"Little Johnny Tables". Um, yes, that was "Little Bobby Tables" [1]. Obviously not a big deal, but it seems emblematic of how sloppy this piece is. The article confuses – seemingly willfully, since Paul Vixie should know better – the concepts of dynamic language, dynamic page generation, lack of proper input hygiene, and various other orthogonal issues. The argument that dynamic languages are less secure depends an awful lot on the language – I don't think anyone is going to buy that C is more secure than Python. Haskell vs Python? Now that's a debate to be had. Certainly, websites that do no dynamic content generation are probably more secure – but then you're stuck with the Internet circa 1993. And of course, nobody is in favor not sanitizing inputs properly.
> The article confuses [...] the concepts of dynamic language, dynamic page generation, lack of proper input hygiene, and various other orthogonal issues.
One of the implicit point of the article (that maybe shouldn't be implicit) is that these issues are not, in fact, orthogonal.
For example this:
Most of the computer languages used to write web applications such as DCMS systems contain a feature called eval, where programming instructions can be deliberately promoted from data to code at runtime.
In other words, proper input hygiene is a problem because you're dealing with a language that allows execution of data (i.e. a dynamic language).
I was talking about which is more secure. The real point is that this isn't a static vs. dynamic language issue: C and C++ are static and full of terrifying security traps; Haskell is static and it isn't. Since C and C++ are the most commonly used static languages, and they are much less secure than the most commonly used dynamic languages, it's questionable to claim – without additional elaboration – that static is more secure than dynamic.
C++, especially when using features provided by the newest standards (C++11 and C++14), cannot be likened to C in terms of security problems. In theory, yes, it's backward compatible with C so any security issues present in C can be reconstructed in C++, but using managed pointers, standard containers, RTTI and other features can considerably reduce the attack surface... but I'd argue that not a great amount of applications could benefit from being written in C++ vs. some safer language.
> using [...modern C++ features...] can considerably reduce the attack surface...
I'd argue the remaining attack surface is still wide enough to drive a shuttle crawler-transporter through. Even if your core code is perfectly tricked out with best practices, you're going to inter-operate with 3rd party APIs with C style interfaces at some point - and that means raw pointers, rolling your own containers / RAII wrappers, etc.
He's trying to pick on Paul Vixie for such a irrelevant detail. The fact that he had to mention it to boost his ego makes the rest of his post not worth reading.
edit: I also enjoy the reaction of HN readers. It's fun. People take this site too seriously.
Absolutely; he's right. You should not mix data and code. That's the reason why my own site(s) are all static, and my website does not look like it's from 1993. (just kidding, it does intentionally, but my blog is Pelican)
You can still write a static site that talks to a database and can accept form input for users to login and do things. It's not impossible. There's no reason to require every page view to be dynamically generated. We invented countless types of caching software to make dynamic sites as static as possible! Why is it illogical to rip out the dynamic piece altogether and use a static site generator for (nearly) everything? Why does every page view have to hit a language interpreter or virtual machine? It doesn't!
It shouldn't!
Do people believe that websites can't use databases without being dynamic? That's the only explanation I have here.
edit: I have seen the other end of the spectrum -- a 10 million line PL/SQL CMS that dynamically generates the entire website -- HTML, JS, CSS -- from an Oracle database. Even the static content was in the database as blobs! Everything served through the Oracle Application Server (Apache with mod_plsql or mod_owa, which rarely got updates) and had no chance of scaling well. But people paid out the ass to license it!
Calling any Turing complete language "more secure" is probably nonsense. It is possible to write secure applications in C, and it is possible to directly pipe attacker controlled input to a shell in Haskell.
I know a total of zero working security researchers who think C is just as safe as Scala.
The obvious flaw in your example: you can exec a program unsafely in both C and in Scala, but only in C can you do it accidentally simply by idiomatically copying a string from one place to another.
My claim is not that C is just as safe as Scala, my claim is that the comparison is only valid if you do not think too hard about it. If you implicitly assume some web app, not too experienced programmers and a typical budget, then Scala is less likely to contain remote code execution bugs. But if you worry about timing attacks, then it looks a lot better for C.
