skittles_of_SDC

Any back end web programmers out there?


I didn't mean for him to use an IDE like dreamweaver or frontpage. Those generally create trash code that takes more time to clean up than just to do it manually. I also wasn't trying to make PHP out to be an insecure language, PHP has been proven many times over that it is a secure language, but PHP alone isn't what he needs. A new user should never roll out their own authentication system, ever. Here is my thought process, maybe I should have explained my points more clearly.



A: Needs Users/Authentication

1: Needs a way to allow, User A and only User A edit content that User A posted.


The TurboGears Software has these tools available. It uses Repoze.what and Repoze.who to set up the users, hashes + salts the passwords, and allows the developer to set up predicates to allow/deny function access. I can easily put "@require not_anonymous" at the beginning of a function to make a user log in; it will handle the session data, database lookup, login page, and redirection to the last page after login. Yes, programmers should know how this is done, but new/most programmers, from what I can tell, will find a way to mess it up. Repoze.* has been thoroughly tested for vulnerabilities; I consider it a good alternative to trying to roll out a custom auth system, and it also saves a lot of time. Custom tables that hold info about profiles can easily be attached to the user table without compromising the security offered by repoze.



B: Be AJAX friendly and all of the other web 2.0 stuff that people want.

1: dojo.xhrGET and dojo.xhrPOST, javascript functions that will convert your outgoing data into Unicode and package it up into a JSON message (like XML but quicker according to some)

2: The Dijit library in Dojo will allow the programmer to take advantage of things that he will probably not be able/want to code himself, such as complex FX effects(slides, fade, dim, tabs, resizable and movable JS popups, trees, form validation, etc). Most new programmers will turn to unknown third parties to get these effects. If you are using Dojo for the site, you know that it can be trusted, and that the code will not conflict with other code being used.



C: Database stuff

1: I will probably catch flak for this, but writing out the raw SQL + connection code is just tedious. If the platform allows, tools like SQLAlchemy allow the programmer to keep the same syntax and code if they want to switch to a new DBMS on a whim (MySQL > PostGres > Oracle). It also creates Python objects out of query results, and queries can also be tied into the repoze.* data (once again something that most programmers should stay hands off on). Sample query: items = DBSession.query(table).filter(something.id == whatever).all(), that's it, it will query, return, and package in one line. The use of model files to build the database is something that can be unfamiliar at first, but it is scary how much time can be saved if you ever want to change anything; you can also turn your tables into nifty Python objects for easy referencing.



At the end Python might not be right for everybody, but choosing PHP because it is what everybody uses is just silly. LAMP proved to be a great system, but systems like Django and TurboGears are a viable alternative. Side note: if you do go with PHP, as of PHP 6.0 "magic quotes" will no longer exist; that PHP book from a couple of years ago that you mentioned will probably talk about them, just ignore anything you see about it.

PHP by itself is not necessarily a secure language. It's no more secure than any other high level language. All languages offer the programmer ample opportunity to code in security flaws. But, suggesting that a new programmer use pre-built libraries and CMS's with tons of publicly available and exploitable code to setup their website is wrong.

Quote

I didn't mean for him to use an IDE like dreamweaver or frontpage. Those generally create trash code that takes more time to clean up than just to do it manually.



As do most, if not all CMS's.

Quote

The TurboGears Software has these tools available. It uses Repoze.what and Repoze.who to setup the users, hashes + salts the passwords, and allows the developer to set up predicates to allow/deny function access.



That can be done with a call to MD5 and an IF statement on a $_SESSION variable.

Quote

1: dojo.xhrGET and dojo.xhrPOST, javascript functions that will convert your outgoing data into Unicode and package it up into a JSON message (like XML but quicker according to some)



Awesome .. It knows the PHP unicode_decode function. I'm not sure how that is even relevant in the scope of this thread, but ok.

Quote

The Dijit library in Dojo will allow the programmer to take advantage of things that he will probably not be able/want to code himself, such as complex FX effects(slides, fade, dim, tabs, resizable and movable JS popups, trees, form validation, etc)



Using Javascript for form validation is simply wrong, and is in no way secure.

Quote

but writing out the raw SQL + connection code is just tedious. If the platform allows, tools like SQLAlchemy allows the programmer to keep the same syntax and code if they want to switch to a new DBMS on a whim



An SQL query is the same no matter what SQL DBMS you use. Granted there are slight syntactical differences, but "SELECT * FROM my_table;" works the same in PostGres, Oracle and MySQL. Regardless, I have never seen a web dev decide to switch from MySQL to Oracle on a whim. The small difference of forty thousand dollars usually seals that deal.

Quote


LAMP proved to be a great system, but systems like Django and TurboGears are a viable alternative



You're comparing an operating system, webserver, scripting engine and DB to CMSes that use the Python language. This doesn't even make sense. Apples to oranges.
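The two posts above disagree on whether "hashes + salts the passwords" (the repoze approach) is any different from "a call to MD5 and an IF statement on a $_SESSION variable". This added example, which is not code from the thread or from TurboGears/repoze, shows the difference in standard-library Python: a bare MD5 gives every user with the same password the same digest, while a per-user random salt plus a slow KDF does not, and verification compares in constant time. The iteration count is an assumption to tune per deployment.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed value: raise it until hashing takes a noticeable fraction of a second on your server.
ITERATIONS = 200_000


def md5_unsalted(password: str) -> str:
    """The 'one call to MD5' approach: identical passwords always give identical digests."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store as 'pbkdf2_sha256$iterations$salt_hex$digest_hex' with a fresh random salt."""
    if salt is None:
        salt = os.urandom(16)  # 16 random bytes per user, generated at password set time
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: reject rather than crash
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def salted_hashes_differ(password: str) -> bool:
    """Two users who pick the same password get different stored values once salted."""
    return hash_password(password) != hash_password(password)


def unsalted_hashes_collide(password: str) -> bool:
    """With bare MD5 the stored values are identical, so one cracked hash unlocks both accounts."""
    return md5_unsalted(password) == md5_unsalted(password)
```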

Quote

Not trying to derail the thread, but you seriously aren't saying that PHPNuke and Joomla are secure are you?



They are not that secure of a platform compared to a lot of other commercial programs out there, but they are usually head over heels more secure than most home-written applications by newer programmers. When you are looking at the difference between an open source platform that has a few bugs but is regularly patched and updated to include security fixes versus a home-coded application by someone that is asking what language needs to be used and has no experience in the language... it's a simple call in my opinion, unless this is for a commercial application, and then a question like that would not be asked on these forums. ;)

The way I'd look at it is, as a single programmer on a non-commercial job, you can either take the months needed to learn SQL, PHP, AJAX and Java only to start to lay out the design, which probably will have major holes in it, or you could take the framework laid out by a CMS and then supplement the code with your own to add features as the project is getting stood up and implemented.
