
Security - PHP Vs Java

My State government organization has written a PHP/MySQL application
which has been in production for about 6 months and has been highly
successful.

We are now embarking on a similar database application, but one with
much higher security concerns (birth data). Prior to beginning the
project, we met with an oversight committee who strongly advised
against PHP and suggested Java. Their concern was that PHP could not
be trusted to handle the security of the data adequately.

My team have become fairly adept PHP programmers, but we know little
about security and other technical issues. None of us are familiar
with Java, and due to time constraints, we are very reluctant to make
such a drastic switch.

I have done some brief reading regarding PHP security and it looks
like a lot of steps can be taken to increase the security level.

Unfortunately, there appears to be quite a bias against PHP in our
organization, which will be responsible for hosting the application.
We will definitely be fighting an uphill battle, and are concerned
that even if we are able to stay with PHP, if there are future
security problems, we will really be in a bad position for having
stayed with it.

Any thoughts regarding this issue would be greatly appreciated. Is
Java inherently much more secure than PHP? If my team of 3 PHP
programmers were to make the switch to Java, about which we know
nothing, how much time would that add to the development of a mid-
sized application (realizing that that is a very general question)?

Many thanks!

Feb 2 '07 #1
15 Replies


..oO(hi***********@yahoo.com)
>We are now embarking on a similar database application, but one with
>much higher security concerns (birth data). Prior to beginning the
>project, we met with an oversight committee who strongly advised
>against PHP and suggested Java. Their concern was that PHP could not
>be trusted to handle the security of the data adequately.
Improperly written Java classes cannot be trusted either. Security is
not a language feature.
>My team have become fairly adept PHP programmers, but we know little
>about security and other technical issues. None of us are familiar
>with Java, and due to time constraints, we are very reluctant to make
>such a drastic switch.
>
>I have done some brief reading regarding PHP security and it looks
>like a lot of steps can be taken to increase the security level.
Exactly. You can write secure PHP apps as well as insecure Java apps.
You always have to know what you're doing, in every language.
>Unfortunately, there appears to be quite a bias against PHP in our
>organization, which will be responsible for hosting the application.
>We will definitely be fighting an uphill battle, and are concerned
>that even if we are able to stay with PHP, if there are future
>security problems, we will really be in a bad position for having
>stayed with it.
Just some general considerations:

* keep the PHP installation up-to-date
* turn off register_globals, magic quotes, short open tag
* set error_reporting to E_ALL while developing, turn off display_errors
on the production server and use a logfile instead
* don't trust anything outside the server, validate all input data,
recent PHP is shipped with an input filter extension that might come
in handy
* use prepared statements for database operations (PDO for example)
* always use proper escaping, for example htmlspecialchars() when
printing out data to an HTML page
* never show PHP- or DB-generated error messages, define your own error
messages or error pages if necessary
* ...

Micha
Feb 2 '07 #2
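As an added example (not Micha's code, nor anything from the original thread), here is the list above translated into a small PHP request handler: the dangerous ini directives are checked, errors go to a logfile instead of the browser, the filter extension validates the input, PDO runs a prepared statement, and htmlspecialchars() escapes the output. It assumes PHP 7.1 or later with the PDO MySQL driver; the DSN, credentials, log path, table and column names are placeholders.

```php
<?php
// Added example, not from the original thread. Assumes PHP 7.1+ with PDO MySQL.
// The DSN, credentials, log path, table and column names are placeholders.
declare(strict_types=1);

// 1. Error handling: report everything, show nothing to the client, log it.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');   // placeholder path

// 2. Refuse to run while the risky directives are still switched on.
//    register_globals and magic_quotes_gpc were removed in PHP 5.4; on newer
//    PHP ini_get() returns false for them, which passes this check.
foreach (['register_globals', 'magic_quotes_gpc', 'short_open_tag'] as $directive) {
    if (filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException("Insecure php.ini setting: $directive=On");
    }
}

// 3. Input validation with the filter extension: null unless the request
//    carries a positive integer id.
function readRecordId(): ?int
{
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return ($id === false || $id === null) ? null : $id;
}

// 4. Database access through a prepared statement: the id is bound as a
//    parameter and never becomes part of the SQL text.
function fetchRecord(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, surname FROM birth_records WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 5. Output escaping for the HTML context, applied at the point of printing.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

try {
    $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ]);
    $id  = readRecordId();
    $row = $id === null ? null : fetchRecord($db, $id);
    if ($row === null) {
        http_response_code(404);
        echo '<p>No such record.</p>';
    } else {
        echo '<p>Record ' . h((string) $row['id']) . ': ' . h($row['surname']) . '</p>';
    }
} catch (Throwable $e) {
    // 6. Never echo the PHP or DB error text; log it and show a generic page.
    error_log('request failed: ' . $e->getMessage());
    http_response_code(500);
    echo '<p>An internal error occurred. It has been logged.</p>';
}
```

The display_errors and log_errors settings are applied at runtime here only for illustration; in production they belong in php.ini (or the web server's PHP configuration), so that errors raised before this script starts are also kept off the client's screen.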

Michael Fesser wrote:
>* don't trust anything outside the server, validate all input data,
>recent PHP is shipped with an input filter extension that might come
>in handy
I hadn't heard that before.
What's that about?
Feb 2 '07 #3

hi***********@yahoo.com schreef:
>We are now embarking on a similar database application, but one with
>much higher security concerns (birth data). Prior to beginning the
>project, we met with an oversight committee who strongly advised
>against PHP and suggested Java. Their concern was that PHP could not
>be trusted to handle the security of the data adequately.
What were the reasons behind their advice? My concern is the following:
Why and how can a JVM be trusted more than a PHP runtime?
>My team have become fairly adept PHP programmers, but we know little
>about security and other technical issues. None of us are familiar
>with Java, and due to time constraints, we are very reluctant to make
>such a drastic switch.
Basically, if your team switches to Java they'll make more mistakes
(because of their lesser experience), and will thus deliver a less secure
application.
>If there are future
>security problems, we will really be in a bad position for having
>stayed with it.
And what will happen if you switch to LanguageX on platformY? Who will
be responsible for the security problems then?

Does the oversight committee really believe that it's the magic bullet?
If they truly stand behind their words, they'll gracefully accept the
offer to be considered responsible for eventual security problems if
anything goes wrong with the Java implementation.

--
Tim Van Wassenhove <url:http://www.timvw.be/>
Feb 2 '07 #4

On Feb 2, 10:46 am, himilecycl...@yahoo.com wrote:
>My State government organization has written a PHP/MySQL application
>which has been in production for about 6 months and has been highly
>successful.
>
>We are now embarking on a similar database application, but one with
>much higher security concerns (birth data). Prior to beginning the
>project, we met with an oversight committee who strongly advised
>against PHP and suggested Java. Their concern was that PHP could not
>be trusted to handle the security of the data adequately.
>
>My team have become fairly adept PHP programmers, but we know little
>about security and other technical issues. None of us are familiar
>with Java, and due to time constraints, we are very reluctant to make
>such a drastic switch.
>
>I have done some brief reading regarding PHP security and it looks
>like a lot of steps can be taken to increase the security level.
>
>Unfortunately, there appears to be quite a bias against PHP in our
>organization, which will be responsible for hosting the application.
>We will definitely be fighting an uphill battle, and are concerned
>that even if we are able to stay with PHP, if there are future
>security problems, we will really be in a bad position for having
>stayed with it.
>
>Any thoughts regarding this issue would be greatly appreciated. Is
>Java inherently much more secure than PHP? If my team of 3 PHP
>programmers were to make the switch to Java, about which we know
>nothing, how much time would that add to the development of a mid-
>sized application (realizing that that is a very general question)?
>
>Many thanks!
Hello,

I'll mostly ignore the question regarding a migration to Java besides
these two thoughts:
- The comparison between security in Java and PHP is not a simple one,
and posting this question in only comp.lang.php is sure to give you
biased responses. Should you really want to pursue this topic, I
would, at the minimum, suggest you also post a question to a java
group (comp.lang.java.programmer perhaps?); if for no other reason than
to see the other "side of the coin". I would imagine that posters there
may be more in touch with Java security features, seeing as how many
of them depend on this.
- Writing a secure, well-written web application in Java is no small
feat for a team with little or no Java experience. Not knowing your
project time-line & budget constraints I cannot comment on how
feasible this is for your situation.
That said, before setting off to promote and defend your php
application, since you mention you will be hosting this application,
you should learn in great detail the intricacies of securing web
applications. Auditing your code for PHP security best practices, as
mentioned in other posts in this thread, is essential, but only the
start. Remember that writing secure code does not by itself make an
application secure. Reading and following all PHP security advisories
is also essential, as well as ensuring that the web server and
database installations are secure and up to date. Should the data be
compromised through a webserver/database vulnerability, neither Java
nor PHP could have saved you, but the security of your implementation
will have failed. Again avoiding the issue of whether PHP or Java is
more secure, it is currently possible to write a reasonably secure PHP
application. You are indeed fighting an uphill battle as early
versions of PHP, and the abundance of poorly written PHP scripts out
in the wild have given PHP a bad name in security conscious circles.

Hope that helps,
Carl.

Feb 2 '07 #5

hi***********@yahoo.com wrote:
>We are now embarking on a similar database application, but one with
>much higher security concerns (birth data). Prior to beginning the
>project, we met with an oversight committee who strongly advised
>against PHP and suggested Java. Their concern was that PHP could not
>be trusted to handle the security of the data adequately.
>
>My team have become fairly adept PHP programmers, but we know little
>about security and other technical issues. None of us are familiar
>with Java, and due to time constraints, we are very reluctant to make
>such a drastic switch.
I used to be a full time PHP programmer and now look after several Java
sites which should be highly secure (mostly they are).

The flavour of problems on the Java sites is quite different from what I
saw with PHP. Regarding security, certainly PHP exposes much more of the
outside world to the application, and if handled stupidly, you can
introduce bugs in your code. However, most professional PHP programmers
know how to avoid these things. To paraphrase Bjarne Stroustrup, it's more
a case of being able to shoot yourself in the foot rather than blowing
yourself up.

If you rely on a third party framework, it will almost inevitably be
open-source, and a relatively small amount of code. Therefore easy to audit
and manage.

Once you take away the dumb PHP stuff (like include($_GET['value'])...and I
can't think of anything else) all the things which can make a PHP
application insecure can also occur in Java applications: session
hijacking/fixation, cross site scripting attacks, SQL injection, Email
injection....See also
http://www.owasp.org/index.php/Trust...22_language.3F

Switching to Java means other problems too. Firstly, instead of simply
sourcing a single third-party framework, you will find yourself working
with code from multiple different suppliers. Auditing the codebase is far
from practical. I wouldn't expect someone with less than about 4 years real
experience with developing Java applications to have a full understanding
of the development system. Performance management is a total PITA.

Coming from a PHP environment, I was frankly amazed at the amount of effort
involved in deploying releases and keeping the Java system up and running.

Newbies don't program in Java because of the horrendous learning curve even
getting as far as 'Hello World'.

Any idiot can program in PHP. The problem is that they frequently do. And
then publish their half-baked code on 'Hotscripts' or similar. After all,
if someone else wants to use it do they have to construct build files and
mount containers in the URL space?

For very large projects deployed on large clusters, built by large
development teams, Java has some advantages, particularly where there are
persistent interfaces to other systems. Java has better asynchronous
messaging out of the box, and more tools for stuff like profiling and CASE.
Java guys tend to jump on this - but I don't know anyone working on a
project of this kind. Certainly for small to mid-size projects (up to 1000
KLOC / 2 million hits / day) I'd say PHP has the productivity advantage.
And it's not just me - see Tim Bray's slides here
(http://www.tbray.org/talks/php.de.pdf) (Tim Bray is Director of Web
Technologies for Sun). For another comparison of productivity in both
systems - have a look for Bruce Eckel - a former Java author / evangelist
who now advocates for Python, PHP and Ruby.

I'm very wary of acting on someone's 'opinion'; ask the oversight committee
to provide justification for its assertions also ask whether they will
provide funding for retraining developers, bringing in skilled java
developers from outside your team.

HTH

C.
Feb 2 '07 #6

Colin McKinnon wrote:
>I'm very wary of acting on someone's 'opinion'; ask the oversight committee
>to provide justification for its assertions also ask whether they will
>provide funding for retraining developers, bringing in skilled java
>developers from outside your team.
That right there is the big thing here.
Are their security concerns political, or technical.

You can get through either one - as long as you know which one
you're dealing with.

It may very well be that there is a technical problem that
they're concerned about. But by the description, it looks like
the problem is political.

I don't envy you. Because when your employer hires a consultant
at 5x your pay to tell him something, he's gonna be loath to
dismiss the advice.
Feb 2 '07 #7

..oO(Sanders Kaufman)
>Michael Fesser wrote:
>>* don't trust anything outside the server, validate all input data,
>>recent PHP is shipped with an input filter extension that might come
>>in handy
>
>I hadn't heard that before.
>What's that about?
XLI. Filter Functions
http://www.php.net/manual/en/ref.filter.php

PHP Built in Input filtering
http://devzone.zend.com/node/view/id/1113

Micha
Feb 3 '07 #8

hi***********@yahoo.com wrote:
>My State government organization has written a PHP/MySQL application
>which has been in production for about 6 months and has been highly
>successful.
>
>We are now embarking on a similar database application, but one with
>much higher security concerns (birth data). Prior to beginning the
>project, we met with an oversight committee who strongly advised
>against PHP and suggested Java. Their concern was that PHP could not
>be trusted to handle the security of the data adequately.
>
>My team have become fairly adept PHP programmers, but we know little
>about security and other technical issues. None of us are familiar
>with Java, and due to time constraints, we are very reluctant to make
>such a drastic switch.
>
>I have done some brief reading regarding PHP security and it looks
>like a lot of steps can be taken to increase the security level.
>
>Unfortunately, there appears to be quite a bias against PHP in our
>organization, which will be responsible for hosting the application.
>We will definitely be fighting an uphill battle, and are concerned
>that even if we are able to stay with PHP, if there are future
>security problems, we will really be in a bad position for having
>stayed with it.
>
>Any thoughts regarding this issue would be greatly appreciated. Is
>Java inherently much more secure than PHP? If my team of 3 PHP
>programmers were to make the switch to Java, about which we know
>nothing, how much time would that add to the development of a mid-
>sized application (realizing that that is a very general question)?
>
>Many thanks!
I started working with Java when version 1.0 was current - around 10
years ago. I've been working with PHP for about 4 years now, so I feel
competent on both.

As others have indicated, either can be secure or not secure. Perhaps
they are thinking Java is more secure because it's compiled into byte
code and PHP isn't. But if the website is properly configured, this
isn't a problem. The users won't be able to see the PHP code anyway.
And if it isn't secure, they'll be able to download the Java class files
- and from there it's a simple matter to decompile them anyway.

Otherwise, standard security procedures should be in place - like
validating *all* user input, including checkboxes/radio buttons, etc.
And you have the same precautions in both languages.

I also agree that you should stick with the language your team is more
familiar with. You'll have fewer mistakes. And if your team was more
familiar with Java, I would tell you from the little you've given us
that Java would be more appropriate.

However, there are a lot more things involved in choosing a language for
a project. And you should look into those, also.

But security is a programming issue, not a language one. It should not
be used as a criterion when writing web pages, IMHO.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Feb 3 '07 #9
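An added example (not Jerry's or Colin's code, nor anything from the original thread) covering Jerry's point above about validating checkbox and radio-button values as well as Colin's include($_GET['value']) remark earlier in the thread: every fixed-choice value the client sends is compared against a server-side allow-list, and a request-selected page is resolved through a map of known files rather than used as a path. It assumes PHP 7 or later; the field names, option sets, page map and the two sample requests are constructed placeholders.

```php
<?php
// Added example, not from the original thread. Assumes PHP 7+.
// Field names, option sets, page map and sample requests are constructed.
declare(strict_types=1);

// The options the form offers. The browser's checkbox/radio/select markup is
// only a hint: the request can carry any string, so the server re-checks it.
const SEX_OPTIONS     = ['F', 'M', 'X'];
const CONSENT_OPTIONS = ['yes', 'no'];
const NOTIFY_OPTIONS  = ['email', 'post'];

// Returns the validated value, or null if it is missing or outside the set.
// in_array() with strict=true avoids PHP's loose comparisons ("0" == false).
function pickOne(array $input, string $field, array $allowed): ?string
{
    $v = $input[$field] ?? null;
    return (is_string($v) && in_array($v, $allowed, true)) ? $v : null;
}

// A multi-checkbox field arrives as an array; every element must be allowed.
function pickMany(array $input, string $field, array $allowed): ?array
{
    $vs = $input[$field] ?? [];
    if (!is_array($vs)) {
        return null;
    }
    foreach ($vs as $v) {
        if (!is_string($v) || !in_array($v, $allowed, true)) {
            return null;
        }
    }
    return array_values(array_unique($vs));
}

// The include($_GET['value']) mistake, handled the same way: the request
// selects a key, and the server maps that key to a file it chose itself.
const PAGES = [
    'home'   => __DIR__ . '/pages/home.php',
    'search' => __DIR__ . '/pages/search.php',
];

function resolvePage(array $input): string
{
    $key = $input['page'] ?? 'home';
    // Unknown keys fall back to the default instead of reaching the filesystem.
    $known = is_string($key) && isset(PAGES[$key]);
    return PAGES[$known ? $key : 'home'];
}

// Constructed sample requests (not real traffic): one benign, one tampered.
$benign   = ['sex' => 'F', 'consent' => 'yes', 'notify' => ['email'], 'page' => 'search'];
$tampered = ['sex' => 'F OR 1=1', 'consent' => ['yes'], 'notify' => 'email',
             'page' => '../other.php'];

foreach ([$benign, $tampered] as $req) {
    $result = [
        'sex'     => pickOne($req, 'sex', SEX_OPTIONS),
        'consent' => pickOne($req, 'consent', CONSENT_OPTIONS),
        'notify'  => pickMany($req, 'notify', NOTIFY_OPTIONS),
        'page'    => resolvePage($req),
    ];
    // Any null field rejects the request. Log the field names for the team;
    // the client only gets a generic message, never the offending value.
    $rejected = array_keys(array_filter($result, 'is_null'));
    if ($rejected) {
        error_log('form rejected, invalid fields: ' . implode(', ', $rejected));
        echo "Your submission could not be processed.\n";
    } else {
        echo "accepted, page " . basename($result['page']) . "\n";
    }
}
```

The benign request passes every check, while the tampered one fails on the three fields whose values or types do not match the form, and its page key silently resolves to the default; nothing the client sent is ever echoed back or used as a file path.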

On Feb 2, 11:46 pm, himilecycl...@yahoo.com wrote:
<snip>
>Any thoughts regarding this issue would be greatly appreciated. Is
>Java inherently much more secure than PHP? If my team of 3 PHP
>programmers were to make the switch to Java, about which we know
>nothing, how much time would that add to the development of a mid-
>sized application (realizing that that is a very general question)?
FWIW, of late, I have been hacking and lurking RoR. And, I found
many Java programmers are moving to Ruby. So, moving to Java may not
be the right move.

I still find Ruby is more Perl than PHP.

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Feb 4 '07 #10

himilecyclist wrote:
>We are now embarking on a similar database application, but one with
>much higher security concerns (birth data). Prior to beginning the
>project, we met with an oversight committee who strongly advised
>against PHP and suggested Java. Their concern was that PHP could not
>be trusted to handle the security of the data adequately.
For the most part, security problems are not introduced by the programming
language, but by the programmers.

Writing a secure application requires someone who is an expert in that
particular programming language, and who is preferably more than a teensy
bit paranoid.

If your programmers are new to Java, they will not be able to write secure
Java code. End of story. (What's more, the training budget will go through
the roof and the project will take at least three times as long to develop.)

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/CSS/Javascript/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!
Feb 4 '07 #11

hi***********@yahoo.com wrote:
>My State government organization has written a PHP/MySQL application
>which has been in production for about 6 months and has been highly
>successful.
Complexity is perhaps more relevant than security.
Php (I haven't learned ruby/rails yet, but I hear good things)
is at its best for rapid client side development: for making pages
and forms exposed to the users. Get the O'Reilly php security book.
Java is better suited to complex data handling
and business logic processing on the server.

So one way to marry the two is to put an xmlrpc server in
front of the back-end data processing stuff, and then rapidly develop
user interface forms with php, that post to the xmlrpc server.

Feb 4 '07 #12

Thanks for all the great advice and info! We are working on
presenting the case for PHP now.

Could anyone point us to a list of sites (eCommerce, government, etc)
that use PHP and perhaps MySQL in an application involving highly
sensitive data? I'm sure there are a great many of these, but a list
of very well known sites or corporations would be useful.

Thanks again!

Feb 6 '07 #13

himilecyclist wrote:
>Could anyone point us to a list of sites (eCommerce, government, etc)
>that use PHP and perhaps MySQL in an application involving highly
>sensitive data?
Yahoo are the classic example of a big site powered by PHP. Although
search engine data is hardly "highly sensitive", some of their other
services require a higher level of privacy -- e.g. Yahoo Mail.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/CSS/Javascript/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!
Feb 6 '07 #14

himilecyclist asked...
: Could anyone point us to a list of sites (eCommerce, government,
: etc) that use PHP and perhaps MySQL in an application involving
: highly sensitive data?

"Toby A Inkster" answered...
: Yahoo are the classic example of a big site powered by PHP.
: Although search engine data is hardly "highly sensitive", some of
: their other services require a higher level of privacy -- e.g. Yahoo
: Mail.

To go along with that, sourceforge.net gets run on Apache and
PHP and MySQL. They advertise over 20,000 subdomains in
current operations (VHOST's).

They seem to run on Apache 1.3x. Unsure about the PHP version.

--
Jim Carlock
Post replies to the group.
Feb 7 '07 #15

Rik
Jim Carlock <an*******@127.0.0.1> wrote:
>himilecyclist asked...
>: Could anyone point us to a list of sites (eCommerce, government,
>: etc) that use PHP and perhaps MySQL in an application involving
>: highly sensitive data?
>
>"Toby A Inkster" answered...
>: Yahoo are the classic example of a big site powered by PHP.
>: Although search engine data is hardly "highly sensitive", some of
>: their other services require a higher level of privacy -- e.g. Yahoo
>: Mail.
>
>To go along with that, sourceforge.net gets run on Apache and
>PHP and MySQL. They advertise over 20,000 subdomains in
>current operations (VHOST's).
>
>They seem to run on Apache 1.3x. Unsure about the PHP version.
X-Powered-By: PHP/5.2.0
Server: lighttpd/1.4.13

Then again, who trusts headers? Users can fake headers, servers can too :P
--
Rik Wasmus
Feb 7 '07 #16