FWIW, idiomatically copying a string in C is done using strncpy, and that doesn't introduce any RCE bugs. I would not in my right mind defend the premise that C is just as safe as Scala, but the truth is that sloppy programming can do harm in every language imaginable. It just becomes about damage control.
Even when you don't get it wrong (i.e., no out-of-bounds writes), you can still get out-of-bounds reads because strncpy does not always null-terminate strings. C strings suck.
History says that security is a process, not a product (or artifact). I get it that C can be difficult. Pointers allow NULL dereferencing and use-after-free, strings are open to poor handling, etc. That said: we have OpenBSD w/ their re-written string/memory management and static and dynamic analysis tools with decades of development behind them.
I'm more hesitant to crucify C than I feel others are... are we throwing out the baby with the bathwater ?
To your comment -- that a C program is probably not secure -- most code written (regardless of language) is probably junk, with different classes of errors. Its tough.
A lot of people already knew that stuff on one level or another anyhow, but it's helpful to spell it out sometimes and bring subconscious feelings up to the conscious level.
I'm not concerned if a web app or a shopping cart is dynamic. But I see dynamic blogs all the time. Blogs with no comment system, or one that's used infrequently. What's the point of making that dynamic?
While I'm on the subject, can anyone tell me the reasoning behind loading blog content with javascript? I hate when I visit a blog with no script turn on, and get greeted by a blank template. Why does it need javascript to grab the page content?
The point of making a blog dynamic is so a non-technical user can easily manage the content via a dashboard. I'm a big fan of static site generators (which is what I presume you're inferring people should use for blogs instead of wordpress et al), but it is silly to think that uploading markdown files to a server is a reasonable workflow for most non-programmers.
As for loading content with javascript -- I totally agree, this bugs the shit out of me. Also, I browse with cookies disabled by default and it is always frustrating when a site that is only serving content doesn't load properly without cookies. wtf?!
I'm not advocating static page generators that use markdown. Far from it. I used to use a blog platform called Movable Type. It was just as easy to use as WordPress but it generated static pages. You'd make changes in the back end, click publish, and Movable Type would generate a new static page to serve up.
You can make WordPress generate static pages too. They have plugins for that.
ahh, I see what you mean. Yeah, if you don't have comments or other interactive functionality then generating static pages from your data + templates is great.
That being said, in my experience, most sites have at least some interactivity... even if the primary content isn't. Comments are still pretty standard on most blogs (disqus can be an option, but now you're back to the "why does this require javascript when it doesn't really need to?" problem). Surveys and polls have fallen out of fashion (fortunately), but that's another example. Also, contact forms are a big one (and yeah, there are other options like embedding wufoo or using a form-handling service like Brace Forms, but now we're talking about off-loading a lot of functionality to other services).
As a developer, there are a lot of things about wordpress that I don't like... but I cannot argue that for someone who is not a programmer but likes to tinker, it gives you a ton of functionality out-of-the-box or with plugins. It's the last thing I'd want to use personally, but I think this is the appeal of dynamic sites -- it gives you the flexibility to add all sorts of unrelated crap really easily.
I used MT for years. Versions 4 and 5 had various problems, coincidental with various changes at the parent company, SixApart. (At one time they had three blogging products: Vox, TypePad, and MT.)
I've been searching for a suitable replacement ever since MT 4. I tried to switch to WordPress but hated it. Maybe just preferences, but I've never warmed to WP, in spite of trying each new version that launches.
I see that Byrne Reese, former SixApart employee and co-founder of the MT-based OpenMelody project, is now using Ghost.io for his blog. That's the system I'm testing now as well. (Have used Tumblr in the meantime, with some success.)
The more resources you can cache fully (like the template) the fewer round trips you need to make and/or the shorter those round trips become. It's always the latency that slows us down (by definition), which is why even modern processors have sophisticated cache layers and branch prediction. The further from the CPU the resource is, the slower the interaction will be.
