Here is an interesting Apache article worth taking the time to look at. It provides information and details on how to secure dynamic content on an Apache Web server. Topics covered include general security issues pertaining to dynamic content, securing Server Side Includes, configuring the Apache Common Gateway Interface, and wrappering dynamic content.
Apache Dynamic Content Security
Submitted by Jeff 2002-09-12 Internet 10 Comments
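As an added illustration of the three topics the summary lists (securing Server Side Includes, configuring CGI, and wrappering dynamic content with suexec), here is an Apache configuration with the weak settings shown beside the hardened ones. This is an added example, not the article's own configuration; it uses Apache 2.4 directive syntax, and the paths, user name and group name in it are hypothetical.

```apache
# Added example, not from the article. Assumed layout (hypothetical):
#   document root  /var/www/htdocs
#   CGI directory  /var/www/cgi-bin   (outside the document root)
#   site owner     webuser:webgroup   (used by suexec)

# --- Weak: SSI with exec, and CGI runnable anywhere under the document root ---
# <Directory "/var/www/htdocs">
#     Options Includes ExecCGI
#     AddHandler cgi-script .cgi .pl
#     AllowOverride All
# </Directory>
# With this, anyone who can write a page under htdocs can run shell commands
# via <!--#exec cmd="..." -->, any uploaded .cgi/.pl file executes as the
# server user, and a per-directory .htaccess can widen these Options further.

# --- Hardened ---
<Directory "/var/www/htdocs">
    # Keep SSI, but disable the #exec element (both cmd= and cgi=).
    # #include virtual of a script under a ScriptAlias directory still works.
    Options IncludesNOEXEC
    # Parse only .shtml files for SSI instead of every .html file.
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    # Do not let .htaccess files re-enable ExecCGI or full Includes.
    AllowOverride None
    Require all granted
</Directory>

# CGI lives in exactly one directory that is not under the document root,
# so scripts cannot be served as source and stray files under htdocs
# never execute. No AddHandler cgi-script is needed for a ScriptAlias dir.
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    Options None
    AllowOverride None
    Require all granted
</Directory>

# Wrappering: run this site's CGI and SSI-invoked scripts as the site owner
# rather than the server user. Requires httpd built with suexec support;
# suexec refuses scripts whose directory or file is writable by anyone else
# or owned by another user, so ownership on /var/www/cgi-bin must match.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/var/www/htdocs"
    SuexecUserGroup webuser webgroup
</VirtualHost>
```

On Apache 2.0 and 2.2 the `Require all granted` lines become `Order allow,deny` followed by `Allow from all`; `IncludesNOEXEC`, `ScriptAlias` and `SuexecUserGroup` are unchanged. After editing, `apachectl configtest` checks the syntax, and a quick way to confirm the SSI restriction took effect is to request a test .shtml page containing an `<!--#exec cmd="id" -->` element and verify that the server returns an "[an error occurred while processing this directive]" marker instead of the command's output.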
Nothing really new here.
But I would recommend it for anyone just starting in the area of webserver security.
“Dynamic content”, “Server Side Includes” and “Common Gateway Interface”? Is this 1995? We have things like PHP, Zope and mod_perl these days. Sheesh!
If it works, why fix it?
The concepts and configuration methods employed by Apache are still unchanged from what they were years ago, for the most part.
I know as a php developer, it’s invaluable to me to glean as much information as possible about the working environment as I can.
CGI is old school and nobody NEEDs it anymore…. and “wrappering dynamic content” … Ever heard of a “Database”???
What do databases have to do with obviating CGI? This statement sounds like a dilettante (or know-not) trying to play the expert. Come back after you’ve built out a few dynamically generated web sites, and see if the above statement makes any sense.
As for old school vs. new school, it is purely a matter of developer familiarity, not functionality. It can be argued that Perl CGI, properly coded, is more secure than all these other goodies we have available today. I, for one, do not trust PHP with my content, but that’s a purely personal decision. Those who know better may disagree.
For DB access, I trust hand-written C code, and I like calling it from SSI. Yeah, it’s pretty 1995, but my stuff didn’t get hacked back then, either.
… as to why you don’t like php for content control.
It seems to be pretty tight in regards to file and database control.
I admit, an improperly written php script/module is easy to play with, but that’s true with any programming language where variables are exposed to the public.
I’m interested in hearing your personal reasons, if you don’t mind.
CGI is sometimes the only option available when you’re working for a client and their trusted webhost of X years still doesn’t support any of the modern technologies like PHP,
or when you need to make a portable web interface. Nothing can really beat Perl CGI scripts for portability… they’ll run with little or no modification on damn near any server.
It seems that you have no idea what you’re talking about.
It’s simply a matter of preference and the right tool for the job.
I was pretty excited about PHP once, it showed great promise, so I learned it, but I found that I was much more flexible and confident with Perl.
I’m not saying that PHP is bad, because it’s not. I just prefer Perl.
And I prefer to separate page formatting and scripting, just as I want to separate page formatting and looks (CSS). It’s so much easier to work that way IMO, especially if you’re a team.
You can even use embedded Perl code in your HTML pages just like PHP; it’s called Embperl. http://perl.apache.org/embperl/
I use it every now and then, but I prefer regular CGI most of the time, ’cause it helps keep things clean and modular.
Just because a technique is older doesn’t mean that it’s outdated or worse than the new ones. To me it’s all about alternatives and flexibility.
Well, perhaps I am a little scared off from PHP by the daily PHP security alerts that pop up every week it seems. While I don’t suppose that my own code is any more secure, I feel a certain comfort knowing that if there IS a problem, it’s in my code, not in someone else’s.
Besides, I find that one can implement kick-butt dynamic content with a very minimal set of functionalities. For this, I’d rather write a streamlined native-code executable than rely on a “Swiss Army knife.” While very powerful and easily capable of doing what I want, I feel that perhaps PHP is too much functionality that I don’t need. In many ways I feel the same way about Perl.
So I use C and SSI. That might be silly (and probably is, considering web development is not now, never was, and never will be my professional career), but I’m comfy with it.
As for PHP and other 4th gen. languages, I urge everyone who knows and appreciates those tools to keep on keepin’ on. But let us old sk00l fog33z use our olden ways of Perl and C. They still work.
Just for the record, I’d like to list the last 7 release dates for php, as from their php.net site.
Considering that php has been around far less than perl, cgi, or most other prominent web languages, it’s nice to see how far along it actually is today.
Combine the flexibility and ease of use for new programmers with the Zend engine, and things start to get interesting.
Here’s the list:
September 6, 2002 – 4.2.3 released, titled as mostly bug fixes, especially for the Windows platform.
July 9, 2002 – 4.2.2 released, in response to security vulnerability in versions 4.2.0 and 4.2.1. Vulnerability can be found here: http://www.php.net/release_4_2_2.php
May 13, 2002 – 4.2.1 released, mostly bug fixes, and a major upgrade to the DomXML extension.
April 22, 2002 – 4.2.0 released, with over a hundred bug fixes and improvements, and cleanups in variable handling, etc.
March 12, 2002 – 4.1.2 released for the Windows platform only, with a bugfix for the Windows platform only.
February 27, 2002 – 4.1.2 released, except for the Windows platform. This is a security update, with details here: http://security.e-matters.de/advisories/012002.html
December 10, 2001 – 4.1.0 released, with highly-improved performance, more security friendly form variables, and nice features such as output compression.
I could go back further, but you see a trend emerging already. The average time between releases is 37.5 days, roughly, which is far more than every other week.
Thanks for reading my rather long post. I just wanted to provide some information that maybe people weren’t aware of. I strongly believe php is a great tool for what is emerging to be the future of computing: online interfaces to corporate and personal infrastructures of data management. Sounds almost like .NET I know, but without the crap that microsoft is sure to force on you.
Have fun.. happy computing!
Avid BeOS User.