aristAugust has asked for the wisdom of the Perl Monks concerning the following question:

Hello Monks, I was wondering if anyone had any wisdom about which is better to use for a secure site with a MySQL database: either CGI.pm + DBI + Apache::Session, and create the security mechanism, or use PHP pages and use its session implementation with Perl on the backend. The catch is that I need to use some Perl coding in the back end to manipulate images and other things, so I am unsure about a 'PHP with a Perl for backend stuff' implementation. Has anyone had any success with either method? Is PHP worth it? If so, how are Perl scripts called from PHP?

aristAugust
Bioinformatics Consultant

Re: CGI.pm+DBI.pm+Apache::Sessions or Php?
by Aristotle (Chancellor) on Jan 19, 2003 at 17:12 UTC
    If you already need Perl for the backend, there's little reason not to use it for the frontend as well. Security is not directly related to either; you can write both secure and insecure sites either way. merlyn's Basic cookie management column explains a good technique for managing sessions properly.

    Makeshifts last the longest.

Secure websites: https/ssl and perl/php
by Coruscate (Sexton) on Jan 19, 2003 at 21:34 UTC

    ... which is better to use for a secure site... [perl stuff / PHP stuff]

    It depends on what your definition of a 'secure site' is. If you mean something that might handle credit card numbers or another objective that requires a higher security level, then neither perl nor php alone will suffice. Text is passed from the client to the server in broad daylight, meaning that the text can be grabbed anywhere along the way to the server. To fix this, you should immediately consider using the https protocol (a secure http protocol) if the data passing between client/server must be hidden from prying eyes.

    If you meant 'security' as far as making sure that the person accessing the server is the person you think they are, then I suppose either solution (that of perl or php) would suffice. If you are already using perl for backend purposes, there is no reason to crawl towards php. CGI, DBI and Apache::Session would do, though I might suggest MD5 for the creation of session IDs. As already mentioned, merlyn's column on the proper use of cookies and session management is an excellent source of good advice on how to do things the right way. That column (like so many of merlyn's) is worth a read or two (or three).

      MD5 isn't meant for use in new development. Use SHA1 instead. There was a recent thread on the secure development list on security focus. MD5 is "safe" for today but there are questions about the near future.


      Seeking Green geeks in Minnesota

Re: CGI.pm+DBI.pm+Apache::Sessions or Php?
by ignatz (Vicar) on Jan 20, 2003 at 11:39 UTC
    Try not to mix your peas and mashed potatoes if you can help it. If you need Perl, use Perl. If you go down a pure Perl route, I'd explore more sophisticated modules than CGI.pm for the front end, such as HTML::Mason or Template::Toolkit.

    If you go down the PHP route, make sure that you read the comments within the php.ini file for your installed version. Up till recently the default configuration was rather insecure.

    ()-()
     \"/
      `
    
Re: CGI.pm+DBI.pm+Apache::Sessions or Php?
by pdcawley (Hermit) on Jan 19, 2003 at 22:42 UTC
    What's your skills mix? Are you going to have to learn PHP to implement anything with it? Do you have a couple of designers who know PHP but no Perl? The answers to these, and questions like 'em should help guide your choice.
Re: CGI.pm+DBI.pm+Apache::Sessions or Php?
by Notromda (Pilgrim) on Jan 21, 2003 at 17:36 UTC
    Apache::ASP rocks. Before anyone flames, go take a serious look at it first, 'k? It handles session data and creation automatically, runs under mod_perl for performance. This takes the best parts of php and asp, and uses perl as the main language. http://www.apache-asp.org/