3

I am building a website using PHP and a MySQL database. The website now has login/register functionality and profiles with walls that can be visited. On the same website, I want to build a big chat application using websockets. This chat should host a dynamically expanding number of chat rooms (could run into thousands) of medium-sized groups (+/- 25 people).

I've been considering node.js to run websockets with, but I only want to use node.js to handle incoming messages and broadcasting. In addition, I want to save the incoming messages in the database using PHP. I want to use http calls in the node.js server file to handle this, as described in http://docs.nodejitsu.com/articles/HTTP/clients/how-to-create-a-HTTP-request. I also want to use http requests to get properties of the user (for example name and profile picture), so these could be displayed to other users in the same chatroom. I do not want to handle this client side, as the user could then easily pretend to be someone else.

Both the php website and the node.js server run on localhost. The website runs on 127.0.0.1:80 and the server on 127.0.0.1:1337.

My question is, is this approach safe? Are there any security risks in doing http requests on a node.js server to send/receive data from the database? Is it a good idea to run node.js next to a PHP website, or should I build my website purely on node.js? Are there any other alternatives?

Renato Gama
Guido Passage
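
The server-side identity lookup the question describes, as an added example that is not part of the original post: the Node.js process reads the PHP session cookie from the WebSocket handshake, asks the PHP site who owns it, and attaches that identity to every broadcast instead of trusting names sent by the client. The endpoint path `/internal/whoami.php`, its JSON fields and the 500-character limit are assumptions.

```javascript
// Added example; endpoint path, JSON shape and limits are constructed assumptions.
const PHP_BACKEND = 'http://127.0.0.1:80';   // PHP site address given in the question
const WHOAMI_PATH = '/internal/whoami.php';  // hypothetical PHP endpoint returning JSON
const SESSION_COOKIE = 'PHPSESSID';          // PHP's default session cookie name

// Cookies are not isolated by port, so the browser sends the PHP session
// cookie with the WebSocket handshake to port 1337. Extract and validate it.
function sessionIdFromCookie(cookieHeader) {
  for (const part of String(cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== SESSION_COOKIE) continue;
    const value = part.slice(eq + 1).trim();
    // Accept only characters a PHP session id can contain; reject anything else.
    return /^[A-Za-z0-9,-]{22,256}$/.test(value) ? value : null;
  }
  return null;
}

// Ask PHP who owns this session: once per connection, server to server.
async function fetchProfile(sessionId, fetchImpl = fetch) {
  const res = await fetchImpl(PHP_BACKEND + WHOAMI_PATH, {
    headers: { Cookie: `${SESSION_COOKIE}=${sessionId}` },
  });
  if (!res.ok) return null;                  // not logged in: refuse the socket
  const p = await res.json();
  return { id: Number(p.id), name: String(p.name), avatar: String(p.avatar) };
}

// Build the broadcast: identity comes from PHP, only the text from the client.
function buildBroadcast(profile, rawClientMessage, room) {
  let msg;
  try { msg = JSON.parse(rawClientMessage); } catch (e) { return null; }
  if (!msg || typeof msg.text !== 'string') return null;
  const text = msg.text.trim().slice(0, 500); // constructed length limit
  if (text === '') return null;
  return { room, userId: profile.id, name: profile.name, avatar: profile.avatar, text };
}

// Constructed sample: the client claims to be "admin"; the claim is ignored.
function demo() {
  const profile = { id: 42, name: 'guido', avatar: '/img/42.png' };
  return buildBroadcast(profile, '{"name":"admin","userId":1,"text":" hi all "}', 'room-7');
}
```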

3 Answers

2

> Is this approach safe?

Sure. I mean technically, sure. It's no more unsafe than any of the technologies individually. It does, however, make your architecture a bit more complex which may marginally lead to more human error and bugs or security issues. But that's more about humans and complexity rather than the tech itself.

> Are there any security risks in doing http requests on a node.js server to send/receive data from the database?

Nope, not more than any other backend technology. It sits behind a webserver, runs code that may or may not access a database and returns a response. Plenty of production websites are running node.js without any security issues.

> Is it a good idea to run node.js next to a PHP website, or should I build my website purely on node.js?

That's tough to answer. I think overall a simpler and more maintainable pattern is to keep things in one place and technology. But as applications grow it's actually very common to remove standalone parts and implement them on their own in their own best case way. Usually this has as much to do with performance, separating high traffic systems from low traffic ones, as it does with the capabilities of the tech itself.

But this usually comes into play when you have multiple servers with different roles. With smaller projects, there is usually less value.


I don't know if that answers your question, but in short: It's not inherently bad. It depends.

Alex Wayne
  • Then I think it would be a consideration between rewriting a lot of code to make it work on one technology, or just continue using PHP and building a node.js server next to it, risking more bugs/traffic. An alternative would be long polling or short polling with AJAX, but websockets seem to be a much better approach. Thank you for your answer. – Guido Passage Nov 12 '12 at 23:57
  • No problem. After thinking on it a bit more I would conclude that good programmers will be able to take either road and do it well, without issues or complications. There isn't a clear right answer here. – Alex Wayne Nov 12 '12 at 23:59
  • Then I think I'll continue using PHP and node.js next to each other, as it would take me too much time to learn node.js and I'm already reasonably experienced in PHP. – Guido Passage Nov 13 '12 at 00:03
0

I don't think there is anything inherently unsafe with mixing Node.js and PHP/Apache. It's just like running multiple programs in your computer, they have their own space, listen to their own port and don't talk to each other directly.

But I would personally be more concerned about server resources (how fast is your CPU? how much RAM?). It would definitely be more efficient to build your website on just one platform. But depending on what you are building, it might be okay to have both.

From the benchmark I've seen, Node.js is more resource hungry than Apache. But Node.js is also very fast for certain applications.

pixelfreak
  • The website will later be running on a VPS. This would mean I'd have to get a more expensive VPS service, or I would have to rewrite a lot of code to make my website run on node.js. I've also considered phpwebsockets but I couldn't get that working. But good to hear that it is not unsafe: I've also considered using AJAX, but I've read that using AJAX with node.js is unsafe: http://stackoverflow.com/questions/5373987/how-to-use-jquery-ajax-calls-with-node-js, that's why I wondered if http requests are unsafe. Thank you for your answer. – Guido Passage Nov 12 '12 at 23:49
  • AJAX is not unsafe... Cross domain ajax has potential to be used by hackers, but browsers don't allow that without very specific and explicit contracts about how the data will be exchanged. [See CORS](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing). – Alex Wayne Nov 13 '12 at 00:01
  • AJAX is just an HTTP request, just like when you type the URL in the address bar and hit enter. There is nothing unsafe about AJAX and Node.js, you are confusing the two. Cross-domain AJAX is what the post is referring to. – pixelfreak Nov 13 '12 at 00:03
  • I think I misunderstood the thread. I thought it would be cross-domain AJAX if I had to request my php server on my node.js server. – Guido Passage Nov 13 '12 at 00:07
  • Cross-domain AJAX has nothing to do with the platform the server is running. It's about domain. For example: "google.com" -> "yahoo.com". In your case, a different port is also considered a cross-domain call. – pixelfreak Nov 13 '12 at 00:20
  • Show some support to meteor.js or derby.js. Chat rooms suit the way they work. – wayne Nov 13 '12 at 00:41
0

I run PHP and nodejs in tandem for production and it is no less secure than any other CGI backend. The one thing no one has mentioned is that Nginx doesn't support WebSockets yet, so binding Nginx to port 80 is not going to work if you want to support both a PHP application and a nodejs application using websockets.

See my answer here for my solution: nginx vs node-http-proxy

EDIT: As of version 1.3.13, Nginx supports web sockets. Nginx has now taken back its rightful place on port 80 of my production stack.

Community
srquinn
  • This article, http://webandphp.com/IntegratingNode.jswithPHP, says websockets are possible with Nginx if you switch protocols, have not tested it! – Richard Oct 01 '13 at 07:10
  • @Richard Yes, version 1.3.13 and beyond now supports websockets and as a result, I now use Nginx as a reverse proxy for both my Nodejs apps and PHP apps. – srquinn Oct 02 '13 at 13:48