This debate is interesting and a bit funny to me because it's very similar to the old dumb terminal vs personal computer debate. We've swung back to the mainframe, except now it's distributed and we call it the cloud.
My prediction (take it or leave it) is that we'll soon be swung all the way back to dynamic client-side sites. And then eventually back to the quantum cloud (heh, "Electron Cloud"). Or something new and more powerful than whatever sits in our pocket or on our desk.
Thanks for answering my question. Would you mind clarifying it for me?
If your blog has a reusable template, wouldn't the images, fonts, and stylesheets that are part of the template get cached on the user's computer, regardless of whether it was dynamic or static?
Or are you talking about caching things serverside?
I think he means that you can cache the majority of the page (including the HTML template) and then substitute in just the data (usually coming from JSON). I don't buy that it's more efficient personally. I'd rather resend a lightweight page on every time then force the browser to download it all, load the JS, then build a page and have the browser draw that.
It seems to me that single-page apps are great when you aren't leaving the page and have a lot of navigation, but overkill for a blog.
I am rather interested in react+react-router though. That seems like the best of both worlds -- render serverside, then render deltas clientside.
There's one technology, available everywhere including most toasters, which allows you to do this (cache HTML template and just substitute the data) and it can work on both back- and frontend with no problems, is crazy fast and even leaves you with something readable when it breaks.
It's called XML with XSLT.
Somehow it isn't very popular. But hey, we got this idea of "rendering pages on the backend or the frontend (or both)" from the same code lately!
Also, fast compared to what? Many options are fast if all you do is replacing some values. Static pages can just be written out from memory or disk, a whole nother level of fast :)
I’ve gone down this rabbit hole and aside from fluid navigation, it isn’t worth the hassle. Since the content is largely text which will be transformed into HTML (before or after being sent down the pipe), the size difference is mostly negligible.
Time is better spent cleaning up the critical rendering path, deferring styles and scripts.
I've been an evangelist of static sites for a while. With over 15 yrs of experience doing sites I started in static and saw the "dynamic movement" born and grow (at some point I even programmed my own DCMS!); in most cases the motivation to install a DCMS was that the client wanted to update content in-house instead of paying a webmaster (a sound business idea?) but the reality is that even when using a dead simple DCMS clients always find it difficult to run it and still contact the webmaster. Furthermore, the vast majority of sites are seldom or never updated so having the 'kick me' sign in those cases is nosense. I guess a strong selling point of DCMS that made us all buy in even knowing that it was a bad idea where themes and plugins! So many of them, so nice looking, cross-browser tested and so easy to install. Clients where über happy with the end product.
So a couple of years ago I decided to do static sites for ALL my clients (there may be dynamic components that I normally implement with a back-end data service). I still have a few dozen sites and web apps with DCMS but the goal is to migrate them as well.
The best mix may be a (hosted) dynamic editor that generates and deploys the static site. Have you considered this solution? It probably won't eliminate the need for a webmaster, but it should help reduce the requests for small changes while keeping the benefits of the static site.
I think I tried a blog engine once that did this. Maybe it was https://movabletype.org/ ? In any case, I really wish more people/tools employed this strategy.
I think more devs will adopt it when we have plugins and themes that can be installed with a click! So far I have been able to adapt HTML themes to a front-end MVC (Angular or Backbone) but it is a long manual process...
Yes I agree, that is what I use now, in fact I have an additional layer: the static CMS generates JSON that in turn is fed to an front end MVC to render the pages. Assets are uploaded to AWS so I can use/reuse them. I am also serving sites directly from AWS S3 so there is no server to deal with at all. Everything dynamic can be done with SAAS/PAAS (comments, email, form collection, etc). Any static CMS that you recommend? I am using a (very limited) house blend for now, I call it Statico ;)
I agree, this way seems the best. The reason people like WordPress so much is because it abstracts away everything except writing content. Users don't care how the site is served (and most nontechnical users won't even know).
Ok, I understand that there's reasons for using static pages, but I don't get the feeling this guy really understands what he's talking about.
> Even if [..] and there's nothing like bash installed on the same computer as the web server
Bash installed? Huh? Why Bash exactly? I feel mentioning jails or containers here would be more on point..
