[Cialug] OT: Ruby on Rails

Matthew Nuzum newz at bearfruit.org
Wed Aug 17 10:13:09 CDT 2011


On Wed, Aug 17, 2011 at 7:40 AM, Stuart Thiessen <thiessenstuart at aol.com> wrote:

> From recent emails, it seems that several encourage Ruby or Python over PHP
> for security reasons. Is Ruby that much more secure? How so?
>
> I work with a few websites for organizations I am a part of. So far, I have
> used PHP for most of what I have worked with. I just noticed that our
> provider (which previously only had Perl and PHP) now has Ruby available. I
> wish they had Python, but apparently not yet. So ... as someone who knows
> Perl, PHP, and Python, do any of you have suggestions on how I can leverage
> those skills to help me learn Ruby? I glanced at it once, but didn't pursue
> it because it wasn't available as a language our provider installed. What
> kinds of relearning did you experience with Ruby? Any best tutorials, books,
> or other resources for learning Ruby? I plan to do some googling today, but
> I also prefer to find out what others have experienced too.
>

Two different types of answers that work together here.

1. PHP has a bad rap from the security industry because the docs have in the
past encouraged some poor programming practices, and the security team,
instead of releasing security-only fixes, includes security fixes along with
feature enhancements rolled together in the same release. Therefore if
you're using PHP 4.3.2 and you've tested your software with it and you know
it works, then when a security problem pops up you have to upgrade to 4.3.3,
which may change the way your software works and possibly break it. This makes
people unhappy, and security pros tend to have to do a lot more work
backporting patches to stable versions.

2. PHP is low level. There's no templating built in, there's no abstraction,
there are no built-in protections to prevent you from shooting yourself in
the foot. If you build an app from scratch, which often means building a
framework of your own (even if it's just loosely throwing Smarty and ADOdb
and a few other pieces together), there is no one looking out for the
security and functionality of the end product but you.

Contrast that to Rails and Django (and CakePHP or CodeIgniter in the PHP
world) and you've got a whole team of people looking out for the security of
the underlying framework of your app. You'd probably use their
authentication system, which uses password hashing; their ORM, which provides
SQL injection protection; and their form library, which includes CSRF protection.
These are things that then provide a thick layer of security, often with
numerous developers and security professionals scrutinizing them carefully.

You do have to keep your framework up to date though. I strongly suggest
subscribing to the announcement list for your framework so that you get
instant notices when updates are available. Many will explain how serious
the need is to update. If you use add-ons then you should subscribe to their
announcement list too, and think carefully about using add-ons that don't
take seriously the task of keeping people informed. Also, I don't suggest
you install Rails or Django (or any framework) from your Linux
distribution's package manager. It will be old and out of date and you'll be
at the mercy of whoever the maintainer is. In Ubuntu, for example, you may
have to install from Universe and there is no promise that you'll get timely
updates.

Now about learning a framework, you should tell us how you learn. Do you
like books, videos, instructor training? Also, do you want to learn a new
language or would you like to try out frameworks in PHP? If you want to
stick with PHP then consider Cake, which is a Rails-like tool (i.e. follow
the conventions, get a lot for free), or CodeIgniter, which gives you a pile
of highly reusable tools that you stack together like Legos. They're both
great choices and you should consider them along with Django and Rails if
you decide to make a change.

-- 
Matthew Nuzum
newz2000 on freenode, skype, linkedin and twitter

♫ You're never fully dressed without a smile! ♫
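The three framework protections named in the post above (an ORM that parameterizes queries, an authentication layer that hashes passwords, and a form layer with CSRF tokens) written out by hand, as an added example that is not part of the original post or of Rails, Django, Cake or CodeIgniter. It is plain Python against the standard library so that it runs with no framework or web server installed; the table, the sample users, the session IDs and the secret key are all constructed for illustration, and the token scheme is a deliberately simplified version of what the real frameworks do.

```python
"""Hand-rolled versions of what a web framework's ORM, auth and form
layers give you for free. Added example, not code from the original post
or from any framework; every name and value below is constructed."""
import hashlib
import hmac
import os
import sqlite3

# --- 1. SQL injection: string concatenation vs. a parameterized query -------

def make_db():
    """In-memory SQLite database with two constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice-secret"), ("bob", "bob-secret")])
    return conn

def lookup_unsafe(conn, name):
    """The 'build the framework yourself' way: the caller's string becomes
    part of the SQL text, so a quote in it rewrites the WHERE clause."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name):
    """What an ORM emits for you: the value is bound by the driver as data
    and is never parsed as SQL, whatever characters it contains."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]

# --- 2. Password storage: per-user salt, slow hash, constant-time compare ---

PBKDF2_ROUNDS = 100_000  # assumption: tune to your hardware; more is slower for attackers too

def hash_password(password, salt=None):
    """Return 'salt$hash' in hex. A fresh random salt per user means two
    users with the same password get different stored values."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()

def verify_password(stored, candidate):
    """Recompute with the stored salt; compare_digest does not short-circuit,
    so timing does not reveal how many leading bytes matched."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)

# --- 3. CSRF token: bound to the session, checked on every state change ----

def csrf_token(secret_key, session_id):
    """A value only a page rendered for this session can carry. A third-party
    site can make the browser POST, but cannot read this token to include it."""
    return hmac.new(secret_key, session_id.encode(), "sha256").hexdigest()

def csrf_valid(secret_key, session_id, submitted):
    """Reject a form submission whose token is missing or belongs to
    another session."""
    expected = csrf_token(secret_key, session_id)
    return hmac.compare_digest(expected, submitted or "")

if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"          # constructed attacker input
    print("unsafe:", lookup_unsafe(db, payload))   # both users leak
    print("safe:  ", lookup_safe(db, payload))     # nothing matches
    stored = hash_password("correct horse")
    print("verify:", verify_password(stored, "correct horse"),
          verify_password(stored, "wrong"))
    key = b"constructed-secret-key"
    tok = csrf_token(key, "session-1")
    print("csrf:  ", csrf_valid(key, "session-1", tok),
          csrf_valid(key, "session-2", tok))
```

Run it as a script to see the injected `' OR '1'='1` return every row from `lookup_unsafe` and nothing from `lookup_safe`; that difference is the whole of what "the ORM provides SQL injection protection" means, and the same holds for the hashing and token checks, which a framework applies on every login and every form without you having to remember to.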