C++ web app best practices

[keval_domadia]

Hello,

Due to lack of documentation and 'NO tuts available'-state of cpp for web apps, it is difficult for me to understand , per say, security aspects.
Facebook is using Hiphop PHP which has made it far more superior in handling so many requests, further after Google ditching python for cpp and Java(maybe a rumour but, very famous one) has created a drastic impact too.
There are client enquiries who ask me for the same flavour that Google is using... However, I need to know what are the consequences of using CPP for web app development?
So far by word of mouth I have heard / discussion with developers "while using php, asp, jsp, if compromised, you loose a site and possibly the server... but, when on direct cpp to c compiler, u dont loose website, you loose the entire server.... php jsp = sqli, csrf, etc... cpp = bof because, php goes via and works on diff OSI layer whereas CPP is quicker because, it has complete access to all resources" is this understanding correct?
I want to get into production with CPP for web apps. Hiphop is a good alternative however, people also suggest that it is comparatively not stable enough as cppCMS.

Please advice.

[fb1h2s]

You would be interested in looking at ISAPI extension , http://www.codeproject.com/KB/ISAPI/...xtensions.aspx

Huge site like Ebay and all run on this [https://scgi.ebay.in/ws/eBayISAPI.dll] , ISAPI had to deal with BOF kind of attacks before , I ain't heard of any latest bug in the following dll.

[keval_domadia]

Yes, this is what I concern was. The almighty Overflowing-tea-from-the-cup.
Will have a look ISAPI but, right now am not into .net (I presume it has got to do with .net)...

So, you do agree that BOF may be a threat ?

["vinnu"]

The major difference is the cgi (cpp will be compiled to executable and then executable will become the CGI) forms a process in the server under webserver, while php and other most counterparts are executed under a thread by their corresponding interpreter.

The downfalls like bufferoverflow/formatstring...etc are the problems of developers, they should code properly, otherwise there are problems with other technologies also.
We should not criticize any technology, if it is developed then it might have some features. And there is none other higher level language with such a vast features and libraries as c/c++ have.

..."vinnu"

[Anant Shrivastava]

The major difference is the cgi (cpp will be compiled to executable and then executable will become the CGI) forms a process in the server under webserver, while php and other most counterparts are executed under a thread by their corresponding interpreter.

The downfalls like bufferoverflow/formatstring...etc are the problems of developers, they should code properly, otherwise there are problems with other technologies also.
We should not criticize any technology, if it is developed then it might have some features. And there is none other higher level language with such a vast features and libraries as c/c++ have.

..."vinnu"

I agree with your point buddy,

we should not be blaming technology.

however at same point there should be a limit on using technology at correct places.

C/C++ suffers bufferoverflow and pointer related issues coz they are primerily intended for low level / system level task's. java does'nt have pointers as it wanted to be a app language. however the whole point here is use the language which you think is good then don't make a fuss out of it.


also as far as web app in c, my personal opinion i would like to do that only if i have control over the whole server.
I.E. my app itself is acting as a port 80 listener too... ....

[keval_domadia]

Thanks Vinnu and Anant. :-)

However, my main point was about the "best practices", as Vinnu said, it is developers fault and not technologies.
I agree to it, which is why I am seeking guidance from citizens of Garage to help me with "best practices" like, how to sanitize, what could be done to minimize processing time, whitespaces, etc...