If you want to make a pizza, you have to use the pizza dough in order to make a gourmet masterpiece. From the perspective of web development, a framework is like the dough and plays a role of the base of your web application, software, or web service. You have a wide variety of choices and options in making a pizza. In the case of web frameworks that used to build a web application – the situation looks quite the same.
In this chapter, I want to discuss two of the biggest web development frameworks that are used today – Laravel vs Django and I would like to try to make a fair and objective comparison of them. But first, I think we have to recall the concept of a framework and introduce our competitors first.
A framework is a skeleton, and the developers and designers build awesome applications with different features on this skeleton. You can use it as an abstract tool when you need to reuse code or need some help with application development. A framework contains some codes and pre-template structure. The user interface is not necessarily included.
However, Django (as well as some frameworks like Django) comes with an administration interface. But in a lot of other cases, the developer has to write a new code, so it will be used in the interaction with a variety of frameworks features. It is significant when it comes to the choice of the right framework for the project that you are working with. With its help, you can make your code easier and faster and forget about deadlines.
Web development frameworks and their types
There are a lot of different frameworks at your service. They all are different but come on the same basis. A large part of backend apps (web apps, web services, and software) are come based on frameworks. They come in two different types:
- Web frameworks. These frameworks are aimed to help a developer build web-orientated apps, like complex AJAX applications or simple blogs with media galleries, large database, social-media share buttons, dashboards, menus, etc. It really helps, when it comes to speed up your work process.
- Software frameworks. It is a part of a bigger software framework, where specific functionality is provided by selection and overwriting of the common code that provides common functionality. Such framework contains default behavior, inversion of control, extensibility and non-modifiable code. You are free to use different tools in order to perform specific tasks. Due to this, you can focus on the logic of your application and its original idea and philosophy, without wasting time on routine.
What is PHP framework Laravel?
With Laravel, you can simplify your work process and build PHP-based web applications that you want. It clearly follows the model view controller and object-oriented approaches. Because of its useful features, Laravel is one of the most preferred web frameworks in the world.
Companies using Laravel
Notable open-source Laravel projects
Cachet. A good choice, if you are looking for a status page system for your website or API;
Invoice Ninja. A good time-tracking, expenses and invoicing app;
Koel. A good instance of personal music streaming server;
Canvas. As a developer, you'll not regret this minimal blogging app.
Probably the only framework to pick up for PHP;
As a developer you will have a brilliant understanding of programming;
The indispensable work with standards;
Shared hosting is not supported;
Does the excessive query on databases. For example, if you're using Google Clouds Database, you'll lose some time on it.
Django, the unchained framework
Probably, the most popular framework from Pythons league. Its flexibility allows the developer to use Django almost anywhere and for anything. It follows two patterns:
Model View Whatever (MVW);
Model View Template (MVT).
There are a lot of popular websites that have backend built with Django. It is notable that NASA uses Django on the official sites, which says a lot about its security. You can learn more about Django in our previous article.
- You can develop a simple prototype surprisingly fast;
- Tons of plugins built over the years;
- A great customization;
- A solid community support and large documentation;
- Data management is also simple;
- Open source.
- Can feel bloat from the small project perspective;
- You have to be known with regular expressions for routing;
- Weak templating;
- The whole server will restart because of autoreload.
The current number of websites that are based on Laravel is 102,048, the market share is 1.32%. At the time of writing this text (May 2018), there are 3,443 websites added and 1,576 websites were dropped (or 45.77% of all websites that was added in May).
Let's take a look at some charts:
Alexa top 1M
As we can see, Laravel holds the strong 3rd together with Raven.js. Jquery 2.1.1 and Ruby on Rails are far above the sky by a factor of more than 1.5.
Let's use our “microscope” and set up our zoom x10:
Alexa top 100k
According to this cross-section of the top global sites, Laravel feels more confident and goes nose to nose along with top dogs like Vue.js and Express.
Let’s take a look at some of Django’s charts:
Alexa top 1M
Looks like Django is settled just between Vue.js and Laravel.
Alexa top 10k
In this sample Django shows a good result, sharing its position with Vue.js and Express, not so far away from Raven.js. Unfortunately, Laravel is not in this top six club.
What about the freelance market?
Budget: less than $100
$100 - $500
$500 - $1,000
$1,000 - $5,000
Developers found (hourly $)
(12,441 independent freelancers \ 1,006 agencies)
(24,425 independent freelancers \ 4,120 agencies)
$10 and below
$10 - $30
$30 - $60
$60 & above
Python is quite fast language, that's why Django can be considered as a pretty fast framework. Let's take a look at benchmark:
* represented numbers here are requests per second during tests.
Here you can consult the next benchmarks:
As we can see, Django is pretty fast and demonstrates its speed in each and every test.
Both Laravel and Django widely used software, but like any framework, they have their own significant vulnerabilities. Both of these frameworks can be extended with a wide range of app plugins for additional functionality. Despite the fact that Laravel is not that popular in terms of open source projects, Laravel and Django can be attacked from different vectors.
The application layers are the exact target for hackers, so if you are running full stack PHP or Python, note that they have their own vulnerabilities, nearly incomparable to other languages and their frameworks.
Let’s take 8 examples for each framework and let’s start with Django!
