Most appropriate server-side technology for a new application

 
Ranch Hand
We are trying to build a new HTML5 application and need a robust and scalable option for the server-side. We are not considering Java frameworks now. We need to develop robust applications quickly on the server-side. Our data would be big and we need a language/technology that inherently protects against SQL injection or similar threats (we won't be using PHP). Python seems to be a good choice, but Django seems to be quite heavy-weight for what we are planning to do. We will host it on a shared server - in case that is important.

I am contemplating using node.js but not sure if it would be the most appropriate choice. Would appreciate any pointers and inputs that could help me get some clarity. Do ask for more clarification if I have missed out something.

TIA,
- Manish
 
Bartender
Ok, but what are your current skills? Doesn't the language really matter at all?
 
Manish Hatwalne
Ranch Hand

Claude Moore wrote: Ok, but what are your current skills? Doesn't the language really matter at all?



Nope, not really. I am language agnostic as long as the chosen technology/language justifies its use and should be stable enough to actually use in production.
 
Sheriff
Big Red Flag: "need language/technology that inherently protects against SQL injection or similar threats"

IMO, that's the wrong thing to be looking for if you're concerned about security. Application security is not free; it's something you have to carefully consider and deliberately build into your application from the start and all throughout. All languages/technologies have security issues. Choose your language/technology platform first, then do a risk assessment. If SQL injection is a risk you want to address, then learn how to do that in the language/platform that you choose. Come up with a plan/strategy for developing your application with as much security as you are willing/able to build in and see to it that developers know and follow the plan/strategy. Most of all, test, test, test. Lastly, poor quality code is virtually guaranteed to be insecure code. Well-factored, readable, and maintainable code is easier to secure and verify than poorly written code.
 
Manish Hatwalne
Ranch Hand

Junilu Lacar wrote: Big Red Flag: "need language/technology that inherently protects against SQL injection or similar threats"

IMO, that's the wrong thing to be looking for if you're concerned about security. Application security is not free; it's something you have to carefully consider and deliberately build into your application from the start and all throughout. All languages/technologies have security issues. Choose your language/technology platform first, then do a risk assessment. If SQL injection is a risk you want to address, then learn how to do that in the language/platform that you choose. Come up with a plan/strategy for developing your application with as much security as you are willing/able to build in and see to it that developers know and follow the plan/strategy. Most of all, test, test, test. Lastly, poor quality code is virtually guaranteed to be insecure code. Well-factored, readable, and maintainable code is easier to secure and verify than poorly written code.



Yes, yes and resounding YES!!!

I had this red flag myself when I wrote that - but didn't elaborate on that one. What I meant is this - often Java frameworks (or similar ones) use ORM and are less likely to send loosely constructed SQL to DB. I *completely* understand how we should sanitize input and how to assess security based on language/technology chosen. In that sense I wholeheartedly agree with what you say.

However, based on my experience with teams here, code developed by PHP developers (not all, but majority of those who I have seen working here) tends to be more prone to such issues. Again, I understand how we need to ensure security here. But without explaining intricate details of concerns, let me say that I would like to avoid PHP for this project.
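
Added example, not posted by anyone in the thread: the same language and driver can send either loosely constructed SQL or bound parameters, and binding does not cover identifiers such as a sort column, which need an allow-list. The table, sample rows and function names are constructed for illustration; it uses Python's standard sqlite3 module.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    db.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return db

def find_concatenated(db, name):
    """Loosely constructed SQL: the input becomes part of the statement text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [r[0] for r in db.execute(sql)]

def find_bound(db, name):
    """Bound parameter: the input is passed as data and never parsed as SQL."""
    return [r[0] for r in db.execute("SELECT name FROM users WHERE name = ?", (name,))]

# Allow-list: placeholders cannot stand in for column names.
SORTABLE = {"name", "role"}

def list_sorted(db, column):
    """Identifiers cannot be bound, so validate them against a fixed set."""
    if column not in SORTABLE:
        raise ValueError(f"unsupported sort column: {column!r}")
    return [r[0] for r in db.execute(f"SELECT name FROM users ORDER BY {column}, name")]

def demo():
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input containing a quote
    return {
        "concatenated": find_concatenated(db, crafted),  # matches every row
        "bound": find_bound(db, crafted),                # matches nothing
        "sorted_by_role": list_sorted(db, "role"),
    }

if __name__ == "__main__":
    print(demo())
```
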
 
Saloon Keeper
Node.js and PHP are good for quick-and-dirty projects, but I wouldn't entrust either JavaScript frameworks or PHP on critical security matters. In fact, I wouldn't trust any language that didn't enforce strong typing for the simple reason that loose/dynamic-typed code doesn't reveal many of its possible bugs until runtime.

Of course, strong compile-time checking isn't the only criterion or Ada would have more of a following. While Ada could easily lay waste to a mainframe when it first came out, so could Java. Hardware advances have pretty well eliminated that objection.

I doubt that Django is any more demanding than J2EE when it comes to resources, but J2EE has a wider selection of mature pre-debugged add-ons in general and that includes ORM frameworks.

What Java is not good at is quick application development.

Actually, I determined quite a while ago that the language used to develop an app is immaterial. Over the lifecycle of a serious production application, the amount of time and resources required is remarkably consistent between most languages. The kicker is where in the lifecycle you spend your time. Strongly-typed languages require more time in the design and compiling phases. Scripting languages allow you to skip almost immediately to seeing pretty web pages, but you spend your time fixing runtime errors as they pop up, and in the case of framework-style "silver bullet" systems, any changes above and beyond the 5-minute demo level require going back in and chewing up a lot of existing code. And then, of course, there's the time spent alerting customers to the leaked credit card numbers, etc.

There is no one solution. Ultimately you decide on what you want to spend your money on and what development resources you can muster locally, make a list of candidate platforms and pick one. Or 2, since it's really not a bad idea to have a quick-and-dirty platform for prototyping before committing to a production platform - Knuth's "Plan One to Throw Away" strategy. IF, of course, you can afford the extra talents and the bean-counters' impulse to push the prototype itself into production since "you've already got it working". That's one advantage that building architects get. No one expects people to move into their little cardboard skyscraper models or run 120,000 cars and trucks a day on a toothpick bridge model.
 
Manish Hatwalne
Ranch Hand
That's a wonderful answer Tim - very well articulated and argued.

BTW, I am seeing more and more youngsters in my team and otherwise making fun of Java and strongly advocating loosely typed languages (Python and so on), and though I have experienced their productivity and simplicity, I wish they could realize the advantages of strongly-typed languages that you have so beautifully articulated.

Thanks again! I will keep this post in mind as I choose the technology/language for this project.  
 
Claude Moore
Bartender

Tim Holloway wrote: Node.js and PHP are good for quick-and-dirty projects, but I wouldn't entrust either JavaScript frameworks or PHP on critical security matters. In fact, I wouldn't trust any language that didn't enforce strong typing for the simple reason that loose/dynamic-typed code doesn't reveal many of its possible bugs until runtime.



I fully agree with Tim, and not only about security issues, but more in general about usage of script languages in complex projects.
I think that with the advent of OOP languages, all of us have been told that languages like Visual Basic were unfit to build large and complex systems. No encapsulation. No strong type checking.
Nowadays these characteristics, once seen as flaws, are seen as great features, and honestly I can understand why. Ok, Java (or C++, or C#) are all but fit to quick and dirty prototyping. But I wonder how much time you have to spend when your project can't be "quick and dirty" anymore, and, more important, what hell you may fall in when you need to maintain and grow your application.

Tim mentioned Node.js, and he's right because Node.js has gained a lot of traction. With Node.js (and not only with Node.js) JavaScript became an important competitor in server-side technology... I have to admit that I'm not a JavaScript expert, but having studied it and applied it in some real projects, I wonder how it would be possible to write complex systems without taking much more care than you ought to take with using Java or C# for example. When the prototyping phase is ended, I think that programmers lose all of the advantages that they had adopting JavaScript. Is that maybe a reason why microservices based architectures are gaining popularity as well as scripted languages?




 