This is my first post here and this sub-forum seems to be adequate for my question. If it is not, I apologize in advance.
I want to create a web application for an upcoming project of mine that has the potential to attract a large number of people. So the web application needs to be fast and secure at the same time.
I have used PHP for minor projects for some time now, and although it is really efficient for quick web development, it _appears_ to me like a house of cards waiting to collapse. If you know how to use it properly, it can be acceptable, but there are still numerous security exploits in PHP itself that have surfaced over the last decade. Additionally, it tends to be quite slow and has a lot of bugs that aren't really security related, but can make your life hard. I've run test scripts (that I optimized for web deployment) on my own computer, and even on my own computer, which is way faster (in terms of CPU speed, number of cores, RAM, and so on) than most servers, it runs slowly--without any database access! And I honestly don't buy the "your server will spend most of its time in your database anyway, so don't worry about that" statements. I've tested it with databases that have millions of rows in them, and coded a test script that accesses the table and then calculates stuff from that and outputs it. If I comment out the database access, the time needed to execute the script is only marginally reduced. I observed the same in my other projects. I also used Python and the problem seems to be the same.
Now, before the PHP/Python fanboy crowd yells at me: "Google uses Python and Wikipedia uses PHP, too". Yes, I know. But they have a lot of money to throw at the problem and can easily add new hardware if needed (Wikipedia alone has collected over 6m USD in the last year from donations). And a Wikipedia staff member I talked to a while ago told me that it's a miracle that Wikipedia is still running given that it is written in PHP with all its security problems (not my words).
So I thought: why not use a compiled language?
The obvious advantages would be that it is faster, and that I can leave out all the junk that is not needed in my case, thereby decreasing the chance of badly written code running in memory.
I have coded in C and C++ for a long time, including security-critical applications. So I absolutely know how hard it can be to write really secure applications, but I think it is also fair to say that I know how to minimize the risk of buffer overflows, validate user input properly, and so on. I often force myself to review my code some time later, in order to spot coding mistakes that you just won't see the first time. Additionally, I've created a neat string library around the standard library that makes string manipulation as easy as in PHP or Python.
So I continued my thinking: why not use C/C++ for your web applications and 'somehow' interface them with your web server?
And that's the problem--the 'somehow interface'. I don't know what to use that won't be deprecated in like 5-10 years from now. CGI seems to be quite okay, but I heard there's a huge overhead due to loading the executable into memory each time a user requests a page. FastCGI seems to be a better solution, but is not as widely supported.
My question is: What interface should I use if I want my web apps to be compiled? CGI, FastCGI, what else? The interface needs to be supported into the far future, it needs to be efficient and fast. And there's also one more important factor: time. Coding the application itself is an acceptable time loss, but if I can only run the app on a dedicated server and have to manage the whole server myself, this can become quite cumbersome. I'd really like to use a solution that can be run on a managed server.
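The plain CGI route the question asks about, as an added example that is not part of the original post: a C++ CGI program that takes the request from the environment variables the CGI specification defines (REQUEST_METHOD, QUERY_STRING, CONTENT_LENGTH), caps the body it will read, percent-decodes strictly (a malformed escape is a 400, not a guess), and HTML-escapes what it echoes back. The 64 KiB body cap, the `name` parameter and the response text are assumptions made for the example.

```cpp
// Added example, not code from the thread: a CGI program in C++ that takes the
// request from the environment variables the CGI spec defines and treats every
// byte as untrusted (bounded body, strict percent-decoding, HTML-escaped output).
#include <cstdio>
#include <cstdlib>
#include <iostream>
#include <map>
#include <string>

static const size_t kMaxBodyBytes = 64 * 1024;   // assumed cap for POST bodies

static int hexVal(char c) {                      // -1 if c is not a hex digit
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Decode x-www-form-urlencoded text. A truncated or non-hex escape is an error,
// not something to guess around: the caller answers 400 instead.
bool urlDecode(const std::string& in, std::string& out) {
    out.clear();
    for (size_t i = 0; i < in.size(); ++i) {
        char c = in[i];
        if (c == '+') { out.push_back(' '); continue; }
        if (c != '%') { out.push_back(c); continue; }
        if (i + 2 >= in.size()) return false;
        int hi = hexVal(in[i + 1]), lo = hexVal(in[i + 2]);
        if (hi < 0 || lo < 0) return false;
        out.push_back(static_cast<char>(hi * 16 + lo));
        i += 2;
    }
    return true;
}

// Split "a=1&b=2" into a map; the first value of a repeated key wins.
bool parseQuery(const std::string& query, std::map<std::string, std::string>& params) {
    params.clear();
    size_t start = 0;
    while (start <= query.size()) {
        size_t amp = query.find('&', start);
        if (amp == std::string::npos) amp = query.size();
        std::string pair = query.substr(start, amp - start);
        if (!pair.empty()) {
            size_t eq = pair.find('=');
            std::string k, v;
            if (!urlDecode(pair.substr(0, eq), k)) return false;
            if (eq != std::string::npos && !urlDecode(pair.substr(eq + 1), v)) return false;
            params.insert(std::make_pair(k, v));
        }
        start = amp + 1;
    }
    return true;
}

// Escape text before placing it in an HTML body (reflected XSS otherwise).
std::string htmlEscape(const std::string& s) {
    std::string out;
    for (size_t i = 0; i < s.size(); ++i) {
        switch (s[i]) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out.push_back(s[i]);
        }
    }
    return out;
}

// Whole CGI response (header lines, blank line, body) for one request. The CGI
// variables are parameters so the logic can be tested without a web server.
std::string handleRequest(const std::string& method, const std::string& query,
                          const std::string& body) {
    const std::string head = "Content-Type: text/html; charset=utf-8\r\n";
    const std::string* src = &query;
    if (method == "POST") {
        if (body.size() > kMaxBodyBytes) return "Status: 413 Payload Too Large\r\n" + head + "\r\n";
        src = &body;
    } else if (method != "GET") {
        return "Status: 405 Method Not Allowed\r\n" + head + "\r\n";
    }
    std::map<std::string, std::string> params;
    if (!parseQuery(*src, params)) return "Status: 400 Bad Request\r\n" + head + "\r\n";
    std::map<std::string, std::string>::const_iterator it = params.find("name");
    std::string name = (it == params.end()) ? std::string("stranger") : it->second;
    return head + "\r\n<p>Hello, " + htmlEscape(name) + "</p>\n";
}

int main() {
    const char* method = std::getenv("REQUEST_METHOD");
    const char* query = std::getenv("QUERY_STRING");
    const char* clen = std::getenv("CONTENT_LENGTH");
    std::string body;
    if (clen) {                                  // read at most kMaxBodyBytes of stdin
        char* end = 0;
        unsigned long n = std::strtoul(clen, &end, 10);
        if (*end != '\0' || n > kMaxBodyBytes) { std::cout << "Status: 413 Payload Too Large\r\n\r\n"; return 0; }
        body.resize(n);
        if (n > 0) body.resize(std::fread(&body[0], 1, n, stdin));
    }
    std::cout << handleRequest(method ? method : "GET", query ? query : "", body);
    return 0;
}
```

Compile it, drop the binary in the server's cgi-bin directory, and the web server runs one process per request; the per-request fork/exec cost is the overhead the question mentions, and the same handleRequest logic can be reused unchanged behind a FastCGI loop later, since only the transport of the CGI variables differs.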
First off, any language you program your application in is going to have security problems, whether it is Java, Python or PHP; all of them can be compromised if your programmer can't write good code. As for actual holes in the programming language, I have my doubts about what you think when you say "numerous" exploits.
You may want to dabble in Webtoolkit: http://www.webtoolkit.eu/wt. I'd personally go with PHP, as it's an excellent language for web applications.
I'm also having a hard time understanding your slowness when deploying PHP locally. Perhaps the application you are trying to build should not really be a web application, and you should instead look for a server application and a web front-end to interact with it. I've built PHP apps, with heavy DB work, inner joins and all that, on virtual private servers as a test environment, and I could do hundreds of requests per second, with optimizations performed (web server & MySQL). As a side note: unless you're a guru, do not optimize your PHP code; try to keep it readable and easy to expand.
I have to agree with much of what cristibighea says. There are going to be problems with any languages. If they were perfect and never had any issues then there wouldn't be minor revisions and updates.
Just like PHP may have bugs that get patched, so do MySQL, Apache, the Linux kernels themselves, and every other part of a computer. Programs are designed and implemented by people, and people are not perfect and as such are going to introduce problems and exploits unknowingly until they are discovered and fixed.
As for compiled code - I'm not personally aware of any web servers that will execute compiled code - and definitely not in a shared environment. There is no telling what the compiled code may be doing and it would be very easy to introduce something into a system that is malicious if it were compiled as opposed to interpreted - or at least that's how I see it.
As for what you should write it in - I would suggest using whatever you are most comfortable with and then make sure to test, test, test, test, test, and test your end result. Test every function to make sure that it returns good data and that it never returns anything you don't want it to - toss it bad information and try to make it go wrong so that you can see what happens and prevent it.
Don't confuse the use of PHP itself with simply using PHP to interface to something else. Many large companies use shared objects to do what they want on the back end; PHP on the 'web' side just interfaces to it.
A more obvious example would be using indexed search (e.g. maybe using sphinx), where PHP only interfaces to it, and then subsequently simply selecting items from a mysql db - why bother actually searching a very large mysql db directly as it'd just waste time.
Another example could be adserver software written in C/C++, with most of the delivery data residing in shared memory - very common, and here again PHP or whatever just interfaces to the C/C++ code etc.
This confuses me. Obviously it isn't smart to have a system (account) controlled executable providing execution commands via a web server scripting language...
Why not use networking? I mean, is there not a way in PHP to perform TCP (UDP at least..) communication on a specific port on localhost? Then use a C++ executable to listen for communication, and do its business?
I mean that makes sense to me, I suppose it's just a matter of what server-side language (web server) supports such a thing?
Any comments or suggestions appreciated, I also am looking for an answer to this.
Yeah, just googled it...
http://www.codewalkers.com/c/a/Miscellaneous-Code/PHP-TCP-UDP-Network-Client-Class-w-Example/
Change the port, specify localhost, and send some strings to C++:
http://bytes.com/topic/c-sharp/answers/719160-tcp-listen-port-multiple-connections
Seems like the perfect answer to me. Do correct me if wrong, I'm going to start on this though anyway, sounds like fun
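The C++ side of the "PHP talks to a local daemon over TCP" idea above, as an added example that is not code from this thread. The wire protocol is an assumption: each message is a 4-byte big-endian length followed by that many bytes, and the first message on a connection must be `AUTH <shared token>`, since binding to 127.0.0.1 only limits who can reach the port, not who can speak to it (any other process or tenant on the same box can connect). The token, port 9123, the `LOOKUP` command and the lookup table are all constructed for the example.

```cpp
// Added example, not code from the thread: the C++ side of a PHP -> localhost
// TCP -> C++ daemon setup. Protocol (an assumption): each message is a 4-byte
// big-endian length plus that many bytes; the first message on a connection must
// be "AUTH <shared token>", because "only localhost" is not access control on a
// shared machine. After that, "LOOKUP <key>" is answered from a constructed table.
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

static const uint32_t kMaxFrame = 1 << 20;                          // assumed cap: 1 MiB per message
static const char* kSharedToken = "replace-me-with-a-random-secret"; // assumed; read from config in practice

// Incremental decoder: feed() whatever recv() returned, drain frames with next().
// A length over kMaxFrame poisons the stream so a client cannot make the server
// buffer arbitrary amounts of memory while waiting for the rest of a "frame".
class FrameDecoder {
public:
    FrameDecoder() : fatal_(false) {}
    void feed(const char* data, size_t n) { buf_.insert(buf_.end(), data, data + n); }
    bool fatal() const { return fatal_; }
    bool next(std::string& frame) {
        if (fatal_ || buf_.size() < 4) return false;
        uint32_t len = 0;
        for (int i = 0; i < 4; ++i) len = (len << 8) | uint8_t(buf_[i]);
        if (len > kMaxFrame) { fatal_ = true; return false; }
        if (buf_.size() < 4 + size_t(len)) return false;           // need more bytes
        frame.assign(buf_.begin() + 4, buf_.begin() + 4 + len);
        buf_.erase(buf_.begin(), buf_.begin() + 4 + len);
        return true;
    }
private:
    std::vector<char> buf_;
    bool fatal_;
};

std::string encodeFrame(const std::string& body) {                  // same framing for replies
    uint32_t len = static_cast<uint32_t>(body.size());
    std::string out;
    for (int shift = 24; shift >= 0; shift -= 8) out.push_back(char(len >> shift));
    return out + body;
}

static const std::map<std::string, std::string>& table() {          // constructed sample data
    static std::map<std::string, std::string> t;
    if (t.empty()) { t["ad42"] = "https://example.com/banner42"; t["ad7"] = "https://example.com/banner7"; }
    return t;
}

// Per-connection state: nothing but AUTH is accepted until the token matches.
class Session {
public:
    Session() : authed_(false) {}
    std::string handle(const std::string& msg) {
        if (!authed_) {
            if (msg.compare(0, 5, "AUTH ") == 0 && constantTimeEq(msg.substr(5), kSharedToken)) {
                authed_ = true;
                return "OK";
            }
            return "ERR unauthenticated";
        }
        if (msg.compare(0, 7, "LOOKUP ") == 0) {
            std::map<std::string, std::string>::const_iterator it = table().find(msg.substr(7));
            if (it == table().end()) return "ERR not found";
            return "OK " + it->second;
        }
        return "ERR unknown command";
    }
private:
    static bool constantTimeEq(const std::string& a, const std::string& b) {   // no early exit on mismatch
        if (a.size() != b.size()) return false;
        unsigned char diff = 0;
        for (size_t i = 0; i < a.size(); ++i) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    bool authed_;
};

int main() {                                                        // one client at a time, loopback only
    int srv = socket(AF_INET, SOCK_STREAM, 0);
    if (srv < 0) return 1;
    int one = 1;
    setsockopt(srv, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
    sockaddr_in addr = {};
    addr.sin_family = AF_INET;
    addr.sin_port = htons(9123);                                    // assumed port
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);                  // 127.0.0.1 only
    if (bind(srv, (sockaddr*)&addr, sizeof(addr)) < 0 || listen(srv, 16) < 0) return 1;
    for (;;) {
        int c = accept(srv, 0, 0);
        if (c < 0) continue;
        Session s; FrameDecoder dec; std::string frame; char tmp[4096];
        for (;;) {
            ssize_t n = recv(c, tmp, sizeof(tmp), 0);
            if (n <= 0) break;
            dec.feed(tmp, size_t(n));
            while (dec.next(frame)) {
                std::string reply = encodeFrame(s.handle(frame));
                if (send(c, reply.data(), reply.size(), 0) < 0) break;   // short writes not retried here
            }
            if (dec.fatal()) break;                                  // drop clients sending oversize frames
        }
        close(c);
    }
}
```

On the PHP side the matching framing is `pack('N', strlen($msg)) . $msg` written to an `fsockopen('127.0.0.1', 9123)` stream, and the reply is read the same way: four bytes of length, then the body. The decoder is deliberately testable without sockets, because the cases that matter (a frame split across two reads, two frames in one read, a hostile length field) are the ones a live demo against a cooperative client never exercises.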
On the compiled code thing - there are tons of compiled code running behind apache - typically these are shared objects, run as apache handlers. Pretty commonplace, and there's several ancient do-it-yourself books around on how to write/compile handlers for apache. Search for 'apache' and 'modules' at amazon. Or check out: http://oreilly.com/catalog/9781565925670
Nothing is too difficult - the hard thing is finding something which hasn't already been done.
For example, imagine two webservers, running php/apache. How to talk behind the scenes to another server running some compiled C programs, and handle queuing, redundancy (if adding more servers)? Probably just use 'gearman' to manage it all.
Google for 'gearman' and you're almost there!