E.g. Is it more secure to use mod_php instead of php-cgi? Or is it more secure to use mod_perl instead of traditional cgi-scripts?
I'm mainly interested in security concerns, but speed might be an issue if there are significant differences.
Unlike PHP-FPM, mod_PHP locks out processes and disrupts the performance of a website. If your primary goal for hosting your web application with an optimized cloud service is to achieve optimal performance and security, then PHP-FPM is the way forward.
Benchmark Conclusions: On average, the PHP version is faster than the ASP version, while the CGI (C++) version is more than 10 times faster than both PHP and ASP. The PHP version is only slightly faster than the ASP version for smaller sites, but as the size of a site grows, the difference increases.
CGI (Common Gateway Interface) is a web technology and protocol that defines a way for a web server (HTTP server) to interact with external applications, e.g. PHP. CGI enhances the web server capabilities to enable dynamic content generation and processing.
Running PHP as a CGI means that you basically tell your web server the location of the PHP executable file, and the server runs that executable, giving it the script you called, each time you visit a page. That means each time you load a page, PHP needs to read php.
Security in what sense? Either way it really depends on what script is running and how well it is written. Too many scripts these days are half-assed and do not properly do input validation.
I personally prefer FastCGI to mod_php since if a FastCGI process dies a new one will get spawned, whereas I have seen mod_php kill the entirety of Apache.
As for security, with FastCGI you could technically run the PHP process under a different user from the default web server's user.
On a separate note, if you are using Apache's new worker threading support, you will want to make sure that you are not using mod_php, as some of the extensions are not thread safe and will cause race conditions.
If you run your own server, go the module way; it's somewhat faster. If you're on a shared server, the decision has already been taken for you, usually on the CGI side. The reason for this is filesystem permissions. PHP as a module runs with the permissions of the http server (usually 'apache') and unless you can chmod your scripts to that user you have to chmod them to 777 - world readable. This means, alas, that your server neighbour can take a look at them - think of where you store the database access password. Most shared servers have solved this using stuff like phpsuexec and such, which run scripts with the permissions of the script owner, so you can (must) have your code chmoded to 644. Phpsuexec runs only with PHP as CGI - that's more or less all, it's just a local machine thing - makes no difference to the world at large.
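The permission difference described in the answer above (777 under a shared mod_php setup versus 644 under phpsuexec) can be checked on a web root with a short audit. This is an added example, not part of the original answers; the function names `audit_php_perms` and `tighten_php_perms` are hypothetical and the sample tree is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: audit and tighten PHP file modes under a web root.
# All paths below are constructed sample data in a temp directory.

# List .php files under $1 that group or others can write to.
# Output: "<finding> <path>", world-writable (the 777 case) first.
audit_php_perms() {
    find "$1" -type f -name '*.php' -perm -0002 -print |
        sed 's/^/world-writable /'
    find "$1" -type f -name '*.php' -perm -0020 ! -perm -0002 -print |
        sed 's/^/group-writable /'
}

# Reset every flagged file to 644 (owner read/write, everyone else
# read-only), the mode the answer above gives for phpsuexec setups.
tighten_php_perms() {
    find "$1" -type f -name '*.php' \( -perm -0002 -o -perm -0020 \) \
        -exec chmod 644 {} +
}

# Demo on a constructed web root: one 777 file, one 664, one already 644.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/app"
    echo '<?php /* constructed: database password placeholder */' > "$root/app/config.php"
    echo '<?php echo "hi";' > "$root/index.php"
    echo '<?php echo "ok";' > "$root/app/lib.php"
    chmod 777 "$root/app/config.php"
    chmod 664 "$root/index.php"
    chmod 644 "$root/app/lib.php"
    echo "before:"; audit_php_perms "$root"
    tighten_php_perms "$root"
    echo "after:";  audit_php_perms "$root"
    rm -rf "$root"
}
demo
```

Files at 644 remain readable by other local users, so where PHP runs under the script owner's account, credential files can be restricted further (for example to 600) without breaking the site.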