Using Python instead of PHP

[H4CK3R]

I want to start writing more server side suff (I don't like using out of the box solutions like SMF) however I have a few problems, almost all of which are PHP.

1: PHP is a disaster when it comes to security. (following @comex and @i0n1c on twitter had made me hate it)
2: No one seems to like.
3: from what I can tell the only reason it's the dominate language used on the web is because it's the main language used on the web.
4: I don't want learn it.

So I looked around for another language and this caught my eye:

@marco_org YouTube first used PHP, but early on, we ported all code to Python while growing quickly; one of the best tech decisions we made.

I've heard lots of you mention python and, despite @DHowett thinking it is the most hateful thing ever, I think I might like it.

However I can't seem to find any details on how to setup python on your hosting account or how Python web development is meant to work really. So I was wondering if anyone had any experience in using Python for web development?

[Apetrick]

Well python is a really cool and easy language to learn. Since you allready know a few languages youll probably feel right at home learning it. I have no clue on how to set it up but what im thinking is you just download python and set it up on your server. Ive seen something on here that you could make an ebtire app in python so you probably could make a website.

[A3MIRAL]

Php ftw

I think the only reason php is a "security disaster" is similar to windows security problems - hackers attack the most common form of one thing. Windows is the most common OS and php is the most common server side language.

[C0deH4cker]

Luckily for you i wrote a simple python cgi example back around december as a POC for something i was working on. Heres a link:

https://ininjas.com/devteam/iMalic/RPS_Web.tgz

[C0deH4cker]

It can be improved of course.

[Almost]

Ok gotta react, since I'm a fan of PHP

1: PHP is a disaster when it comes to security. (following @comex and @i0n1c on twitter had made me hate it)

The big problem with PHP and security is that many people, by virtue of it being easy, with no clue of security, throw together some half-understood scripts and call it a day (or a website, actually). Since PHP is widely used this means many leaky PHP sites exist. On the other hand, if you know what you are doing, PHP is just as safe as any other language.

Gonna follow those two Twitters, who'll know.

2: No one seems to like.
3: from what I can tell the only reason it's the dominate language used on the web is because it's the main language used on the web.
4: I don't want learn it.

Yeah, not real problems right ? I think many people like PHP (although that's no reason to use it), but that's like always just a matter of taste. It is one of the most-used languages, doesn't that make it dominate by def? In any case it ensures lots of tutorials to exist, sadly most of which are bad. Maybe it's best just to choose something you're already familiar with and for which you can find enough resources to learn it properly.

[H4CK3R]

No the security thing is more like if Microsoft waited 2 years before fixing a bug being widely exploited in the wild and then introduced 2 more holes when they patched it.
i0n1c rips the PHP debs apart on every change they make. He actually contributes some things to the PHP source but they take about a year to add them. + I seem to remember they disabled a sort of sandbox wrapper around PHP that helped with its security.i can't remember what it was but he basically said to not update to that one as it'd change the security from bad to disaster.

Follow him on twitter for a while and you'll see: 1, he hates the JB masses that demand he release his JB; 2, that you come away from it believing PHP is developed my people that have bought but not opened, the beginners guide to security.
Another thing I found out is that PHP doesn't seem to have an official standard. It converts/compiles the PHP files into byte code (like other scripting languages) but each implementation does it slightly differently as there is no PHP spec for these. That also means they can't be shared and the compiling process can't be safely cached and had other performance improvements made to it.

Just pointing out that the security situation, as I believe it to be, like with Windows. My opinion hasn't just been formed by @i0n1c it's just he's the most consistently vocal and so would I need to quote someone it's pretty safe to assume he's the one that said x or y.


I might have liked the language like you do, I may still have to learn it at some point. However I've seen so many complaints about it & now view it's security as so disastrous I would never really trust it for one of my own projects.

[H4CK3R]

Luckily for you i wrote a simple python cgi example back around december as a POC for something i was working on. Heres a link:

https://ininjas.com/devteam/iMalic/RPS_Web.tgz

Thanks, I'll have a look at this!

[Almost]

Sound like some valid points, I'll have to look into it deeper. All comes across somewhat incoherent though, but I cannot blame you for that since you didn't work with the language. What 2 year old bug do you refer to? I agree some updates were bad (the whole cgi -s debacle for example) but that can happen everywhere, I think, and they patched it within days.

+ I seem to remember they disabled a sort of sandbox wrapper around PHP that helped with its security.i can't remember what it was but he basically said to not update to that one as it'd change the security from bad to disaster.

That'll be safe mode, which actually was a terrible idea. Finally removing this improved security, as the safe mode provided a false sense of safety to both hosters and programmers who didn't know what the **** they were doing. Now you actually have to configure your system before opening it to the world... I really think PHP has matured since they removed stuff like safe mode and magic quotes, both terrible solutions to prevent bad scripters from failing too obviously, underwhile leaving the security holes (although smaller) the programmers left in. So IMHO not to upgrade is terrible advice!

You should remember that the most exploited PHP security holes are SQL Injection, XSS, shell execution and file inclusion. All those are language-independent and can be easily prevented.

[Trcx528]

If you want a quick, rapid development setup look at django, they walk you through creating your first site, adding buttons, and a management interface.  Honestly django is amazing, but I don't think you would like it, as it automates much manual work.  However the beauty of it is that since django is all python you can take apart the source and look at how it works. 

[Apetrick]

So its a language built in another language thats pretty cool but wouldnt that sliw runttime since it has to go tbrough both django and python?

[C0deH4cker]

Django isnt a language, its a module for python. You still write it in python, you just use their helper functions/classes etc.

[Apetrick]

O ok i see.