> This is because every DCMS page view involves running a few tiny bits of software on your web server, rather than just returning the contents of some files that were generated earlier.
Sure, but guess how those pages are returned? By running code on the server..
It seems like hes real beef is with "dynamic" (vs staic) sites, but he keeps mentioning CMS's for some reasons (ike you can't can have "dynamic" sites witjout a cms)
> The web server executes no code on behalf of a viewer until that viewer has logged in..
1) Of course it does, 2) How do the site check your info without executing code? :)
etc etc..
There's a case for static sites, but this post just confuses things.
> Sure, but guess how those pages are returned? By running code on the server..
Yes, but by running static code.
> > The web server executes no code on behalf of a viewer until that viewer has logged in..
> 1) Of course it does, 2) How do the site check your info without executing code? :)
Again, static code.
So his point is not that we shouldn't run code at all, but that we shouldn't run code that heavily processes user inputs, or worse, evaluate generated code as DCMSs sometimes do.
Of course you can argue the no code is truly static, because it depends on the user input, but I don't think this is what you're arguing here.
> of course you can argue [that] no code is truly static
what the hell is static code? Static has very specific meanings in different technical contexts (static pages, static allocation, static scoping, etc), but I've never heard someone refer to static code.
Can you give me an example of code that is and isn't static by your definition?
Dynamicity usually refers to the fact that you can execute code that wasn't fully specified at runtime.
Lisp code is the stereotypical example of a dynamic programming language because it can update its own code while being executed.
On the other hand, compiled C code is static because the code is loaded into memory and cannot be changed during the execution (as a matter of fact, the memory pages holding the code don't have even have write permissions).
Btw, you can make it more dynamic by enabling dynamic libraries or modules which make the whole thing less secure.
In a static program, you can only execute code that was originally provided (at least in theory), that makes it harder to accidentally execute a piece of code provided by the user as input.
Back to our problem: A dynamic website will typically take user input (e.g. the user name) and build a personalized view of the webpage for the user. To achieve this, the page will probably contain a SQL query with a 'name' field. If the inputs are not properly sanitized, the field can contain anything including SQL code. If the user is malicious, you have a SQL injection (i.e. the user can execute an arbitrary query). What happened is that you've executed code provided by the user.
> Dynamicity usually refers to the fact that you can execute code that wasn't fully specified at runtime.
As in eval()'ing code based on user input? That's pretty crazy, and I don't think (hope) a lot of real world security problems are caused by that!
> Back to our problem: A dynamic website will typically take user input (e.g. the user name) and build a personalized view of the webpage for the user
But this has little to do with the language, right? Now we're are talking about handling user input, which can be dangerous. The OP seems to get this confused as well, which is one of the reasons I claim he's not exactly an expert.
A TLDR of the original article: "Handling user input can be dangerous, it's safer if you don't." But we already knew that...
As far as eval()ing user input, well, just grep your code for eval(), no need to change language.
> As in eval()'ing code based on user input? That's pretty crazy, and I don't think (hope) a lot of real world security problems are caused by that!
His claim is that the mere fact that the language contains an "eval()" function (which is a feature of dynamic languages) inevitably increases the risk.
Quoting:
Most of the computer languages used to write web applications such as DCMS systems contain a feature called eval, where programming instructions can be deliberately promoted from data to code at runtime. [...] but when it is left accessible to unskilled or malicious users, eval is a recipe for disaster.
> A TLDR of the original article: "Handling user input can be dangerous, it's safer if you don't." But we already knew that...
I would say:
1. DCMS are bad for public facing webserver because they process user inputs with a language that supports function as powerful as "eval".
2. DCMS are bad for public facing webserver because they run slow interpreted which is "1000 times" slower and enable DDOS
None of the things on that wikipedia page makes me think he actually knows anything about web servers. Sure, he obviously should know about some of the things that make the internet work (BIND, cron, etc) but nothing on there has anything to do with making web sites. All of it is about the infrastructure.
