Slashdot Mirror


How to Build, Install, Secure & Optimize PHP

geekmedia writes "Open Network Architecture has an excellent article up entitled "How to Build, Install, Secure & Optimize PHP.""


  1. mod_php security reduces functionality by DrSkwid · · Score: 3, Interesting

    I prefer to use PHP in cgi mode and use SUXEC in Apache for virtual hosting.

    I get mod_perl to read the config data in from a database when Apache starts up.

    Our Apache setup (for multiple machines) is then automated with a few HTML forms.

    It also gives us the advantage of reducing insecurity with other cgi based programs.

    not perfect performance wise but I think the tradeoff is acceptable.

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
    1. Re:mod_php security reduces functionality by vano2001 · · Score: 2, Interesting

      I still have to find *how* does one get secure user accessible (r/w/x) cgi-bin's per virtual host. Everybody seems to do it without any problems but it looks to me as if you simply cannot limit CGI access (r/w/x) to be only inside the user dir. The only methods I have thought are using XFS fs's ACL and security patches such as grsecurity and others...but even these are a pain. Having suexec and a user accessible cgi-bin won't help much when the user executes a binary doing "cat /etc/passwd".

  2. Re:The right tool for the job by DrSkwid · · Score: 5, Interesting

    I've been doing PHP development for nigh 6 years I think [since just after v4 was released]

    php is oft derided for "mixing data & presentation" because in the Learn php in 24 hours style books you get examples like :

    <?php

    if ($something) {
    ?>
    <html> etc ....
    <?php
    } else {
    ?>
    <html> otc....
    <?php

    }
    ?>

    which is really bad style.

    if you look through my [modern] code you would see something more like this simplistic example :

    <?php

    // full open tag: the short "<?" form depends on short_open_tag being enabled
    require_once 'html.class';
    require_once 'database.class';

    class page extends html {

        // pull every link out of the database and hand it to the html layer
        function add_links(&$db) {
            foreach ($db->get_links() as $url => $txt) {
                $this->add_href($url, $txt);
            }
        }
    }

    $p = new page();
    $db = new database('website');
    $p->add_links($db);
    echo $p->get();

    ?>

    which would generate a valid html page.
    Of course I've got the advantage of building up by database & html class over time but that's what re-usable code is all about 8)

    the thing that stands PHP apart from Perl is that the focus has been on Web development rather than a general purpose language [although recently development has added more command line functionality]. To this end the common things needed for web development are built into the distribution. Database access, IMAP access, treating http:// as a stream, etc.etc.

    To non-programmers PHP is the sort of thing that is easy to pick up, I know this from the people I have met that use it. All the examples around have generally been about generating web pages. Perl source code is legendary for its obscurity. PHP keeps things simple.

    It's not a perfect beast. Passing by reference can be awkward, requiring extra non-anonymous variables, and the ugly face of backward compatibility has meant that keywords & built-ins are inconsistent in name and parameter order.
    (
    In particular the original array manipulating functions are called stuff like count() whereas if that was introduced today it would be called array_count().

    parameter order is a subtle source of confusion

    consider
    strpos ("abcdef", "d")

    give me the position of "d" in "abcdef"

    and
    explode(" ", "hello world")

    split "hello world" using " "

    the subject of the function is reversed

    not a big deal but it often means a quick trip to the manual to find out which one it is this time.

    )

    If I was suggesting a programming language to learn programming PHP would not be it, Python or C or Limbo would be my suggestions there.

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
  3. Re:The right tool for the job by ooglek · · Score: 3, Interesting

    I think PHP is great, better than perl, for web-based programming. Perl is nice and powerful and all, but PHP was written AFAIK for web applications. It supports good, Perl-based RE string parsing, a file open function which supports URLs, and best of all, many of the functions that deal with HTML, databases and the web specifically are built-in. Such as "htmlentities()" which changes a string to HTML entities (& -> &amp;).

    Almost all the popular databases are supported (granted they are either dynamically loaded or compiled in). MySQL, Postgres, Sybase, Oracle, ODBC and others.

    Honestly, outside of the web applications, I don't see PHP as a strong language. But I do find PHP's speed and simplicity to be a strong point, and the fact that I can tune it and play with it so as to scale well makes me even happier about it. Plus, if well written, it's pretty secure. At least I've never had any problems with it being any more or less insecure than well-written Perl.
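An added example (not code from any commenter above) that ties DrSkwid's page/html/database sketch to ooglek's htmlentities() point: the html and database classes his snippet requires are assumed here as small stand-ins, the link rows are constructed rather than queried, and every value is entity-encoded on the way out so stored "&" or "<" cannot alter the markup.

```php
<?php
// Added example, not DrSkwid's code: stand-in html and database classes
// so his page class runs; the link rows are constructed, not queried.
class html
{
    private $body = array();
    // Every value is encoded on the way out, so an '&' or '<' stored in
    // the database cannot break the markup (htmlentities: & -> &amp;).
    public function add_href($url, $txt)
    {
        $this->body[] = sprintf('<a href="%s">%s</a>',
            htmlentities($url, ENT_QUOTES, 'UTF-8'),
            htmlentities($txt, ENT_QUOTES, 'UTF-8'));
    }

    public function get()
    {
        return "<!DOCTYPE html>\n<html><body>\n"
             . implode("\n", $this->body) . "\n</body></html>\n";
    }
}

class database
{
    // Constructed sample rows (url => link text) standing in for a query.
    private $name;
    private $links = array(
        'https://example.com/?a=1&b=2' => 'Search & browse',
        'https://example.com/docs'     => '<b>Docs</b>',
    );
    public function __construct($name) { $this->name = $name; }
    public function get_links() { return $this->links; }
}

class page extends html
{
    public function add_links($db)
    {
        foreach ($db->get_links() as $url => $txt) {
            $this->add_href($url, $txt);
        }
    }
}

$p  = new page();
$db = new database('website');
$p->add_links($db);
echo $p->get();
```

The second row is the interesting one: "<b>Docs</b>" comes out as literal text (&lt;b&gt;Docs&lt;/b&gt;) instead of a tag, which is exactly the property the html layer has to guarantee regardless of what the database hands it.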