I think there is a procedure in PHP to make sure that the input would not be parsed as PHP script.The same thing which is used to prevent SQL injection
Many open source project have similar software. If you want to develop something new, it must clear what is your advantage, otherwise it is better if you join the other open source project and contribute there.About your virtual desktop, I don't really get it. Why do we need virtual desktop?It is the same like linux file access policy, right??
It is depend on the problem you try to solveJSP offer complex and more secure technology, while PHP offers fast solution.If you need complex remote procedure call, you need JSP, but if you only need simple message and data delivery, PHP is for you
Decompiler can only generate the source. He/she can get the source of the applets, but cannot upload the new hacked applet to your server (unless he/she has access to your server ).