PHP the Module vs PHP the CGI Script

Some debates seem to have no end. Which came first, the chicken or the egg? Team Edward or Team Jacob? Paper or Plastic? In the world of dedicated servers, the ongoing debate is whether to use PHP as an Apache module or as a separate CGI script.

The current trend with most web hosting companies seems to be to use PHP as CGI, mainly because of the security benefits. PHP as an Apache module, on the other hand, offers faster, more easily configurable performance.

When PHP runs as an Apache module, it is compiled into the Apache code itself. This means, when an Apache process starts, PHP starts along with it. They are intrinsically linked, and PHP depends on Apache to operate. The benefit of this is that Apache tends to run very efficiently, and PHP is part of each Apache process. Furthermore, Apache configuration, particularly when using .htaccess files, can also be used to control PHP functions.

The downside of PHP as a module is also that it is part of Apache. If PHP goes down, so too goes Apache. This makes it more of a security risk, particularly on shared hosting accounts.

PHP as a CGI script means that PHP operates as an independent binary with its own processes. It is separate from Apache and can, therefore, run as another user, rather than Apache’s generic user. This increases security and adds a bit of stability, at the expense of speed.

Aside from being slower, the other downside of PHP as CGI is that users cannot use .htaccess files to control any PHP functionality. For that they must create their own php.ini files.

A Linux system administrator can configure a server to run PHP either way or both ways at the same time. When running a server with only a single web site (or a single dedicated server account), PHP as a module makes sense, as the security risk is not really a factor. When offering shared hosting accounts, it makes more sense to run PHP as a CGI script, unless there is a legitimate reason not to do so.