Learning PHP: Where's the security?


A couple of things have struck me so far as I have been trying out basic tasks in PHP to get a feel for how they work. One immediate concern I have right now is database security in PHP.

The first red flag I have is PHP's insistence that you type in a username and password for the database user in the clear in your database connection code. To me this is just asking for potential trouble. Let's toss out this scenario - disgruntled PHP developer gets the boot. You now have to go and change the database username and/or password on the server in order to make sure things are secure, because that coder has the information he or she needs to get in and screw with the database, not just via PHP code, but with any client tool (assuming they have access inside your network, and let's be honest rarely is there a time when a disgruntled employee isn't that way while still being employed). Even if you code smart and just include your database connection strings in a function so you only have to make the change in one place, it's still a change that shouldn't have to be made.

Compare this to CF, which sets the database access information in the datasource creation in the CF admin. This allows a lot more internal security, as the only people that really need to know that access information are the DBA and the CF administrator (in many cases I imagine this may be the same person). The point is that you can really compartmentalize this information a lot better in CF than you can in PHP. The developers need only know the datasource name; nothing about usernames or passwords is passed along in that. In the case of the disgruntled employee, their access to the database comes in a totally separate login that can be more quickly locked down without affecting other accounts and applications in the case you need to do so.

The other thing that so far has struck me (and I am sure that this is a pure lack of PHP knowledge on my part, but...) is that there does not seem to be a PHP answer to CFQUERYPARAM in terms of speed and simplicity for locking down your SQL queries from injection attacks. It looks like I need to dig into the mysqli() functions from what I can tell, but they don't seem as clean as CFQUERYPARAM is. File this one not so much under "PHP can't do this", but under the growing list of "PHP takes a lot longer to do this than CF".

Thoughts are appreciated on how or why this impression is incorrect.
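As an added example (not part of the original post or its comments), here are the two concerns above handled with PHP's mysqli extension: credentials come from environment variables set by the server administrator instead of the source file, and query values are bound as typed parameters. The variable names DB_HOST, DB_USER, DB_PASS and DB_NAME, the `users` table and its rows are assumptions constructed for the demonstration, which also assumes a reachable MySQL server and an account allowed to create temporary tables.

```php
<?php
declare(strict_types=1);

// Added example, not code from the post. Assumed names: environment variables
// DB_HOST, DB_USER, DB_PASS, DB_NAME; a constructed demo table `users`.

/** Connect with credentials supplied by the server environment, not the source. */
function db_connect(): mysqli
{
    $cfg = [];
    foreach (['DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME'] as $key) {
        $value = getenv($key);
        if ($value === false) {
            throw new RuntimeException("Missing environment variable: $key");
        }
        $cfg[$key] = $value;
    }
    // Make mysqli throw exceptions instead of failing silently.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli($cfg['DB_HOST'], $cfg['DB_USER'], $cfg['DB_PASS'], $cfg['DB_NAME']);
    $db->set_charset('utf8mb4');
    return $db;
}

/** Values are bound as typed parameters, the role CFQUERYPARAM plays in CF. */
function find_users(mysqli $db, string $status, int $minId): array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE status = ? AND id >= ? ORDER BY id');
    $stmt->bind_param('si', $status, $minId); // s = string, i = integer
    $stmt->execute();
    $stmt->bind_result($id, $email);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['id' => $id, 'email' => $email];
    }
    $stmt->close();
    return $rows;
}

$db = db_connect();
// Constructed sample data in a session-local temporary table.
$db->query('CREATE TEMPORARY TABLE users (id INT PRIMARY KEY, email VARCHAR(255), status VARCHAR(20))');
$db->query("INSERT INTO users VALUES (1, 'a@example.test', 'active'), (2, 'b@example.test', 'disabled')");

var_dump(count(find_users($db, 'active', 1)));
// Constructed hostile input: bound as data, it is compared literally against status.
var_dump(count(find_users($db, "active' OR '1'='1", 1)));
```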

2 responses to “Learning PHP: Where's the security?”

  1. David Boyer Says:
    @Rob,

    For prepared statements I'll point you at Pete Freitag's blog. Not sure why he was looking into this as he's a CF developer as far as I remember.

    http://www.petefreitag.com/item/356.cfm

    Good point on datasource information. It's a lot easier and feels nicer in CF and the way it's handled. Just keep in mind that PHP is more low level than CF; it wasn't designed with fast application development in mind, more of a "here are all the tools you could ever want / not want" mindset. If you are really used to using CFCs where you've wrapped up functionality and you feel like PHP involves too much work to do certain things, I'll plug Zend Framework again :P You can pick and choose parts of it to use when you feel like, instead of having a whole framework and development style forced upon you like other frameworks.
  2. Brian Says:
    I know it's a little more work, but I have a small script that I can run that will show me the usernames and passwords for all datasources in a CF install.

    All users that I set up DB access for have limited capabilities and absolutely do not accept remote connections. That is done for any of the languages I use that require DB access.
