TurboGears vs JSP vs PHP vs Ruby on Rails vs Webware


VyNiL

Aug 14, 2006, 7:37:53 PM
to TurboGears
Hello,
I've already seen how TurboGears makes coding web pages easier (as
Python does with coding in general). But in terms of security,
stability and velocity: how does TurboGears compare to JSP, PHP, Ruby
on Rails and Webware? Is TurboGears suitable for large-scale projects?
Or should we stick to the unfriendly JSP?

If someone has benchmarks it would be great, but if not I'll be happy to
hear your opinion.

Thanks

Sanjay

Aug 15, 2006, 7:31:10 AM
to TurboGears
To me, SQLAlchemy (befitting for handling complex databases) support
seemed the greatest advantage of Turbogears.

Mauricio Souza Lima

Aug 15, 2006, 9:55:41 AM
to turbo...@googlegroups.com
Hi, VyNil.

You know this is a very polemic topic; without a specific purpose
you can't define the better tool, so I will post here the link to a
nice video that gives a quick view of and compares different frameworks:
http://oodt.jpl.nasa.gov/better-web-app.mov

[]'s
Mauricio Souza Lima



Karl Guertin

Aug 15, 2006, 12:16:16 PM
to turbo...@googlegroups.com
On 8/14/06, VyNiL <nicol...@gmail.com> wrote:
> how does turbogears compares to JSP, PHP, Ruby
> on Rails and Webware?. Is turbogears suitable for large scale projects?
> or should we stick to the un-friendly JSP?

Overall:

JSP - Looked at it once and said "meh"
PHP - Are you dumping from a mysql database onto a single page? no?
Just about anything is better.
RoR - Good for new projects, good marketing, enough buzz that it's
spawning a fairly sizeable community of addons, I've never used it
Webware - TG and Django (and pylons to a lesser extent) get all the
buzz in the Python community these days
Django - Better than TG on small projects with new databases
(auto-admin rocks), I prefer TG otherwise
TG - Returning dicts is genius, SA rules (skip ActiveMapper though,
not enough support for complex joins), my preferred environment for
larger projects or projects that don't work well with django's admin

Security:
JSP - don't know
PHP - poor (sqlinjection mostly)
RoR - finally large enough for security issues to work their way out,
first security patch just issued, so I'd say ok or good
Django - too new to say, expected good, it's been running on LJW for a
few years and I've never seen a mention on the list of any issues
TG - too new to say, expected good, most of the components have been
in production for a few years

I haven't seen stability complaints in any of these frameworks. For TG
stability has been fine for me for the past couple months, there was
one intermittent issue running in dev mode back in Feb/March but I
haven't noticed anything since.

Eric Larson

Aug 15, 2006, 12:52:51 PM
to turbo...@googlegroups.com
Hi

On 8/15/06, Karl Guertin <gray...@gmail.com> wrote:
> Security:
> JSP - don't know
> PHP - poor (sqlinjection mostly)

I think this is an extremely poor argument. If you trust Apache and consider the opportunity for SQL Injection, then it can be very secure. Of course Apache configurations can be too open, but overall, it is safe to say that Apache can be very secure.

> RoR - finally large enough for security issues to work their way out,
> first security patch just issued, so I'd say ok or good
> Django - too new to say, expected good, it's been running on LJW for a
> few years and I've never seen a mention on the list of any issues
> TG - too new to say, expected good, most of the components have been
> in production for a few years
>
> I haven't seen stability complaints in any of these frameworks. For TG
> stability has been fine for me for the past couple months, there was
> one intermittent issue running in dev mode back in Feb/March but I
> haven't noticed anything since.

Seeing as most of these frameworks all run behind some other web server (lighttpd, Apache/Tomcat), security really becomes a question of how well a person defends against threats. I am not a very security conscious person, but overall application security is really the duty of the developer and not the platform or framework.

Good Luck!

Eric

Neil Blakey-Milner

Aug 15, 2006, 1:04:33 PM
to turbo...@googlegroups.com
On Tue 2006-08-15 (11:52), Eric Larson wrote:
> On 8/15/06, Karl Guertin <gray...@gmail.com> wrote:
> >
> > Security:
> > JSP - don't know
> > PHP - poor (sqlinjection mostly)
>
> I think this is an extremely poor argument. If you trust Apache and consider
> the opportunity for SQL Injection, then it can be very secure. Of course
> Apache configurations can be too open, but overall, it is safe to say that
> Apache can be very secure.

PHP does make doing certain aspects of security right a lot harder than
it ought to be, especially when dealing with external process execution.

Almost every programming language on the planet that offers the ability
to execute an external program allows for you to not go via the shell.
PHP, unfortunately, doesn't. Which means you have to put quite a bit of
effort into making sure you've escaped something correctly for the shell
in use (normally /bin/sh or Windows cmd.exe, but who knows really?).

It's not fair comparing a programming language with a framework, though.

Neil
--
Neil Blakey-Milner
n...@mithrandr.moria.org
http://mithrandr.moria.org/
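
An added example, not part of the original thread or any poster's code: the difference Neil describes between going via the shell and passing an argument vector directly, shown in Python (the language TurboGears applications are written in). The function names and the sample input are constructed for illustration, and a POSIX system with `/bin/sh` and an `echo` binary is assumed.

```python
import shlex
import subprocess

# Constructed sample: a "filename" from an untrusted source that happens to
# contain a shell metacharacter followed by a harmless marker command.
UNTRUSTED = "report.txt; echo INJECTED"


def run_via_shell(arg):
    """Concatenate input into a command string and let /bin/sh parse it.

    The shell, not the program, decides where arguments and commands end.
    """
    result = subprocess.run("echo " + arg, shell=True,
                            capture_output=True, text=True)
    return result.stdout.splitlines()


def run_argv(arg):
    """Pass an argument vector straight to the OS; no shell is involved.

    The input reaches the child as exactly one argument, whatever it contains.
    """
    result = subprocess.run(["echo", arg], capture_output=True, text=True)
    return result.stdout.splitlines()


def run_via_shell_quoted(arg):
    """Fallback when a shell is unavoidable: escape for that specific shell.

    shlex.quote() targets POSIX sh only; it is not correct for cmd.exe,
    which is why the no-shell form above is the safer default.
    """
    result = subprocess.run("echo " + shlex.quote(arg), shell=True,
                            capture_output=True, text=True)
    return result.stdout.splitlines()


if __name__ == "__main__":
    print("shell, unescaped:", run_via_shell(UNTRUSTED))
    print("argv, no shell:  ", run_argv(UNTRUSTED))
    print("shell, quoted:   ", run_via_shell_quoted(UNTRUSTED))
```

In the unescaped shell case the output has two lines because the shell ran a second command; in the other two cases the whole string comes back as a single argument.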
