Is PHP secure then ASP

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


james_p
Forum Newbie
Posts: 18
Joined: Sat Apr 23, 2005 11:00 pm


Post by james_p »

Hi everyone, I'm the webmaster of http://www.topcreators.com . I have a client for whom I'm developing a shopping web site. I just want to know your suggestions on which is the most secure language, PHP or ASP; my client is really worried because of security reasons. Please guide me with some examples.

Thanks!!
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Well, this has been debated ever since the beginning of time.
I would probably have to say PHP because it is updated a lot more frequently with bug fixes than ASP. But really, it comes down to the coder. I would suggest reading up on a lot of security sources.

:arrow: http://php.net/security has a lot of good sources. Enjoy.
james_p
Forum Newbie
Posts: 18
Joined: Sat Apr 23, 2005 11:00 pm

Thank you very much!!

Post by james_p »

Jcart wrote:Well, this has been debated ever since the beginning of time.
I would probably have to say PHP because it is updated a lot more frequently with bug fixes than ASP. But really, it comes down to the coder. I would suggest reading up on a lot of security sources.

:arrow: http://php.net/security has a lot of good sources. Enjoy.
Sure, I will read it right now. Please suggest some other web sites where I can find more on this topic.

Thanks!!
hanji
Forum Commoner
Posts: 46
Joined: Fri Apr 29, 2005 3:23 pm

Post by hanji »

There are also other considerations to think of. I would say that you can do WAY more damage with ASP/SQL Server websites through SQL injection attacks than you would with PHP/MySQL. When I say ASP, I'm talking about standard ASP, not ASP.NET.

SQL injection attacks against SQL Server can lead to complete server ownership and data mining (extracting all data from the database). Bear in mind that SQL injection can happen with PHP/MySQL, but you are limited to a certain extent. For instance, SQL Server uses the sysobjects table, which a tool like Absinthe (a blind SQL injection tool, http://www.0x90.org/releases/absinthe/ ) can use to extract all data from the database. MySQL does not have a sysobjects-like table, so it is much harder to pull this information. Also, SQL Server ships with dangerous stored procedures that are installed by default, such as xp_cmdshell, where a command can be crafted through the URL and injected into the SQL to shut down the server, upload files, etc., basically leading to complete compromise. SQL injection can be avoided by proper coding.

In my experience I've seen a lot of vulnerable ASP applications, usually due to poor programming and poor server management. If you code securely and maintain the server, both languages can be quite secure.

Another point: as far as I know, ASP doesn't have the flexibility to maintain control of its functions/files (again referring to ASP, not ASP.NET). I like the ability to manipulate the php.ini file or adjust settings in the vhost server file to restrict PHP in my environment. Also, the ability to add safe_mode and open_basedir restrictions is a plus.

Here are some features I implement:
safe_mode: http://us2.php.net/features.safe-mode
open_basedir: limits the user to specific directories, prevents bad guys from accessing other files
safe_mode_exec_dir: restricts which directories and their programs can be executed
disable_functions: I like to disable functions like exec, shell_cmd, etc.

I hope this helps.
I didn't intend to upset any ASP coders out there. Like I said, it comes down to coding practices.

hanji
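The "proper coding" hanji says avoids SQL injection is, concretely, sending user input as a bound parameter instead of splicing it into the query text. The script below is an added example and not code from the post; it uses an in-memory SQLite database through PDO so it runs offline (against MySQL only the DSN changes), and the customer rows and the attacker payload are constructed for the demonstration.

```php
<?php
// Added example, not code from the forum post. An in-memory SQLite database is
// used via PDO so the script runs offline; for MySQL only the DSN string changes.
function openDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample data standing in for the shop's customer table.
    $db->exec("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT NOT NULL)");
    $db->exec("INSERT INTO customers (email) VALUES ('alice@example.com'), ('bob@example.com')");
    return $db;
}

// Vulnerable: request data is concatenated into the SQL text, so a quote in the
// input terminates the string literal and whatever follows is parsed as SQL.
function findCustomerVulnerable(PDO $db, string $email): array {
    $sql = "SELECT id, email FROM customers WHERE email = '" . $email . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is sent as a bound parameter of a prepared statement and is
// never parsed as SQL, whatever characters it contains.
function findCustomerSafe(PDO $db, string $email): array {
    $stmt = $db->prepare("SELECT id, email FROM customers WHERE email = ?");
    $stmt->execute([$email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = openDemoDb();

// Constructed attacker input: closes the literal and makes the WHERE clause always true,
// i.e. the vulnerable query becomes  ... WHERE email = '' OR '1'='1'
$payload = "' OR '1'='1";

$leaked = findCustomerVulnerable($db, $payload);  // every customer row comes back
$safe   = findCustomerSafe($db, $payload);        // no customer has that literal address

printf("vulnerable query: %d rows, prepared query: %d rows\n", count($leaked), count($safe));
```

Run it with `php demo.php`. With the mysqli extension the same fix is `$stmt = $mysqli->prepare(...); $stmt->bind_param('s', $email); $stmt->execute();`. On SQL Server the identical concatenation bug is what lets an attacker append a stacked `'; EXEC xp_cmdshell ...` statement; the bound parameter closes that door in the same way, because the input never reaches the SQL parser.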
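The php.ini restrictions hanji lists are only useful if they are actually in effect for the SAPI that serves the shop. The following added script (not from the post) audits the running interpreter against those settings; the document root /var/www/shop, the exec directory and the list of functions to disable are assumed values for a hypothetical vhost.

```php
<?php
// Added example, not code from the forum post: audit the running PHP against the
// php.ini restrictions discussed above. Paths are assumed for a hypothetical vhost
// rooted at /var/www/shop; adjust them to the real document root.
//
// The php.ini (or Apache php_admin_value) settings this script expects:
//   open_basedir       = /var/www/shop:/tmp
//   safe_mode_exec_dir = /var/www/shop/bin
//   disable_functions  = exec,shell_exec,system,passthru,popen,proc_open
//   safe_mode          = On     (PHP 5.3 and earlier only; the directive was removed in PHP 5.4)

function auditRestrictions(array $mustDisable, string $docRoot): array {
    $findings = [];

    $basedir = (string) ini_get('open_basedir');
    if ($basedir === '') {
        $findings[] = 'open_basedir is empty: scripts may read any file the web server user can';
    } elseif (strpos($basedir, $docRoot) === false) {
        $findings[] = "open_basedir does not include $docRoot";
    }

    // disable_functions is a comma-separated list; normalise it before comparing.
    $disabled = array_filter(array_map('trim', explode(',', (string) ini_get('disable_functions'))));
    foreach ($mustDisable as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn is still callable; add it to disable_functions";
        }
    }

    // safe_mode exists only up to PHP 5.3; on later versions ini_get() returns false
    // for the unknown directive and the two checks below are skipped.
    $safeMode = ini_get('safe_mode');
    if ($safeMode !== false) {
        if (!filter_var($safeMode, FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = 'safe_mode is available but switched off';
        }
        if ((string) ini_get('safe_mode_exec_dir') === '') {
            $findings[] = 'safe_mode_exec_dir is unset, so exec() is not confined to one directory';
        }
    }
    return $findings;
}

$findings = auditRestrictions(
    ['exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open'],
    '/var/www/shop'
);

if ($findings === []) {
    echo "all listed restrictions are in place\n";
} else {
    foreach ($findings as $f) {
        echo "WARN: $f\n";
    }
}
```

Run it once under the same SAPI the shop uses (drop it in the document root, fetch it through the web server, then delete it): the CLI usually loads a different php.ini, so `php audit.php` on the command line can report the restrictions present when the web server does not have them.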