Either this article is filled with intentional hyperbole, or this guy doesn't know what he's talking about when it comes to serving web pages.
Ordinarily I'd be bristling at a comment like this, but you are articulating some stuff --- a little rudely, but still --- that I believe about Vixie as well. I won't pretend not to have noticed and let you take all the heat. Paul Vixie's reputation among software security people is a little bit fraught.
Maybe, but doesn't that require that the attacker can set ENV variables for the executed bash command? I'm sure it happens, but it seems unlikely to be a major concern for most dynamic sites?
(I'm not arguing against the notion that static sites can be more secure, just that the article is bad ;)
I don't know a lot about it but I do remember reading that if you are using bash to process CGI or bash is spawned by a process that is handling CGI then the env is augmented with variables containing the contents of the http headers sent back by the client - thus giving an attacker a way to add to the environemnt.
Again, I'm a bit sketchy on the details. We mitigated this on one server we have where it might have been an issue by simply disabling bash and sym linking sh to pdksh.
And, yeah, the article does seem a bit schizophrenic...
High traffic and high volume sites driven by CMSes, like newspapers, tv stations, etc., largely cannot rely on static files to deliver their content. Rather, they use caching layers for speed and security. There are two better ways to improve security for sites like these, which are highly targeted and poor candidates for static sites:
1) Use a headless CMS. WordPress on the backend that provides and API which is consumed by a Node app, for example.
2) Shift any user-facing dynamic feature off the CMS. Commenting, login, subscription management, etc., can be handled by purpose-built apps that tie into the CMS-driven site via Javascript, preserving the security and cacheability of the CMS.
That's not to say that it's impossible to drive a large-scale news site with static files. I believe CNN does exactly that with their in-house CMS. But no open-source CMS that generates static files is powerful enough to use in a newsroom context, or popular enough to gain traction.
It's simply a matter of inversion. Is the page generation and publication performed upon each change (by editors/authors/etc) or upon each access? Obviously, the former is much more efficient, even for frequent changes, and even across millions of data points. (Just ask Twitter).
Just because we don't really have common, enterprise-grade authoring tools for non-technical people that publish static sites anymore doesn't mean that it's not the better way.
There is a minimal difference between a webserver serving static pages and a caching server serving static content. When you get down to it caching is simply a more flexable approach to the classic (autoring tool) -> static webpage approach. In many ways the only difference is the authoring tool is a website not a stand alone program.
Caching is usually done on demand, though, not ahead of time. That means the dynamic portion is still launched by the request, which increases the probability of security flaws being exploited.
In other words, some fraction of the requests are responded to dynamically and then the result is cached. That dynamic nature can be exploited. Site search engines, etc, are also often (but not always) dynamic, server-generated results that have a greater likelihood of exploits via XSS, CSRF, SQL Injection, etc. Login forms almost always require server interaction and are great targets.
(I say "almost" because REST interactions might be stateless and thus login forms really just serve to generate an access token and verify that it's working; this is how Userify works, for instance. It's still theoretically more exploitable than pure static files, but it raises the bar quite a bit.)
I think problem is that current dynamic websites are sort of crippled already. Right now even simple shopping app requires UI based on HTML + web. Not a chance to use command line, some automated devices etc... In future we might see radically simplified protocols/webservices for more universal access.
I hear what you're saying, but it doesn't have to be so.
All of the web apps I make at work are all javascript in a page apps. But before I start doing any of that, I make a REST API. 100% of the interaction between javascript and the web server is REST.
There are many reasons for this, but a key one is that it allows easy command-line or programatic interaction. Much easier than with traditional, server generated web apps.
Same here. Increasingly products I work on do almost no server side templating; frontend templates call REST services that I can test with curl, postman, or other tools.
Not really, you can achieve this using a Rails (or rails-like thing like Play) very easily and use in their built CSRF, SSL, etc. but this type of design also makes it easy to build from scratch (which may lead you down the path of reinventing things).
SPA + restful endpoints makes it easy to pick a library centric approach vs. a framework approach but it certainly does not preclude you from using a framework.
I guess people who disable javascript don't get to use your site...but I don't really care about that segment of the population.
