
Security - PHP Vs Java

My State government organization has written a PHP/MySQL application
which has been in production for about 6 months and has been highly
successful.

We are now embarking on a similar database application, but one with
much higher security concerns (birth data). Prior to beginning the
project, we met with an oversight committee who strongly advised
against PHP and suggested Java. Their concern was that PHP could not
be trusted to handle the security of the data adequately.

My team have become fairly adept PHP programmers, but we know little
about security and other technical issues. None of us are familiar
with Java, and due to time constraints, we are very reluctant to make
such a drastic switch.

I have done some brief reading regarding PHP security and it looks
like a lot of steps can be taken to increase the security level.

Unfortunately, there appears to be quite a bias against PHP in our
organization, which will be responsible for hosting the application.
We will definitely be fighting an uphill battle, and are concerned
that even if we are able to stay with PHP, if there are future
security problems, we will really be in a bad position for having
stayed with it.

Any thoughts regarding this issue would be greatly appreciated. Is
Java inherently much more secure than PHP? If my team of 3 PHP
programmers were to make the switch to Java, about which we know
nothing, how much time would that add to the development of a mid-
sized application (realizing that that is a very general question)?

Many thanks!

Feb 2 '07 #1
..oO(hi***********@yahoo.com)
> We are now embarking on a similar database application, but one with
> much higher security concerns (birth data). Prior to beginning the
> project, we met with an oversight committee who strongly advised
> against PHP and suggested Java. Their concern was that PHP could not
> be trusted to handle the security of the data adequately.
Improperly written Java classes cannot be trusted as well. Security is
not a language feature.
> My team have become fairly adept PHP programmers, but we know little
> about security and other technical issues. None of us are familiar
> with Java, and due to time constraints, we are very reluctant to make
> such a drastic switch.
>
> I have done some brief reading regarding PHP security and it looks
> like a lot of steps can be taken to increase the security level.
Exactly. You can write secure PHP apps as well as insecure Java apps.
You always have to know what you're doing, in every language.
> Unfortunately, there appears to be quite a bias against PHP in our
> organization, which will be responsible for hosting the application.
> We will definitely be fighting an uphill battle, and are concerned
> that even if we are able to stay with PHP, if there are future
> security problems, we will really be in a bad position for having
> stayed with it.
Just some general considerations:

* keep the PHP installation up-to-date
* turn off register_globals, magic quotes, short open tag
* set error_reporting to E_ALL while developing, turn off display_errors
on the production server and use a logfile instead
* don't trust anything outside the server, validate all input data,
recent PHP is shipped with an input filter extension that might come
in handy
* use prepared statements for database operations (PDO for example)
* always use proper escaping, for example htmlspecialchars() when
printing out data to an HTML page
* never show PHP- or DB-generated error messages, define your own error
messages or error pages if necessary
* ...

Micha
Feb 2 '07 #2
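As an added example (not Micha's code and not from the original thread), here is what the items in that list look like when applied in a single PHP request handler. It assumes PHP 7.1 or later, a PDO connection to a hypothetical `records(id, name)` table, and placeholder DSN and credentials; the legacy-setting check only matters on PHP older than 5.4, where register_globals and magic quotes still exist.

```php
<?php
// Added example (not from the thread): one request handler that applies the
// checklist above. Assumes PHP >= 7.1, a table records(id INT, name VARCHAR)
// and placeholder DSN/credentials.

declare(strict_types=1);

// 1. Refuse to run under the legacy settings the list says to turn off.
//    (These ini entries were removed in PHP 5.4; on newer PHP ini_get()
//    returns false and the check is a no-op. short_open_tag is a
//    php.ini-only setting and is not checked here.)
foreach (['register_globals', 'magic_quotes_gpc'] as $legacy) {
    if (filter_var(ini_get($legacy), FILTER_VALIDATE_BOOLEAN)) {
        error_log("Refusing to start: $legacy is enabled");
        http_response_code(500);
        exit('Server misconfigured.');
    }
}

// 2. Report everything, log it, and never send it to the browser.
//    In production these belong in php.ini; set here for illustration.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 3. Database access through PDO with server-side prepared statements.
$pdo = new PDO('mysql:host=localhost;dbname=example_db', 'example_user', 'example_pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let the DB server parse the statement
]);

// The id is bound as a parameter; it is never concatenated into the SQL.
function findRecord(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM records WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 4. Output escaping for HTML context: quotes, charset and invalid-byte
//    substitution all specified explicitly.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 5. Validate the input before it reaches the query: the id must be a
//    positive integer. null = not sent, false = sent but not an int.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid request.');
}

try {
    $record = findRecord($pdo, $id);
} catch (PDOException $ex) {
    // 6. The real DB error goes to the log; the user sees a generic page.
    error_log('DB error: ' . $ex->getMessage());
    http_response_code(500);
    exit('An internal error occurred.');
}

if ($record === null) {
    http_response_code(404);
    exit('Not found.');
}

echo '<p>Name: ' . e($record['name']) . '</p>';
```

The two settings that do the most work here are `PDO::ATTR_EMULATE_PREPARES => false`, so that the MySQL server rather than the PDO driver separates query text from data, and `PDO::ERRMODE_EXCEPTION`, so that a failed query cannot silently return an empty result set.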
Michael Fesser wrote:
> * don't trust anything outside the server, validate all input data,
> recent PHP is shipped with an input filter extension that might come
> in handy
I hadn't heard that before.
What's that about?
Feb 2 '07 #3
hi***********@yahoo.com schreef:
> We are now embarking on a similar database application, but one with
> much higher security concerns (birth data). Prior to beginning the
> project, we met with an oversight committee who strongly advised
> against PHP and suggested Java. Their concern was that PHP could not
> be trusted to handle the security of the data adequately.
What were the reasons behind their advice? My concern is the following:
Why and how can a JVM be trusted more than a PHP runtime?
> My team have become fairly adept PHP programmers, but we know little
> about security and other technical issues. None of us are familiar
> with Java, and due to time constraints, we are very reluctant to make
> such a drastic switch.
Basically, if your team switches to Java they'll make more mistakes
(because of the lesser experience), and will thus deliver a less secure
application.
> If there are future
> security problems, we will really be in a bad position for having
> stayed with it.
And what will happen if you switch to LanguageX on platformY? Who will
be responsible for the security problems then?

Does the oversight committee really believe that it's the magic bullet?
If they truly stand behind their words, they'll gracefully accept the
offer to be considered responsible for eventual security problems if
anything goes wrong with the Java implementation.

--
Tim Van Wassenhove <url:http://www.timvw.be/>
Feb 2 '07 #4
On Feb 2, 10:46 am, himilecycl...@yahoo.com wrote:
> My State government organization has written a PHP/MySQL application
> which has been in production for about 6 months and has been highly
> successful.
>
> We are now embarking on a similar database application, but one with
> much higher security concerns (birth data). Prior to beginning the
> project, we met with an oversight committee who strongly advised
> against PHP and suggested Java. Their concern was that PHP could not
> be trusted to handle the security of the data adequately.
>
> My team have become fairly adept PHP programmers, but we know little
> about security and other technical issues. None of us are familiar
> with Java, and due to time constraints, we are very reluctant to make
> such a drastic switch.
>
> I have done some brief reading regarding PHP security and it looks
> like a lot of steps can be taken to increase the security level.
>
> Unfortunately, there appears to be quite a bias against PHP in our
> organization, which will be responsible for hosting the application.
> We will definitely be fighting an uphill battle, and are concerned
> that even if we are able to stay with PHP, if there are future
> security problems, we will really be in a bad position for having
> stayed with it.
>
> Any thoughts regarding this issue would be greatly appreciated. Is
> Java inherently much more secure than PHP? If my team of 3 PHP
> programmers were to make the switch to Java, about which we know
> nothing, how much time would that add to the development of a mid-
> sized application (realizing that that is a very general question)?
>
> Many thanks!
Hello,

I'll mostly ignore the question regarding a migration to Java besides
these two thoughts:
- The comparison between security in Java and PHP is not a simple one,
and posting this question in only comp.lang.php is sure to give you
biased responses. Should you really want to pursue this topic, I
would, at the minimum, suggest you also post a question to a java
group (comp.lang.java.programmer perhaps?); if for no other reason to
see the other "side of the coin". I would imagine that posters there
may be more in touch with Java security features, seeing as how many
of them depend on this.
- Writing a secure, well-written web application in Java is no small
feat for a team with little or no Java experience. Not knowing your
project time-line & budget constraints I cannot comment on how
feasible this is for your situation.
That said, before setting off to promote and defend your php
application, since you mention you will be hosting this application,
you should learn in great detail the intricacies of securing web
applications. Auditing your code for PHP security best practices, as
mentioned in other posts in this thread, is essential, but only the
start. Remember that writing secure code does not by itself make an
application secure. Reading and following all PHP security advisories
is also essential, as well as ensuring that the web server and
database installations are secure and up to date. Should the data be
compromised through a webserver/database vulnerability, neither Java
nor PHP could have saved you, but the security of your implementation
will have failed. Again avoiding the issue of whether PHP or Java is
more secure, it is currently possible to write a reasonably secure PHP
application. You are indeed fighting an uphill battle as early
versions of PHP, and the abundance of poorly written PHP scripts out
in the wild have given PHP a bad name in security conscious circles.

Hope that helps,
Carl.

Feb 2 '07 #5
hi***********@yahoo.com wrote:
> We are now embarking on a similar database application, but one with
> much higher security concerns (birth data). Prior to beginning the
> project, we met with an oversight committee who strongly advised
> against PHP and suggested Java. Their concern was that PHP could not
> be trusted to handle the security of the data adequately.
>
> My team have become fairly adept PHP programmers, but we know little
> about security and other technical issues. None of us are familiar
> with Java, and due to time constraints, we are very reluctant to make
> such a drastic switch.
I used to be a full time PHP programmer and now look after several Java
sites which should be highly secure (mostly they are).

The flavour of problems on the Java sites are quite different from what I
saw with PHP. Regarding security, certainly PHP exposes much more of the
outside world to the application, and if handled stupidly, you can
introduce bugs in your code. However, most professional PHP programmers
know how to avoid these things. To paraphrase Bjarne Stroustrup, it's more
a case of being able to shoot yourself in the foot rather than blowing
yourself up.

If you rely on a third party framework, it will almost inevitably be
open-source, and a relatively small amount of code. Therefore easy to audit
and manage.

Once you take away the dumb PHP stuff (like include($_GET['value'])...and I
can't think of anything else) all the things which can make a PHP
application insecure can also occur in Java applications: session
hijacking/fixation, cross site scripting attacks, SQL injection, Email
injection....See also
http://www.owasp.org/index.php/Trust...22_language.3F

Switching to Java means other problems too. Firstly, instead of simply
sourcing a single third-party framework, you will find yourself working
with code from multiple different suppliers. Auditing the codebase is far
from practical. I wouldn't expect someone with less than about 4 years real
experience with developing Java applications to have a full understanding
of the development system. Performance management is a total PITA.

Coming from a PHP environment, I was frankly amazed at the amount of effort
involved in deploying releases and keeping the Java system up and running.

Newbies don't program in Java because of the horrendous learning curve even
getting as far as 'Hello World'.

Any idiot can program in PHP. The problem is that they frequently do. And
then publish their half-baked code on 'Hotscripts' or similar. After all,
if someone else wants to use it do they have to construct build files and
mount containers in the URL space?

For very large projects deployed on large clusters, built by large
development teams, Java has some advantages, particularly where there are
persistent interfaces to other systems. Java has better asynchronous
messaging out of the box, and more tools for stuff like profiling and CASE.
Java guys tend to jump on this - but I don't know anyone working on a
project of this kind. Certainly for small to mid-size projects (up to 1000
KLOC / 2 million hits / day) I'd say PHP has the productivity advantage.
And it's not just me - see Tim Bray's slides here
(http://www.tbray.org/talks/php.de.pdf) (Tim Bray is Director of Web
Technologies for Sun). For another comparison of productivity in both
systems - have a look for Bruce Eckel - a former Java author / evangelist
who now advocates for Python, PHP and Ruby.

I'm very wary of acting on someone's 'opinion'; ask the oversight committee
to provide justification for its assertions also ask whether they will
provide funding for retraining developers, bringing in skilled java
developers from outside your team.

HTH

C.
Feb 2 '07 #6
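The `include($_GET['value'])` pattern Colin mentions, shown next to a version that keeps the decision about which file to load on the server. This is an added example, not Colin's code or anything from the thread; the page names and the `pages/` directory are constructed for illustration, and it assumes PHP 7.0 or later for the `??` operator.

```php
<?php
// Added example (not from the thread). Compares the risky include pattern
// named in the post with a version that never passes client-controlled
// text to include(). Page names and the pages/ directory are constructed.

declare(strict_types=1);

// --- risky: the request decides which file is executed ---------------------
// include($_GET['page']);
// Whatever the client puts in ?page= is used as a path: any file the web
// server user can read (inside or outside the web root) becomes a candidate,
// and if allow_url_include is on, so does a remote URL.

// --- hardened: the request supplies a key, the server owns the mapping -----
const PAGES = [
    'home'    => 'home.php',
    'search'  => 'search.php',
    'contact' => 'contact.php',
];

/**
 * Map a requested page key to a file name from the fixed list.
 * Unknown or missing keys fall back to the default page, so the string
 * that reaches include() is always one of the literals above.
 */
function resolvePage(?string $requested): string
{
    $key = $requested ?? 'home';
    return PAGES[$key] ?? PAGES['home'];
}

// Defence in depth: even though the name is from our own list, confirm the
// resolved path really lives under the pages/ directory before including it.
function pagePath(string $file): string
{
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . $file);
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('Page file missing or outside the pages directory');
    }
    return $path;
}

$requested = $_GET['page'] ?? null;
include pagePath(resolvePage(is_string($requested) ? $requested : null));
```

The whitelist is what removes the problem; the `realpath()` check is there so that a later edit to the `PAGES` array (a typo with a `../` in it, say) fails loudly instead of quietly widening what can be included.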
Colin McKinnon wrote:
> I'm very wary of acting on someone's 'opinion'; ask the oversight committee
> to provide justification for its assertions also ask whether they will
> provide funding for retraining developers, bringing in skilled java
> developers from outside your team.
That right there is the big thing here.
Are their security concerns political, or technical.

You can get through either one - as long as you know which one
you're dealing with.

It may very well be that there is a technical problem that
they're concerned about. But by the description, it looks like
the problem is political.

I don't envy you. Because when your employer hires a consultant
at 5x your pay to tell him something, he's gonna be loath to
dismiss the advice.
Feb 2 '07 #7
..oO(Sanders Kaufman)
> Michael Fesser wrote:
>> * don't trust anything outside the server, validate all input data,
>> recent PHP is shipped with an input filter extension that might come
>> in handy
>
> I hadn't heard that before.
> What's that about?
XLI. Filter Functions
http://www.php.net/manual/en/ref.filter.php

PHP Built in Input filtering
http://devzone.zend.com/node/view/id/1113

Micha
Feb 3 '07 #8
hi***********@yahoo.com wrote:
> My State government organization has written a PHP/MySQL application
> which has been in production for about 6 months and has been highly
> successful.
>
> We are now embarking on a similar database application, but one with
> much higher security concerns (birth data). Prior to beginning the
> project, we met with an oversight committee who strongly advised
> against PHP and suggested Java. Their concern was that PHP could not
> be trusted to handle the security of the data adequately.
>
> My team have become fairly adept PHP programmers, but we know little
> about security and other technical issues. None of us are familiar
> with Java, and due to time constraints, we are very reluctant to make
> such a drastic switch.
>
> I have done some brief reading regarding PHP security and it looks
> like a lot of steps can be taken to increase the security level.
>
> Unfortunately, there appears to be quite a bias against PHP in our
> organization, which will be responsible for hosting the application.
> We will definitely be fighting an uphill battle, and are concerned
> that even if we are able to stay with PHP, if there are future
> security problems, we will really be in a bad position for having
> stayed with it.
>
> Any thoughts regarding this issue would be greatly appreciated. Is
> Java inherently much more secure than PHP? If my team of 3 PHP
> programmers were to make the switch to Java, about which we know
> nothing, how much time would that add to the development of a mid-
> sized application (realizing that that is a very general question)?
>
> Many thanks!
I started working with Java when version 1.0 was current - around 10
years ago. I've been working with PHP for about 4 years now, so I feel
competent on both.

As others have indicated, either can be secure or not secure. Perhaps
they are thinking Java is more secure because it's compiled into byte
code and PHP isn't. But if the website is properly configured, this
isn't a problem. The users won't be able to see the PHP code anyway.
And if it isn't secure, they'll be able to download the Java class files
- and from there it's a simple matter to decompile them anyway.

Otherwise, standard security procedures should be in place - like
validating *all* user input, including checkboxes/radio buttons, etc.
And you have the same precautions in both languages.

I also agree that you should stick with the language your team is more
familiar with. You'll have fewer mistakes. And if your team was more
familiar with Java, I would tell you from the little you've given us
that Java would be more appropriate.

However, there are a lot more things involved in choosing a language for
a project. And you should look into those, also.

But security is a programming issue, not a language one. It should not
be used as a criteria when writing web pages, IMHO.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Feb 3 '07 #9
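As an added example (not code from Micha's or Jerry's posts, nor from the thread), this covers both the filter extension Micha points to in #8 and Jerry's point in #9 about validating every field, checkboxes and radio buttons included: one form validator built on `filter_var_array()`. It assumes PHP 7.4 or later for the arrow function; the field names, the allowed values and the two sample submissions are constructed for illustration.

```php
<?php
// Added example (not from the thread): validating a whole form with the
// filter extension, including the "browser-controlled" checkbox and radio
// fields. Field names, allowed values and sample submissions are constructed.

declare(strict_types=1);

// The only radio values the server accepts, regardless of what the form
// markup offered. A client can send any string; the list is the truth.
const ALLOWED_SEX = ['F', 'M', 'X'];

/**
 * Validate a raw form array (e.g. $_POST) and return
 * ['valid' => [...filtered values...], 'errors' => [field => reason]].
 */
function validateRegistration(array $raw): array
{
    $definition = [
        'record_id' => ['filter'  => FILTER_VALIDATE_INT,
                        'options' => ['min_range' => 1]],
        'email'     => FILTER_VALIDATE_EMAIL,
        // Checkbox: "on"/"1"/"true" => true, "off"/"0"/"no" => false.
        // FILTER_NULL_ON_FAILURE makes an unrecognised value null instead of
        // false, so "unchecked" and "garbage" can be told apart below.
        'consent'   => ['filter' => FILTER_VALIDATE_BOOLEAN,
                        'flags'  => FILTER_NULL_ON_FAILURE],
        // Radio: must be exactly one of the server-side list.
        'sex'       => ['filter'  => FILTER_CALLBACK,
                        'options' => fn($v) => in_array($v, ALLOWED_SEX, true) ? $v : false],
        // Free text: bound the length and reject control characters other
        // than tab/newline. No escaping here; that happens on output.
        'notes'     => ['filter'  => FILTER_VALIDATE_REGEXP,
                        'options' => ['regexp' => '/^[^\x00-\x08\x0B\x0C\x0E-\x1F]{0,500}\z/u']],
    ];

    // add_empty=true (the default): fields absent from $raw come back as null.
    $result = filter_var_array($raw, $definition, true);

    $errors = [];
    foreach (['record_id', 'email', 'sex', 'notes'] as $field) {
        if ($result[$field] === false) {
            $errors[$field] = 'invalid value';
        }
    }
    foreach (['record_id', 'email', 'sex'] as $required) {
        if ($result[$required] === null) {
            $errors[$required] = 'missing';
        }
    }
    // Checkbox: null means either "not sent" (unchecked, a valid false) or
    // "sent with an unrecognised value" (an error). The raw array decides.
    if ($result['consent'] === null) {
        if (array_key_exists('consent', $raw)) {
            $errors['consent'] = 'invalid value';
        } else {
            $result['consent'] = false;
        }
    }

    return ['valid' => $result, 'errors' => $errors];
}

// Constructed sample submissions: one well-formed, one with a zero id, a
// malformed address, a radio value that was never offered, and a NUL byte.
$good = ['record_id' => '42', 'email' => 'jane@example.org',
         'consent' => 'on', 'sex' => 'F', 'notes' => 'born 1999-01-01'];
$bad  = ['record_id' => '0', 'email' => 'not-an-address',
         'sex' => 'ADMIN', 'notes' => "contains\x00nul"];

var_export(validateRegistration($good)['errors']);
echo PHP_EOL;
var_export(validateRegistration($bad)['errors']);
echo PHP_EOL;
```

The point of running the whole form through one definition array is that a field cannot be forgotten: every name the handler later reads has to appear in `$definition`, and anything the client sends that is not listed there is simply dropped from `$result`.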
On Feb 2, 11:46 pm, himilecycl...@yahoo.com wrote:
<snip>
> Any thoughts regarding this issue would be greatly appreciated. Is
> Java inherently much more secure than PHP? If my team of 3 PHP
> programmers were to make the switch to Java, about which we know
> nothing, how much time would that add to the development of a mid-
> sized application (realizing that that is a very general question)?
FWIW, of late, I have been hacking and lurking RoR. And I found
many Java programmers are moving to Ruby. So, moving to Java may not
be the right move.

I still find Ruby is more Perl than PHP.

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Feb 4 '07 #10
himilecyclist wrote:
> We are now embarking on a similar database application, but one with
> much higher security concerns (birth data). Prior to beginning the
> project, we met with an oversight committee who strongly advised
> against PHP and suggested Java. Their concern was that PHP could not
> be trusted to handle the security of the data adequately.
For the most part, security problems are not introduced by the programming
language, but by the programmers.

Writing a secure application requires someone who is an expert in that
particular programming language, and who is preferably more than a teensy
bit paranoid.

If your programmers are new to Java, they will not be able to write secure
Java code. End of story. (What's more, the training budget will go through
the roof and the project will take at least three times as long to develop.)

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/CSS/Javascript/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!
Feb 4 '07 #11
hi***********@yahoo.com wrote:
> My State government organization has written a PHP/MySQL application
> which has been in production for about 6 months and has been highly
> successful.
Complexity is perhaps more relevant than security.
Php (I haven't learned ruby/rails yet, but I hear good things)
is at its best for rapid client side development: for making pages
and forms exposed to the users. Get the O'Reilly php security book.
Java is better suited to complex data handling
and business logic processing on the server.

So one way to marry the two is to put an xmlrpc server in
front of the back-end data processing stuff, and then rapidly develop
user interface forms with php, that post to the xmlrpc server.

Feb 4 '07 #12
Thanks for all the great advice and info! We are working on
presenting the case for PHP now.

Could anyone point us to a list of sites (eCommerce, government, etc)
that use PHP and perhaps MySQL in an application involving highly
sensitive data? I'm sure there are a great many of these, but a list
of very well known sites or corporations would be useful.

Thanks again!

Feb 6 '07 #13
himilecyclist wrote:
> Could anyone point us to a list of sites (eCommerce, government, etc)
> that use PHP and perhaps MySQL in an application involving highly
> sensitive data?
Yahoo are the classic example of a big site powered by PHP. Although
search engine data is hardly "highly sensitive", some of their other
services require a higher level of privacy -- e.g. Yahoo Mail.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/CSS/Javascript/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!
Feb 6 '07 #14
himilecyclist asked...
: Could anyone point us to a list of sites (eCommerce, government,
: etc) that use PHP and perhaps MySQL in an application involving
: highly sensitive data?

"Toby A Inkster" answered...
: Yahoo are the classic example of a big site powered by PHP.
: Although search engine data is hardly "highly sensitive", some of
: their other service require a higher level of privacy -- e.g. Yahoo
: Mail.

To go along with that, sourceforge.net gets run on Apache and
PHP and MySQL. They advertise over 20,000 subdomains in
current operations (VHOST's).

They seem to run on Apache 1.3x. Unsure about the PHP version.

--
Jim Carlock
Post replies to the group.
Feb 7 '07 #15
Rik
Jim Carlock <an*******@127.0.0.1> wrote:
> himilecyclist asked...
> : Could anyone point us to a list of sites (eCommerce, government,
> : etc) that use PHP and perhaps MySQL in an application involving
> : highly sensitive data?
>
> "Toby A Inkster" answered...
> : Yahoo are the classic example of a big site powered by PHP.
> : Although search engine data is hardly "highly sensitive", some of
> : their other service require a higher level of privacy -- e.g. Yahoo
> : Mail.
>
> To go along with that, sourceforge.net gets run on Apache and
> PHP and MySQL. They advertise over 20,000 subdomains in
> current operations (VHOST's).
>
> They seem to run on Apache 1.3x. Unsure about the PHP version.
X-Powered-By: PHP/5.2.0
Server: lighttpd/1.4.13

Then again, who trusts headers? Users can fake headers, servers can too :P
--
Rik Wasmus
Feb 7 '07 #16