<div class="gmail_quote">On Wed, Aug 17, 2011 at 7:40 AM, Stuart Thiessen <span dir="ltr"><<a href="mailto:thiessenstuart@aol.com">thiessenstuart@aol.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
From recent emails, it seems that several encourage Ruby or Python over PHP for security reasons. Is Ruby that much more secure? How so?<br>
<br>
I work with a few websites for organizations I am a part of. So far, I have used PHP for most of what I have worked with. I just noticed that our provider (which previously only had Perl and PHP) now has Ruby available. I wish they had Python, but apparently not yet. So ... as someone who knows Perl, PHP, and Python, do any of you have suggestions on how I can leverage those skills to help me learn Ruby? I glanced at it once, but didn't pursue it because it wasn't available as a language our provider installed. What kinds of relearning did you experience with Ruby? Any best tutorials, books, or other resources for learning Ruby? I plan to do some googling today, but I also prefer to find out what others have experienced too.<br>
</blockquote><div><br></div><div>Two different types of answers that work together here.</div><div><br></div><div>1. PHP has a bad rap from the security industry because the docs have in the past encouraged some poor programming practices, and the security team, instead of releasing security-only fixes, includes security fixes along with feature enhancements rolled together in the same release. Therefore if you're using PHP 4.3.2 and you've tested your software with it and you know it works, then when a security prob pops up you have to upgrade to 4.3.3, which may change the way your software works and possibly break it. This makes people unhappy, and security pros tend to have to do a lot more work backporting patches to stable versions.</div>
<div><br></div><div>2. PHP is low level. There's no templating built in, there's no abstraction, there's no built-in protection to prevent you from shooting yourself in the foot. If you build an app from scratch, which often means building a framework of your own (even if it's just loosely throwing Smarty and ADOdb and a few other pieces together), there is no one looking out for the security and functionality of the end product but you.</div>
<div><br></div><div>Contrast that to Rails and Django (and CakePHP or CodeIgniter in the PHP world) and you've got a whole team of people looking out for the security of the underlying framework of your app. You'd probably use their authentication system, which uses password hashing; their ORM, which provides SQL injection protection; their form library, which includes CSRF protection. These are things that provide a thick layer of security, often with numerous developers and security professionals scrutinizing it carefully.</div>
<div><br></div><div>You do have to keep your framework up to date though. I strongly suggest subscribing to the announcement list for your framework so that you get instant notices when updates are available. Many will explain how serious the need to update is. If you use add-ons then you should subscribe to their announcement lists too, and think carefully about using add-ons that don't take seriously the task of keeping people informed. Also, I don't suggest you install Rails or Django (or any framework) from your Linux distribution's package manager. It will be old and out of date, and you'll be at the mercy of whoever the maintainer is. In Ubuntu, for example, you may have to install from Universe, and there is no promise that you'll get timely updates.</div>
<div><br></div><div>Now, about learning a framework: you should tell us how you learn. Do you like books, videos, instructor training? Also, do you want to learn a new language, or would you like to try out frameworks in PHP? If you want to stick with PHP then consider Cake, which is a Rails-like tool (i.e. follow the conventions, get a lot for free), or CodeIgniter, which gives you a pile of highly reusable tools that you stack together like Legos. They're both great choices, and you should consider them along with Django and Rails if you decide to make a change.</div>
</div><div><br></div>-- <br>Matthew Nuzum<br>newz2000 on freenode, skype, linkedin and twitter<br><br><p>
</p><p><span>♫</span> You're never fully dressed without a smile! <span>♫</span></p><p></p><br>
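<p>Added example, not part of the thread above and not code from Rails, Django, CakePHP or CodeIgniter: a stand-alone Ruby miniature of the three protections the reply credits a framework with (parameterised queries instead of string-interpolated SQL, salted slow password hashing, and per-session CSRF tokens), using only the Ruby standard library. The SQL binder is a deliberately simplified illustration (real ORMs hand parameters to the database driver rather than escaping text), and the function names, the PBKDF2 parameters and the storage format are this example's own assumptions.</p>

```ruby
# Added example (not from the original thread): a miniature of the protections a
# web framework supplies so the app author does not have to get them right alone.
# Standard library only: securerandom and openssl.
require "securerandom"
require "openssl"

# --- 1. Parameterised queries instead of string interpolation -----------------
# The unsafe pattern: user input spliced straight into the statement text.
def unsafe_user_query(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Toy binder (assumption: illustration only, real ORMs bind via the driver).
# Each "?" takes the next argument as an escaped SQL literal, so the input can
# never change the structure of the statement.
def bind_sql(template, *args)
  raise ArgumentError, "placeholder/argument mismatch" unless template.count("?") == args.length
  pending = args.dup
  template.gsub("?") do
    v = pending.shift
    case v
    when Integer then v.to_s
    when String  then "'" + v.gsub("'", "''") + "'"   # SQL string literal escaping
    else raise ArgumentError, "unsupported parameter type #{v.class}"
    end
  end
end

# --- 2. Salted, slow password hashing -----------------------------------------
# PBKDF2-HMAC-SHA256 from OpenSSL. Rails uses bcrypt; the shape is the same:
# random salt per password, many iterations, constant-time verification.
ITERATIONS = 100_000   # assumption: tune to your hardware

def hash_password(password)
  salt = SecureRandom.hex(16)
  key  = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, OpenSSL::Digest.new("sha256"))
  "pbkdf2-sha256$#{ITERATIONS}$#{salt}$#{key.unpack1('H*')}"
end

def verify_password(stored, password)
  _alg, iters, salt, hex = stored.split("$", 4)
  key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iters.to_i, 32, OpenSSL::Digest.new("sha256"))
  secure_compare(key.unpack1("H*"), hex)
end

# --- 3. CSRF tokens bound to the session --------------------------------------
# The token is minted once per session and embedded in every form; a POST is
# accepted only if it carries the token that this session was issued.
def csrf_token_for(session)
  session[:csrf_token] ||= SecureRandom.urlsafe_base64(32)
end

def valid_csrf?(session, submitted)
  expected = session[:csrf_token]
  return false if expected.nil? || submitted.nil?
  secure_compare(expected, submitted)
end

# Constant-time comparison so response timing does not leak a token or hash
# byte by byte. Length is compared first; unequal lengths are rejected outright.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

if __FILE__ == $PROGRAM_NAME
  evil = "x' OR '1'='1"                      # constructed injection input
  puts unsafe_user_query(evil)               # the OR clause becomes SQL
  puts bind_sql("SELECT * FROM users WHERE name = ?", evil)  # stays a literal

  stored = hash_password("correct horse")
  puts stored
  puts verify_password(stored, "correct horse")   # true
  puts verify_password(stored, "wrong")           # false

  session = {}
  token = csrf_token_for(session)
  puts valid_csrf?(session, token)                # true
  puts valid_csrf?(session, "forged")             # false
end
```

<p>Run it with <code>ruby csrf_demo.rb</code> (file name assumed). The point is not that these forty lines are hard to write, but that a framework ships them already reviewed and keeps them patched, which is what the reply above means by a "thick layer of security".</p>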