Django security vulnerabilities
Session Modification. (Django 1.2.7 and 1.3.X until 1.3.1). Probably your session details are contained in the cache, in this case, root namespacing is simultaneously used by app-data keys and session identifiers. Hacker can modify that session with a key, which is equal to the identifier of your session;
Cache Poisoning. (Django 1.4 and 1.5.x (with further exceptions)). Such penetration can occur, if you insert incorrect data into cache that is related to a DNS resolver. Because of it, nameserver can provide wrong destination or IP address. Mentioned versions of Django do not include (properly) the Vary: Cookie. It is a cache-control header in your response. Due to this fact, hacker can poison the cache and\or obtain your information;
Session Hijacking. (Django 1.4.14, and 1.5.X). Such attack allows attacker to get an unauthorized access to your system via session data, related to other user. If users are using contrib.auth.backends.RemoteUserBackend, they can hijack web session with ‘REMOTE_USER’ header related vectors.
DoS Attack with Unspecified Vectors (Django 1.8.X +). DoS is for Denial of Service, e.g. attacker brings down your website or network via data packets flood. Mentioned versions of Django come with validators.URLValidator that allow a hacker to cause a CPU consumption with unspecified vectors.
Type Conversion Vulnerability. (Django before 1.4.11 and after 1.5.X). Mentioned versions do not properly perform next type conversions:
Due to this fact, attacker can get access to unspecified vectors that are related to MySQL.
Arbitrary URL Generation. (Django 1.3.X +). Because of function called django.http.HttpRequest.get_host, hacker can display and generate arbitrary URLs with crafted password and username.
Directory Traversal. (Django 1.1.X, 1.2.X). These versions weakness allows hacker to read and\or execute with a ‘/’ character in a session code’s cookie that is related to session replays.
CSRF: Forged Requests. (Django 1.2.7, 1.3.X, except 1.3.1). This attack forces the browser to perform any action on another site, where user is signed in. These versions of Django come with a weak CSRF protection. This protection doesn’t handel server configurations properly, so remote attacker can trigger forged requests by web page, which contains JS code and vectors, including DNS CHAME record.
Laravel security vulnerabilities
1. file_get_contents(). With this simple function, intruder can get content of your file:
However, if attacker wants to go further, he can get file name from the server:
With this function, intruder can read file from the server and get its content.
It’s quite difficult to detect this vulnerability, so be careful!
2. Double form submission. Your PHP script can be executed twice because of double-click on the submit button. Needless to say that it can result in big problems.
3. File upload into public_html. Basically, intruder can upload executable file (.php, for example) into public_html. Let’s leave possible consequences on your imagination.
4. ZIP bomb. There are websites, where you can upload .zip archives, then you can extract it and do whatever you want with those files. The trick is that you basically can upload archive that takes only 40 KB, which grows up to 4506742 GB of space. Sounds like a nuclear explosion inside your server, right?
5. CSRF. Just like Django, Laravel has some weak points when it comes to cross site request forgery. Image a picture that there is a link on the website, with which user can remove his account, like that:
… and what will happen, if hacker will post some comment on the website… something like this:
If user clicks the link, he’ll delete his own account.
6. ClickJacking. This one is aimed to make user click where he definitely don’t want. Like the invisible Twitter retweet button just on top of “login” button.
7. Injected SQL. The most famous vulnerability. Hacker can input his own SQL right into your code. If you have something like this one:
And if anyone enter this into e-mail field: 1 OR 1. The query will change and look like this:
In other words, we’re just deleted each and every post for each and every user.
8. Cross Site Scripting. It kinda looks like a previous section. You can inject JS\HTML code into HTML page. For example, if we’ll look at the search engine page (like Bing or Google), the result page will show what you are looking for:
If hacker enters this:
Looks like both of Django and Laravel have their own security issues, but it is possible to protect your website in the best way possible. Safety first!
We decided to pick the trickiest part, so we can relax lately. In the case of Laravel and Django, it was difficult to understand, which one is easier to start with. I'll try to sort out features that play a central role.
Templating is pretty simple with these frameworks, due to the fact that both of them provide well-made templating engine.
Routing is an important aspect that is provided by backend framework. In the case of Django, it could be pretty harder (you have to learn about regular expressions). With Laravel, you can simplify your work with routes. Let's take a look at simple examples:
You can use Laravel and create an API in a simple way. It returns JSON format for any database query. Furthermore, developer can separate his API endpoints, if he places the routes in another file, which is provided by Laravel.
With Django, you have to use REST framework if you want to work with structures that allow you to create API.
The project structure is well-made for in both Django and Laravel, with one little exception: Django offers you separate directories for your applications. Which is not provided by Laravel.
Speaking of features. As I mentioned in the previous section, it could be difficult to create API with Django. But, you are free to use its built-in decorators, such as has_permission, require_POST, and login_required. Another one feature – is the admin application that allows user to build a site area in automatic mode, as well as view, create, delete or modify current records. This may help you speed up your development!
Laravel comes with an elegant ORM (object-oriented mapper). It also has a neat bundle modular packaging system and different dependencies. These will help you modify and update your applications, especially when it comes to Laravel 3.
The bottom line
Basically, this article was more about the advantages and disadvantages of PHP and Python, their frameworks acting as a collective image. We learned that Django helps developer create and launch his platform quickly, without the mess. It is also well-secured and protects from SQL injections, clickjacking, cross-site scripting, etc. Meanwhile, Laravel has a low barrier to entry for beginners, especially when it comes to routing, where Django has a weaker position.
As I always recommend: try both! But now you (I hope, at least) understand how they differ and what is worth drawing attention. Remember, Django is mature, well-made and stable, but a little bit conservative. Laravel is younger and still goes through growing period.