is PHP less secure than Perl, Python, or Ruby?

walterbyrd schrieb:

I honestly don't know. But, I have seen articles and posts about how
PHP is terribly insecure. I don't usually see comparisons to other
common web languages.

I think the big vulnerablity is supposed to be code injections.

Another security issue would be having code stolen, but I think that
PHP can be protected from that.

Obviously, I don't know a lot about it.

Well, it is pretty easy to write insecure php applications. And other
way round it is possible to write good and secure code in php. So you
can't say php is insecure in general, but you need some experience to
recocgnize all the possible vulnerabilities.

On Tue, 27 Feb 2007 07:30:18 -0800, walterbyrd wrote:

I honestly don't know. But, I have seen articles and posts about how PHP
is terribly insecure. I don't usually see comparisons to other common
web languages.

Everything is only as secure as you make it.

I think the big vulnerablity is supposed to be code injections.

I'm not sure how you would go about injecting code into a server-side
language.

Another security issue would be having code stolen, but I think that PHP
can be protected from that.

None of the PHP code is ever sent to the browser... only the result of the
code running.

walterbyrd wrote:

I honestly don't know. But, I have seen articles and posts about how
PHP is terribly insecure. I don't usually see comparisons to other
common web languages.

I think the big vulnerablity is supposed to be code injections.

Another security issue would be having code stolen, but I think that
PHP can be protected from that.

Obviously, I don't know a lot about it.

Walter,

As Mike says, it's only as secure as you write it. To elaborate a
little more:

Security is not really a language issue - any language can be insecure,
even a compiled one such as C/C++. And any language can be secure.

All scripting languages tend to be less secure only because the source
code is there to see. Anyone with physical access to the server
physically or through non-web routes such as telnet/ssh or ftp can get
that source code (this includes hosting companies). Sure, they can get
a compiled code also - but that takes a lot more work to figure out
what's going on.

The only "secret" to security is the same in all languages. Understand
the language. Understand the vulnerabilities (such as SQL injection - a
potential problem in ANY language when you're using a SQL database).
And understand how to secure your code against those vulnerabilities.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

..oO(walterbyrd)

>I honestly don't know. But, I have seen articles and posts about how
PHP is terribly insecure. I don't usually see comparisons to other
common web languages.

You can write insecure and vulnerable code in every language.
A tool is just as good as the one who uses it.

>I think the big vulnerablity is supposed to be code injections.

There are many different kinds of injections (code, SQL, mail headers,
XSS ...). Some languages may have their own ways to handle some of them
(tainted variables, prepared statements ...), in others you have to make
your hands more dirty, but you always have to take them into account in
every language used for server-side programming.

>Another security issue would be having code stolen, but I think that
PHP can be protected from that.

PHP is executed on the server. If someone is able to get the code then
you have another _real_ problem.

Micha

walterbyrd wrote:

I honestly don't know. But, I have seen articles and posts about how
PHP is terribly insecure.

PHP is not inherently insecure, but because it's very easy to write PHP,
it has become rather a popular language amongst people with little, if
any, formal training on how to program. Because of this, there are an
awful lot of badly written PHP scripts out there; installing them may well
open up your server to abuse.

Most security issues (in *any* language) arise from a failure to properly
check user input. Programmers make assumptions that a particular bit of
submitted input doesn't, say, contain an apostrophe and then they feed it
into a database. If a user accidentally enters an apostrophe where they
shouldn't, this may cause an error trying to insert the data into the
database. If the user *deliberately* enters an apostrophe, and then some
other specially crafted input, then they may be able to do malicious
things.

Most security issues arise from programmers making assumptions when they
shouldn't. If you always check and double-check every variable before
doing anything critical with it, then you've solved 9% of security issues
right there. (90% of security issues are caused by users who choose easy
passwords, or write their passwords on their forehead so that they can
remember it. The other 1% are "miscellaneous".)

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!