Re: Security - PHP Vs Java



On Feb 2, 10:46 am, himilecycl...@xxxxxxxxx wrote:
My State government organization has written a PHP/MySQL application
which has been in production for about 6 months and has been highly
successful.

We are now embarking on a similar database application, but one with
much higher security concerns (birth data). Prior to beginning the
project, we met with an oversight committee who strongly advised
against PHP and suggested Java. Their concern was that PHP could not
be trusted to handle the security of the data adequately.

My team have become fairly adept PHP programmers, but we know little
about security and other technical issues. None of us are familiar
with Java, and due to time constraints, we are very reluctant to make
such a drastic switch.

I have done some brief reading regarding PHP security and it looks
like a lot of steps can be taken to increase the security level.

Unfortunately, there appears to be quite a bias against PHP in our
organization, which will be responsible for hosting the application.
We will definitely be fighting an uphill battle, and are concerned
that even if we are able to stay with PHP, if there are future
security problems, we will really be in a bad position for having
stayed with it.

Any thoughts regarding this issue would be greatly appreciated. Is
Java inherently much more secure than PHP? If my team of 3 PHP
programmers were to make the switch to Java, about which we know
nothing, how much time would that add to the development of a mid-
sized application (realizing that that is a very general question)?

Many thanks!

Hello,

I'll mostly ignore the question regarding a migration to Java besides
these two thoughts:
- The comparison between security in Java and PHP is not a simple one,
and posting this question in only comp.lang.php is sure to give you
biased responses. Should you really want to pursue this topic, I
would, at the minimum, suggest you also post a question to a java
group (comp.lang.java.programmer perhaps?), if for no other reason than to
see the other "side of the coin". I would imagine that posters there
may be more in touch with Java security features, seeing as how many
of them depend on this.
- Writing a secure, well-written web application in Java is no small
feat for a team with little or no Java experience. Not knowing your
project time-line & budget constraints I cannot comment on how
feasible this is for your situation.


That said, before setting off to promote and defend your php
application, since you mention you will be hosting this application,
you should learn in great detail the intricacies of securing web
applications. Auditing your code for PHP security best practices, as
mentioned in other posts in this thread, is essential, but only the
start. Remember that writing secure code does not by itself make an
application secure. Reading and following all PHP security advisories
is also essential, as well as ensuring that the web server and
database installations are secure and up to date. Should the data be
compromised through a webserver/database vulnerability, neither Java
nor PHP could have saved you, but the security of your implementation
will have failed. Again avoiding the issue of whether PHP or Java is
more secure, it is currently possible to write a reasonably secure PHP
application. You are indeed fighting an uphill battle as early
versions of PHP, and the abundance of poorly written PHP scripts out
in the wild have given PHP a bad name in security conscious circles.

Hope that helps,
Carl.
