
Security - PHP Vs Java

My State government organization has written a PHP/MySQL application
which has been in production for about 6 months and has been highly
successful.

We are now embarking on a similar database application, but one with
much higher security concerns (birth data). Prior to beginning the
project, we met with an oversight committee who strongly advised
against PHP and suggested Java. Their concern was that PHP could not
be trusted to handle the security of the data adequately.

My team have become fairly adept PHP programmers, but we know little
about security and other technical issues. None of us are familiar
with Java, and due to time constraints, we are very reluctant to make
such a drastic switch.

I have done some brief reading regarding PHP security and it looks
like a lot of steps can be taken to increase the security level.

Unfortunately, there appers to be quite a bias against PHP in our
organization, which will be responsible for hosting the application.
We will definitely be fighting an uphill battle, and are concerned
that even if we are able to stay with PHP, if there are future
security problems, we will really be in a bad position for having
stayed with it.

Any thoughts regarding this issue would be greatly appreciated. Is
Java inherently much more secure than PHP? If my team of 3 PHP
programmers were to make the switch to Java, about which we know
nothing, how much time would that add to the development of a mid-
sized application (realizing that that is a very general question)?

Many thanks!

Feb 2 '07 #1
..oO(hi***********@yahoo.com)
>We are now embarking on a similar database application, but one with
>much higher security concerns (birth data). Prior to beginning the
>project, we met with an oversight committee who strongly advised
>against PHP and suggested Java. Their concern was that PHP could not
>be trusted to handle the security of the data adequately.
Improperly written Java classes cannot be trusted as well. Security is
not a language feature.
>My team have become fairly adept PHP programmers, but we know little
>about security and other technical issues. None of us are familiar
>with Java, and due to time constraints, we are very reluctant to make
>such a drastic switch.
>
>I have done some brief reading regarding PHP security and it looks
>like a lot of steps can be taken to increase the security level.
Exactly. You can write secure PHP apps as well as insecure Java apps.
You always have to know what you're doing, in every language.
>Unfortunately, there appears to be quite a bias against PHP in our
>organization, which will be responsible for hosting the application.
>We will definitely be fighting an uphill battle, and are concerned
>that even if we are able to stay with PHP, if there are future
>security problems, we will really be in a bad position for having
>stayed with it.
Just some general considerations:

* keep the PHP installation up-to-date
* turn off register_globals, magic quotes, short open tag
* set error_reporting to E_ALL while developing, turn off display_errors
on the production server and use a logfile instead
* don't trust anything outside the server, validate all input data,
recent PHP is shipped with an input filter extension that might come
in handy
* use prepared statements for database operations (PDO for example)
* always use proper escaping, for example htmlspecialchars() when
printing out data to an HTML page
* never show PHP- or DB-generated error messages, define your own error
messages or error pages if necessary
* ...

Micha
Feb 2 '07 #2
Michael Fesser wrote:
>* don't trust anything outside the server, validate all input data,
>recent PHP is shipped with an input filter extension that might come
>in handy
I hadn't heard that before.
What's that about?
Feb 2 '07 #3
hi***********@yahoo.com wrote:
>We are now embarking on a similar database application, but one with
>much higher security concerns (birth data). Prior to beginning the
>project, we met with an oversight committee who strongly advised
>against PHP and suggested Java. Their concern was that PHP could not
>be trusted to handle the security of the data adequately.
What were the reasons behind their advice? My concern is the following:
Why and how can a JVM be trusted more than a PHP runtime?
>My team have become fairly adept PHP programmers, but we know little
>about security and other technical issues. None of us are familiar
>with Java, and due to time constraints, we are very reluctant to make
>such a drastic switch.
Basically, if your team switches to Java they'll make more mistakes
(because of their lesser experience), and will thus deliver a less secure
application.
>If there are future
>security problems, we will really be in a bad position for having
>stayed with it.
And what will happen if you switch to LanguageX on platformY? Who will
be responsible for the security problems then?

Does the oversight committee really believe that it's the magic bullet?
If they truly stand behind their words, they'll gracefully accept the
offer to be considered responsible for eventual security problems if
anything goes wrong with the Java implementation.

--
Tim Van Wassenhove <url:http://www.timvw.be/>
Feb 2 '07 #4
On Feb 2, 10:46 am, himilecycl...@yahoo.com wrote:
>My State government organization has written a PHP/MySQL application
>which has been in production for about 6 months and has been highly
>successful.
>
>We are now embarking on a similar database application, but one with
>much higher security concerns (birth data). Prior to beginning the
>project, we met with an oversight committee who strongly advised
>against PHP and suggested Java. Their concern was that PHP could not
>be trusted to handle the security of the data adequately.
>
>My team have become fairly adept PHP programmers, but we know little
>about security and other technical issues. None of us are familiar
>with Java, and due to time constraints, we are very reluctant to make
>such a drastic switch.
>
>I have done some brief reading regarding PHP security and it looks
>like a lot of steps can be taken to increase the security level.
>
>Unfortunately, there appears to be quite a bias against PHP in our
>organization, which will be responsible for hosting the application.
>We will definitely be fighting an uphill battle, and are concerned
>that even if we are able to stay with PHP, if there are future
>security problems, we will really be in a bad position for having
>stayed with it.
>
>Any thoughts regarding this issue would be greatly appreciated. Is
>Java inherently much more secure than PHP? If my team of 3 PHP
>programmers were to make the switch to Java, about which we know
>nothing, how much time would that add to the development of a mid-
>sized application (realizing that that is a very general question)?
>
>Many thanks!
Hello,

I'll mostly ignore the question regarding a migration to Java besides
these two thoughts:
- The comparison between security in Java and PHP is not a simple one,
and posting this question in only comp.lang.php is sure to give you
biased responses. Should you really want to pursue this topic, I
would, at the minimum, suggest you also post a question to a java
group (comp.lang.java.programmer perhaps?); if for no other reason to
see the other "side of the coin". I would imagine that posters there
may be more in touch with Java security features, seeing as how many
of them depend on this.
- Writing a secure, well-written web application in Java is no small
feat for a team with little or no Java experience. Not knowing your
project time-line & budget constraints I cannot comment on how
feasible this is for your situation.
That said, before setting off to promote and defend your php
application, since you mention you will be hosting this application,
you should learn in great detail the intricacies of securing web
applications. Auditing your code for PHP security best practices, as
mentioned in other posts in this thread, is essential, but only the
start. Remember that writing secure code does not by itself make an
application secure. Reading and following all PHP security advisories
is also essential, as well as ensuring that the web server and
database installations are secure and up to date. Should the data be
compromised through a webserver/database vulnerability, neither Java
nor PHP could have saved you, but the security of your implementation
will have failed. Again avoiding the issue of whether PHP or Java is
more secure, it is currently possible to write a reasonably secure PHP
application. You are indeed fighting an uphill battle as early
versions of PHP, and the abundance of poorly written PHP scripts out
in the wild have given PHP a bad name in security conscious circles.

Hope that helps,
Carl.

Feb 2 '07 #5
hi***********@yahoo.com wrote:
>We are now embarking on a similar database application, but one with
>much higher security concerns (birth data). Prior to beginning the
>project, we met with an oversight committee who strongly advised
>against PHP and suggested Java. Their concern was that PHP could not
>be trusted to handle the security of the data adequately.
>
>My team have become fairly adept PHP programmers, but we know little
>about security and other technical issues. None of us are familiar
>with Java, and due to time constraints, we are very reluctant to make
>such a drastic switch.
I used to be a full time PHP programmer and now look after several Java
sites which should be highly secure (mostly they are).

The flavour of problems on the Java sites are quite different from what I
saw with PHP. Regarding security, certainly PHP exposes much more of the
outside world to the application, and if handled stupidly, you can
introduce bugs in your code. However, most professional PHP programmers
know how to avoid these things. To paraphrase Bjarne Stroustrup, it's more
a case of being able to shoot yourself in the foot rather than blowing
yourself up.

If you rely on a third party framework, it will almost inevitably be
open-source, and a relatively small amount of code. Therefore easy to audit
and manage.

Once you take away the dumb PHP stuff (like include($_GET['value'])...and I
can't think of anything else) all the things which can make a PHP
application insecure can also occur in Java applications: session
hijacking/fixation, cross site scripting attacks, SQL injection, Email
injection.... See also
http://www.owasp.org/index.php/Trust...22_language.3F

Switching to Java means other problems too. Firstly, instead of simply
sourcing a single third-party framework, you will find yourself working
with code from multiple different suppliers. Auditing the codebase is far
from practical. I wouldn't expect someone with less than about 4 years real
experience with developing Java applications to have a full understanding
of the development system. Performance management is a total PITA.

Coming from a PHP environment, I was frankly amazed at the amount of effort
involved in deploying releases and keeping the Java system up and running.

Newbies don't program in Java because of the horrendous learning curve even
getting as far as 'Hello World'.

Any idiot can program in PHP. The problem is that they frequently do. And
then publish their half-baked code on 'Hotscripts' or similar. After all,
if someone else wants to use it do they have to construct build files and
mount containers in the URL space?

For very large projects deployed on large clusters, built by large
development teams, Java has some advantages, particularly where there are
persistent interfaces to other systems. Java has better asynchronous
messaging out of the box, and more tools for stuff like profiling and CASE.
Java guys tend to jump on this - but I don't know anyone working on a
project of this kind. Certainly for small to mid-size projects (up to 1000
KLOC / 2 million hits / day) I'd say PHP has the productivity advantage.
And it's not just me - see Tim Bray's slides here
(http://www.tbray.org/talks/php.de.pdf) (Tim Bray is Director of Web
Technologies for Sun). For another comparison of productivity in both
systems - have a look for Bruce Eckel - a former Java author / evangelist
who now advocates for Python, PHP and Ruby.

I'm very wary of acting on someone's 'opinion'; ask the oversight committee
to provide justification for its assertions also ask whether they will
provide funding for retraining developers, bringing in skilled java
developers from outside your team.

HTH

C.
Feb 2 '07 #6
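As an added illustration of the "dumb PHP stuff" Colin mentions (this is example code written for this thread, not code from any poster): the `include($_GET['value'])` pattern, left commented out as the "before", next to a dispatcher that lets the request pick only a key while the server owns every path. The page names and file paths are assumed.

```php
<?php
// Added example, not from the thread: include($_GET['value']) beside an
// allowlisted dispatcher. Page keys and file paths are assumptions.

declare(strict_types=1);

// "Before": whatever the client puts in ?page=... becomes the file PHP
// executes, so the request, not the application, chooses the code path.
// Kept commented out; it is the defect, not the fix.
//   include($_GET['page']);

// "After": the request selects a key; the server owns every path.
const PAGE_MAP = [
    'home'    => 'pages/home.php',     // assumed files
    'search'  => 'pages/search.php',
    'contact' => 'pages/contact.php',
];

/**
 * Map a request value to a server-controlled path, or null if the value
 * is not one of the known keys. Arrays, empty strings and anything that
 * is not an exact key (e.g. a relative path) end up in the "unknown"
 * branch rather than being used as a file name.
 */
function resolvePage(mixed $requested): ?string
{
    if (!is_string($requested) || $requested === '') {
        return PAGE_MAP['home'];          // no selection: default page
    }
    return PAGE_MAP[$requested] ?? null;  // exact key match only
}

$path = resolvePage($_GET['page'] ?? null);
if ($path === null) {
    http_response_code(404);              // do not echo the raw value back
    exit('Page not found.');
}
include __DIR__ . '/' . $path;
```

The point of the map is that no string from the request is ever concatenated into a path: an unknown key is a 404, not an attempt to open whatever was sent.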
Colin McKinnon wrote:
>I'm very wary of acting on someone's 'opinion'; ask the oversight committee
>to provide justification for its assertions also ask whether they will
>provide funding for retraining developers, bringing in skilled java
>developers from outside your team.
That right there is the big thing here.
Are their security concerns political or technical?

You can get through either one - as long as you know which one
you're dealing with.

It may very well be that there is a technical problem that
they're concerned about. But by the description, it looks like
the problem is political.

I don't envy you. Because when your employer hires a consultant
at 5x your pay to tell him something, he's gonna be loath to
dismiss the advice.
Feb 2 '07 #7
..oO(Sanders Kaufman)
>Michael Fesser wrote:
>>* don't trust anything outside the server, validate all input data,
>>recent PHP is shipped with an input filter extension that might come
>>in handy
>
>I hadn't heard that before.
>What's that about?
XLI. Filter Functions
http://www.php.net/manual/en/ref.filter.php

PHP Built in Input filtering
http://devzone.zend.com/node/view/id/1113

Micha
Feb 3 '07 #8
hi***********@yahoo.com wrote:
>My State government organization has written a PHP/MySQL application
>which has been in production for about 6 months and has been highly
>successful.
>
>We are now embarking on a similar database application, but one with
>much higher security concerns (birth data). Prior to beginning the
>project, we met with an oversight committee who strongly advised
>against PHP and suggested Java. Their concern was that PHP could not
>be trusted to handle the security of the data adequately.
>
>My team have become fairly adept PHP programmers, but we know little
>about security and other technical issues. None of us are familiar
>with Java, and due to time constraints, we are very reluctant to make
>such a drastic switch.
>
>I have done some brief reading regarding PHP security and it looks
>like a lot of steps can be taken to increase the security level.
>
>Unfortunately, there appears to be quite a bias against PHP in our
>organization, which will be responsible for hosting the application.
>We will definitely be fighting an uphill battle, and are concerned
>that even if we are able to stay with PHP, if there are future
>security problems, we will really be in a bad position for having
>stayed with it.
>
>Any thoughts regarding this issue would be greatly appreciated. Is
>Java inherently much more secure than PHP? If my team of 3 PHP
>programmers were to make the switch to Java, about which we know
>nothing, how much time would that add to the development of a mid-
>sized application (realizing that that is a very general question)?
>
>Many thanks!
I started working with Java when version 1.0 was current - around 10
years ago. I've been working with PHP for about 4 years now, so I feel
competent on both.

As others have indicated, either can be secure or not secure. Perhaps
they are thinking Java is more secure because it's compiled into byte
code and PHP isn't. But if the website is properly configured, this
isn't a problem. The users won't be able to see the PHP code anyway.
And if it isn't secure, they'll be able to download the Java class files
- and from there it's a simple matter to decompile them anyway.

Otherwise, standard security procedures should be in place - like
validating *all* user input, including checkboxes/radio buttons, etc.
And you have the same precautions in both languages.

I also agree that you should stick with the language your team is more
familiar with. You'll have fewer mistakes. And if your team was more
familiar with Java, I would tell you from the little you've given us
that Java would be more appropriate.

However, there are a lot more things involved in choosing a language for
a project. And you should look into those, also.

But security is a programming issue, not a language one. It should not
be used as a criterion when writing web pages, IMHO.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Feb 3 '07 #9
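Pulling together Micha's checklist in #2, the filter extension he links in #8, and Jerry's point in #9 about validating every field including checkboxes and radio buttons, here is one worked example (written for this thread, not code from any poster or from the PHP project): a hypothetical "search births by year and surname" page that validates each input with filter_var, queries through a PDO prepared statement, escapes on output with htmlspecialchars(), and logs rather than displays errors. The table, columns, DSN, credentials and log path are all assumed.

```php
<?php
// Added example, not from the thread. Table/column names, DSN, credentials
// and the log path are assumptions for illustration.

declare(strict_types=1);

// --- production error handling: log, never display (Micha's 3rd point) ---
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');   // assumed path

// --- validate ALL input, including checkbox and radio values ---
function readSearchForm(array $source): ?array
{
    // birth year: must be an integer in a plausible range (false otherwise,
    // including when the client sends an array instead of a scalar)
    $year = filter_var($source['year'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1900, 'max_range' => (int) date('Y')]]);

    // surname: a string, non-empty, length-limited, no control characters
    $surname = $source['surname'] ?? '';
    if (!is_string($surname) || $surname === '' || strlen($surname) > 64
        || preg_match('/[\x00-\x1F\x7F]/', $surname)) {
        return null;
    }

    // checkbox: a browser sends "on", but a client can send anything,
    // so only the form's own value counts as checked
    $includeArchived = ($source['archived'] ?? '') === 'on';

    // radio button: accept only the fixed set the form defines
    $sort = $source['sort'] ?? 'surname';
    if (!in_array($sort, ['surname', 'year'], true)) {
        return null;
    }

    if ($year === false) {
        return null;
    }
    return ['year' => $year, 'surname' => $surname,
            'archived' => $includeArchived, 'sort' => $sort];
}

// --- database access through PDO prepared statements ---
function findRecords(PDO $db, array $form): array
{
    // an ORDER BY column cannot be a bound parameter; it comes from the
    // allowlist checked above, never from the raw request text
    $orderBy = $form['sort'] === 'year' ? 'birth_year' : 'surname';
    $sql = 'SELECT id, surname, birth_year FROM births'
         . ' WHERE birth_year = :year AND surname LIKE :surname'
         . ($form['archived'] ? '' : ' AND archived = 0')
         . ' ORDER BY ' . $orderBy;
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':year', $form['year'], PDO::PARAM_INT);
    // escape LIKE wildcards so a surname of "%" does not match everything
    $pattern = addcslashes($form['surname'], '%_\\') . '%';
    $stmt->bindValue(':surname', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- escape on output, for the HTML context ---
function renderRows(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '<tr><td>' . htmlspecialchars($row['surname'], ENT_QUOTES, 'UTF-8')
               . '</td><td>' . (int) $row['birth_year'] . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// --- never show PHP- or DB-generated errors to the user ---
$form = readSearchForm($_GET);
if ($form === null) {
    http_response_code(400);
    exit('Invalid search parameters.');
}
try {
    $db = new PDO('mysql:host=localhost;dbname=vitals;charset=utf8mb4',  // assumed DSN
        'app', 'secret',                                                   // assumed credentials
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_EMULATE_PREPARES => false]);
    echo renderRows(findRecords($db, $form));
} catch (PDOException $e) {
    error_log('search failed: ' . $e->getMessage());  // detail goes to the logfile
    http_response_code(500);
    echo 'The search could not be completed.';           // generic page for the user
}
```

Two details worth noting: the sort column is the one piece of the query that cannot be a bound parameter, which is exactly why it is taken from a fixed allowlist rather than from the request string; and `ATTR_EMULATE_PREPARES => false` makes PDO send real server-side prepared statements to MySQL instead of interpolating the values client-side.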
On Feb 2, 11:46 pm, himilecycl...@yahoo.com wrote:
<snip>
>Any thoughts regarding this issue would be greatly appreciated. Is
>Java inherently much more secure than PHP? If my team of 3 PHP
>programmers were to make the switch to Java, about which we know
>nothing, how much time would that add to the development of a mid-
>sized application (realizing that that is a very general question)?
FWIW, of late, I have been hacking and lurking RoR. And, I found
many Java programmers are moving to Ruby. So, moving to Java may not
be the right move.

I still find Ruby is more Perl than PHP.

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Feb 4 '07 #10