OTOH I'd say currently balance is heavily skewed to needless dynamism. You cannot get some trivial page without JS enabled and god only knows what's going on on the server.
I'd love to see how different people solve the highly dynamic plus static problem.
This usually boils down to the shopping cart and checkout example... you can always attack the checkout process as it is a unique, dynamic part of the process that no web store wishes to ever be unavailable.
How does one "go static" with web applications that by necessity involve interactions with datastores?
The idea is not that everything need to be static - some contents are by nature updated too fast, or too often, to be static. Still, there's lot of page that could be pre generated since the content of the datastore itself is not evolving a lot.
Most blog could use a static blog generator for example, with the comment being the only dynamic part - and a lot of cms page too ! Pre baking stuff is so much easier, faster, and cleaner.
True. My personal site is static (generated with Hakyll), and uses Disqus for comments (only because I haven't yet seen a simple, self-hosted alternative which has been battle-tested).
I work on a statically generated site in which the comment form simply feeds back into the generation workflow. It's certainly not 'battle tested', but it has the advantage that a) we get to own the comments rather than giving them to someone else b) everyone can partake in the discussion c) much less demand on the client when rendering
Many dynamic things can be accomplished client-side these days. I see no problem with that, as long as it degrades gracefully to some default fallback.
In other cases, it's probably best to have each stateful system as an isolated component. For example, having a dynamic checkout doesn't require the news section to be dynamic. In fact, if you can isolate components like your checkout, you may be able to have someone else manage it for you. For example, at a previous job we used FoxyCart to deal with online checkouts; we just embedded specially-crafted URLs into our pages (although those pages were still running in Drupal!).
There was a submission briefly on the front page here where someone was proclaiming security by not using c/c++ for projects, yet, they left their blog comments and site wide open for some idiots who have already tried to post silly comments with JS popups.
I guess maybe we need people to use static sites, like trainer wheels on bikes, until they become more security concious.
Security is additive: the more precautions you take, the more secure you'll be. Avoiding C/C++ when safer, higher-level languages could be used is one example. Escaping Web site comments is another. Doing both is best, but either on its own is still better than neither.
Becoming "security concious"[sic] doesn't mean outgrowing best practices. If Bruce Schneier used "password" as his password, he wouldn't avoid getting attacked just because he knew it was a bad practice. Likewise, understanding the tradeoffs between static and dynamic Web sites doesn't make someone's dynamic site secure.
As the article points out, even a locked-down, well-tuned dynamic site with CAPTCHA-protected registration forms is orders of magnitude easier to bring down with DDoS attacks, since dynamic sites must perform more work per request, eg. to render "Hello CaptchaFarmUser99999" at the top of the page. If they don't need to perform more work per request, since all pages are always fully cached, then you've just re-invented static sites :)
Startup idea, free for the taking: create a service that "ossifies" dynamic websites into static HTML.
(By ossify, I mean to take something dynamic and make it static).
For example, that WordPress site you commissioned for a movie 3 years ago? Its a huge liability, but you don't have to take it offline - just ossify it. No one is updating that blog anymore!
Under the hood, it would basically be a crawler, and the deliverable would be a zip file containing a 1-to-1, static copy of their website with all URLs still working. I suspect most folks here could whip up a shitty proof of concept in 48 hours.
If someone does this, email me! I have a couple of potential clients for you (I'm a former consultant, with lots of WordPress sites in my history).
--convert-links
After the download is complete, convert the links in the document
to make them suitable for local viewing. This affects not only the
visible hyperlinks, but any part of the document that links to
external content, such as embedded images, links to style sheets,
hyperlinks to non-HTML content, etc.
The links to files that have been downloaded by Wget will be
changed to refer to the file they point to as a relative link.
Example: if the downloaded file /foo/doc.html links to
/bar/img.gif, also downloaded, then the link in doc.html will
be modified to point to ../bar/img.gif. This kind of
transformation works reliably for arbitrary combinations of
directories.
This is already a product that exists many times over. Besides the aforementioned wget, I've recommended less technical users to SiteSucker, a Mac/iOS app.
