compiled to C --> EXEs, which are far faster than their scripted and interpreted counterparts.
I think there are also some clear advantages to existing, non-Eiffel languages as well:
Existing frameworks and tools can develop simple to moderate web sites and mobile applications rather quickly.
Existing "best practices" are not terrible and produce reasonably reliable and maintainable code.
I am not sure what all of the advantages and disadvantages are, so I am asking. However, at the end of the day: Our core business suite is pure Eiffel. That will never change.
Thanks in advance for the feedback!
Here is what I can say from my own experience (I have created several web applications in different frameworks, including one in Eiffel). First, the Eiffel Web Framework is quite usable right now. The advantage of other frameworks is their features. Here is a list of the major problems I encountered when I created my web application with Eiffel:
I had to create the MVC design myself (other frameworks like Django, Rails or Laravel do that automatically).
Eiffel lacks a good templating system. The Smarty library is ok, but it really lacks some really good template features that others have. Also, trying to work with UTF-8 files in Smarty can be quite difficult (this has been a pain for me).
I had to do some session management based on cookies because the one in the Eiffel Web Framework was quite primitive.
The release process (removing Nino) was not easy and lacked good documentation (I was using Apache, I don't know about IIS).
That's it, other than that, every thing went quite smoothly.
The next list of disadvantages is from my naïve point of view:
The EWF package is not finished, it's going to have more nice capabilities in the future, therefore you may need to follow the new development to take advantage of new functionality.
Eiffel compiler makes it impossible to update a web program on the fly, it needs to be recompiled and redeployed.
If the program is going to be multithreaded, you need to learn a structured way to deal with concurrency based on the SCOOP model.
Some tools (e.g., XSLT processors) are not readily integrated into EWF, you may need to do this yourself.
The current EWF API is rather low-level, so before higher-level frameworks built on top of EWF become widespread, you may need to do more low-level programming than expected (by low-level I mostly mean the way to generate HTML/XML/or some other format your web service is going to produce).
Having to use just one language to do both application logic and HTML generation, that allows for easy debugging, may lower the requirements for the developers and their skills, that may affect your business model.
There are several tools that address specific needs like wiki, simple web-page creation, authorization, etc., but you may need to enhance them to get richer functionality as well as to design the architecture of your software, because some idioms and usage patterns are not established yet.

Since Java can run on the client-side using JVM, my professor says it is a client-side programming language also. Can somebody explain if he is right?

JavaScript and VBScript were both designed to run in client-side browsers from their original design, and they have long been recognized as "client-side scripting languages" (until NodeJS came out).
However, my professor argues that Java is also a client-side programming language, given that Java Applet runs directly on a browser with add-on. My arguments are that Java is not a client-side programming language as it was not designed for it. Also, it requires the JVM, it is not a native application language that can run directly on a browser. Although different languages can be altered to adapt similar functionalities, it does not mean they fit for the purposes.
We always hear terms like "client-side programming languages", but is there really a way to define it? Can somebody explain to me who is right please?
(Edit: This was the answer to the original unedited question that asked which of the languages are not client-side language. The answer doesn't seem much relevant after those edits)
Java
JavaScript and VBScript are both scripting languages that usually (not always) run in client web browser.
Just google them and you'll find why.
Answer to your comment:
Java Applets let the Java program run in the web browser, but that does not count as client-side technology because to run the Java Applet, the client system must have the Java Virtual Machine installed. It is much like downloading a compiled Java program from a web site and running it on the client. JavaScript and VBScript are both run by the browser. These two languages were created for the client side (but they have new usages in other environments). That is not the case with Java Applets.

Good combination of web application languages

I've looked around some of the asked questions and I noticed many questions dealing with THE best web application language. I'm curious about looking into a combination of web application languages, possibly some that would complement each other well. At the moment my list of possible web app languages is:
PHP
Ruby on Rails
JavaScript
AJAX (not really a language on its own)
Grails
I know that certain ones like JavaScript and AJAX work well together but I'm curious about the rest. What about PHP and JavaScript? Does Rails play well with others? Is looking to use a combination of languages even a possibility? I know that some may be used for different kinds of applications but I would like to focus on more than just 1 of them. Thanks for the help. Any and all comments are appreciated.
You are mixing everything up.
PHP and RoR (Ruby on Rails) are server-side scripting technologies (and Rails is not really a programming language). They can generate content that is served to the user (i.e. HTML files), but they can do a lot more. You NEED a server-side language if you want to interact with your users (i.e. allow them to leave comments, etc.).
Javascript (and AJAX, partially) on the other hand runs completely on the client side. You'll mainly use JS and Ajax to improve user experience, but remember to code your site in such a way it works even if JS is off.
Generally, as a complement to your server-side scripts you need a database, and among them the most popular ones are relational DB's that support SQL (Structured Query Language), like MySQL, SQL Server, Oracle, etc.
So, what's the "best" combination for you? It really depends. Hosting with PHP+MySQL is widely available and it's cheap, and PHP has a massive user community, and many freely available libraries and frameworks for you to use. So if you are just getting into web development, I'd suggest starting with PHP+MySQL.
Rails is not a language, it's a framework. Ruby is the language.
Grails is not a language, it's a framework. The language is Groovy.
Ajax is not a language, it's a marketing term coined to describe DHTML, which was a marketing term coined to describe using JavaScript to manipulate DOM elements and styles.
Regardless if it's PHP and Python, Perl and Java, JavaScript and Erlang, you can use any languages together depending on what you're trying to accomplish.
If you're looking for something learn, I'd say JavaScript (and get down and dirty and really learn it... don't rely on a framework as a crutch) because it's the primary front-end language in the web-world. But that's just my preference.
If you could give us a little more insight into what you're working on then maybe someone can give you a better suggestion of languages to pair up.
A programming language is just a means of achieving a goal, hence the focus should always be on the goal. Just as with human languages the goal is communication, hence the language itself is relatively unimportant.
JavaScript is a client-side scripting language, while the rest of the things that you have mentioned are server-side scripting languages. No matter what server-side language you use, you would have to use JavaScript for client-side scripting.
The other three are open-source languages. Personally I would choose the most popular technology because
a. There is a big community, which ensures that the technology is widely adopted, because I would like other third-party applications gelling well with my application.
b. Fewer flaws, since someone or other would report them and the community would try to fix them.
c. Dynamic future releases: since the community would like to see features which are there in some competing technology, they would always want to add the feature. An excellent technology which has very little community built around it dies its own death, since there are no future releases and slowly it falls behind the competition.
The next important criterion would be whether the tech really suits my application. For example, if I am using a very slow embedded system processor, I cannot use Python; I will have to use C.
Well, in all the above cases I personally love PHP. PHP has some of the best CMS s/w, which makes life easy, and there is lots of code available for free and widely adopted even by enterprises.

Wasabi like web programming language

Are there any open source or commercial web programming language that function much like Fog Creek's Wasabi? As in you write your web app in this parent language and it then compiles down to php for Linux hosts and ASP.NET for Windows hosts.
Haxe is the closest I've seen, but it only compiles to PHP (and mod_neko), not to ASP.
Genexus is a commercial development tool that does that. It can generate several other languages. It's oriented toward database apps; it generates database schemas and queries from its internal language.
That said, I have worked with it, and I don't like it. It's quite buggy and its programming language is very archaic.
Before you bother, consider whether it's really worth it.
Supporting one platform with multiple configurations is bad enough; do you really need to support both ASP.NET and PHP? If you're writing an in-house application, then you probably want to stick to as few technologies as possible. If you're writing software to sell, then is it really a problem if your product requires a particular platform?
As far as I know, Fog Creek had to develop Wasabi because there wasn't such a tool. There are a few toolkits trying to be portable, but none that compiled to ASP or PHP that I know of (besides Wasabi, that is).
People act like Joel went mad with Wasabi, but I think it makes perfect sense if you put all the pieces together.
FogBugz was originally written in VB.
Joel hates to throw out working code to start over.
Joel was faced with a server market split between MS and Apache w/PHP servers.
Given the circumstances, it's a rational decision to say, "OK, then, we'll just write a VB to PHP translator."
And once you've taken that step, to say, "Well, since we essentially have a compiler here, why not extend it with the features we want that Microsoft has never added to VB?"
Thanks to Wasabi, code that would have to be written twice (or more, given some duplicated server/JavaScript code) is written only once.
Multitarget development is pretty common. It's the reality when you can't dictate your target environment.
Pick a real mature application server platform like Java. It runs everywhere...

How secure are CGI based web apps?

A very well known major drawback of using CGI is poor webserver performance. But how secure are CGI (mainly C/C++) based applications? Are there any major security holes in CGI architecture built on C/C++?
I would like to know some real life implementations of CGI based web apps/web sites. One that I know of is javaranch.com.
The major security hole I would see anywhere, C/C++ included, would be not using a standard, open CGI library, not reading its documentation, and thinking you're secure anyway.
don't re-invent the wheel. Use a CGI library. Some languages have this built-in (PHP probably does), others have it included (Perl comes to mind), others need you to grab it from elsewhere (C/C++). Make sure you know what it is, and that you use it. Do not try to implement it yourself. If you have to ask about security, you, like me, are not qualified to write it.
Read the documentation. If you're using a well-established library, there will be documentation on security issues and what you can do to avoid them.
Do not ever assume you're secure. I'm quite sure I'm not secure, even though I've followed all the rules in the CGI library for Perl, and the rules in the database interface library, etc. But I still assume I'm not secure, and keep it on the forefront of my mind when doing anything there. Should I ever be an expert on security, maybe I'll change my assumption. Not sure yet.
Security is always multi-faceted, and always incomplete. There are holes being found in all sorts of software all the time - software that may have been previously thought secure. And now we have many more best-practices for security than we did, say, 15 years ago. And we have SELinux for more security.
Of course, the question is - do you have enough security for your app? Does a reasonable effort get you a reasonable level of security? Of course, that's why I don't use C/C++, but I use Perl instead. It takes a lot less effort to ensure I don't overwrite memory in Perl than it does in C++. That's a level of security right there with no actual work involved.
CGI is no more insecure than any other WSAPI. It's all about what the program does with the code. All CGI does is set environment variables and hand off to the program.
Many sites are CGI based. Many PHP sites that are located on hosting are run in CGI mode - mod_php is hard to use in a shared environment - no suid.
In general, running as CGI has lower performance, but is better for security - you have no access to webserver internals (as with mod_perl and mod_php) so using vulnerabilities is harder. If you use cgi-bin, your non-executable files are not visible (a common bug of PHP programmers is that they have libraries with extensions like .inc, so the source is shown when this file is requested directly).
Perl's taint-checking mode provides a marvelous way to increase security.
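The answers above describe the CGI contract (the server fills environment variables such as `REQUEST_METHOD` and `QUERY_STRING` and hands off to the program) and recommend taint checking, where input stays untrusted until it has been validated. The following is an added example, not code from the original question or answers, of a small CGI handler in Python that applies that discipline: it reads the request from the environment, insists on exactly one `user` parameter (an assumed parameter name for the demonstration), rejects anything outside an allow-list pattern, and HTML-escapes what it reflects. The handler returns its response rather than printing it, so the logic can be exercised without a web server; the query strings used when run by hand are constructed.

```python
import html
import os
import re
from urllib.parse import parse_qs

# Allow-list for the one parameter this handler reflects back. Input that does not
# match is treated as tainted and is never echoed, which is the idea behind Perl's
# taint mode: validate against a pattern before the value may reach output or a shell.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def handle(environ: dict) -> tuple:
    """Handle one CGI request described by its environment variables.

    Returns (status, content_type, body). The parameter name 'user' is an assumption
    made for this example.
    """
    if environ.get("REQUEST_METHOD", "GET") != "GET":
        return ("405 Method Not Allowed", "text/plain", "GET only\n")

    params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    values = params.get("user", [])
    if len(values) != 1:
        # Duplicate parameters are a classic way to confuse validation; refuse them.
        return ("400 Bad Request", "text/plain", "exactly one 'user' parameter required\n")

    user = values[0]
    if not NAME_RE.fullmatch(user):
        # Tainted input: fail closed and do not reflect the offending value.
        return ("400 Bad Request", "text/plain", "invalid user name\n")

    # Escape on output anyway, so a later loosening of the allow-list cannot
    # silently turn this into a cross-site scripting hole.
    body = "<html><body><p>Hello, %s</p></body></html>\n" % html.escape(user, quote=True)
    return ("200 OK", "text/html; charset=utf-8", body)


def emit(status: str, content_type: str, body: str) -> None:
    """Write a CGI response: header lines, a blank line, then the body."""
    print("Status: %s" % status)
    print("Content-Type: %s" % content_type)
    print()
    print(body, end="")


if __name__ == "__main__":
    # Under a real web server the environment is already populated. When run by hand,
    # fall back to a constructed query string so the script runs stand-alone.
    env = dict(os.environ)
    env.setdefault("REQUEST_METHOD", "GET")
    env.setdefault("QUERY_STRING", "user=<script>alert(1)</script>")
    emit(*handle(env))
```

Dropping the script into a `cgi-bin` directory and requesting `?user=alice` produces a `200 OK` page, while `?user=<script>alert(1)</script>`, a POST, or a repeated `user=` parameter are all refused before anything from the request reaches the output.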