I'd be happy to bill your clients to do it for them though!
Yes! It would be like the Wayback machine as a service, but with some key differences:
1) The intention is that you replace your dynamic site with the static copy, but your visitors are none the wiser. All URLs are the same, as well as the content returned. Might require some .htaccess trickery.
2) It would have to preserve all the images, css, and other assets, some possibly hotlinked. (The Wayback Machine is not awesome at this, understandably)
And there we have it. Security needs stability, stability decreases on a daily basis. We can't have that traditional kind of security. We need to move on to a more proactive way of thinking.
Static site is more secure only if the server is also up-to-date and setup properly to trim down all unnecessary options. Putting static site on a general purpose apache installation that will happily serve PHP and CGIs from user home dirs is not such a big security improvement.
Also, in times of SPAs, LocalStorage, WebRTC, Parse and FireBase you can sprinkle your static web-sites with some dynamic functionality, when needed...
I used Google Site Search (https://www.google.com/work/search/products/gss.html), which starts at $100 per year. Outsource all that infrastructure to a company who's good at it, park your static HTML on a CDN, and enjoy fast worldwide access with searchable content.
That's not the only option, but it's a boss-friendly company to name drop. Most organizations wouldn't blink at the price, especially if it means you can move off dynamic hosting to far cheaper static hosting.
A simple SQL query is not a great solution even for dynamic sites that pull content from SQL databases. You have to protect against SQL injection and you usually will want fulltext indices for all the text fields to be searched. It's also going to be slow in the naive implementation for databases of any significant size.
The better solution for both dynamic and static sites is to set up a search appliance like elasticsearch, solr, or algolia. You can use JS to query it and still be static on the server.
If you do set up your own, remember to use a reverse proxy like nginx to avoid exposing elasticsearch directly to the internet.
I'm going to say that the bigger problem in dynamic languages isn't that they are dynamic. It's that they have weak, nonexistant, or very undeveloped mechanisms for creating strong communication protocols that you can depend on as safe or reliable.
Take the classic case of SQL injection. You have string input into your system that turns into string input into a SQL query that turns into string input to a database. That is dangerous because if you don't check on what the input string contains, it might contain nothing, or a semicolon, or it might not be a string at all!
We understand that putting a string direct into a SQL statement is dangerous at this point, but we have yet to fix its root cause - nonexistant protocols or boundaries in most code we write.
What a static language changes in that regard is compiler checked type signatures on your code. That generally stops you from say passing an Integer into something that needs a String. That solves a certain class of problems for sure, and the complier does it for you every time you change your code, so there is a convenience there.
What static typing doesn't give you is actual data correctness. Things like buffer overflows or SQL injection can still happen with static typing. You could use a language like Scala or Haskell to have stronger/more complex types that would have more distinct notion of value correctness and at that point the complier would be doing most of the work to ensure your program is correct.
Leaning on a type system in that regard is basically turning your types into the protocols that determine correctness in your system.
It is also possible to lean on stronger protocols that check messages in a dynamic languages to achieve largely the same thing.
In the end, to write safe, high quality software, you need to define the communication protocols between methods/functions/routines/services and enforce them much as you would with an externally facing REST api.
The difference between a dynamic system with dynamic protocol checking vs a static system with compiler type checking is the mechanism you are using to enforce the protocol and how easy it is to interact with it.
Dynamic systems might be easier to interface with externally because you don't have to understand a complex type, just pass a Hash/Dictionary sort of like a JSON API, vs a static system where you need to use the right types and so on, similar to a SOAP/WSDL API.
Performance is also a consideration, but really when you compare static vs dynamic, it is important to understand that at the end of the day you can write Ruby/Python/PHP that is functionally equivalent to C/C++/Java. They are all ultimately going to be able to do the same kinds of things.
The tradeoff is in how they solve the problem and how well that fits with the team writing the software.
Did you read the article? It's about static vs. dynamic site generation. It mentions eval() in a passing, but it's not about dynamic vs. static typing.
[1] http://xkcd.com/327/