
Is PHP more secure than ASP

Posted: Wed May 18, 2005 6:19 am
by james_p
Hi everyone, I'm the webmaster of http://www.topcreators.com. I have a client for whom I'm developing a shopping web site. I just want to know your suggestions on which is the more secure language, PHP or ASP; my client is really worried because of security reasons. Please guide me with some examples.

Thanks!!

Posted: Wed May 18, 2005 6:33 am
by John Cartwright
Well, this has been debated ever since the beginning of time.
I would probably have to say PHP because it is updated a lot more frequently with bug fixes than ASP. But really, it comes down to the coder. I would suggest reading up on a lot of security sources.

:arrow: http://php.net/security has a lot of good sources. Enjoy.

thank you very much!!

Posted: Wed May 18, 2005 6:36 am
by james_p
Jcart wrote: Well, this has been debated ever since the beginning of time.
I would probably have to say PHP because it is updated a lot more frequently with bug fixes than ASP. But really, it comes down to the coder. I would suggest reading up on a lot of security sources.

:arrow: http://php.net/security has a lot of good sources. Enjoy.
Sure, I will read it right now. Please suggest some other web sites where I can find more on this topic.

Thanks!!

Posted: Thu May 19, 2005 12:54 pm
by hanji
There are also other considerations to think of. I would say that you can do WAY more damage with ASP/SQL Server websites with regard to SQL injection attacks than you would with PHP/MySQL. When I'm saying ASP, I'm talking about standard ASP, not ASP.NET.

SQL injection attacks against SQL Server can lead to complete server ownership and data mining (extracting all data from the database). Bear in mind that SQL injection can happen with PHP/MySQL, but you are limited to a certain extent. For instance, SQL Server uses the sysobjects table, which a tool like Absinthe (a blind SQL injection tool, http://www.0x90.org/releases/absinthe/) can use to extract all data from the database. MySQL does not have a sysobjects-like table, so it is much harder to pull this information. Also, SQL Server uses dangerous stored procedures that are installed by default, such as xp_cmdshell, where a command can be crafted through the URL and injected into the SQL to shut down the server, upload files, etc., basically leading to complete compromise. SQL injection can be avoided by proper coding.

In my experience I've seen a lot of vulnerable ASP applications.. usually due to poor programming and poor server management. If you code securely and maintain the server.. both of the languages can be quite secure.

Another point, as far as I know.. ASP doesn't have the flexibility to maintain control of its functions/files (again referring to ASP, not ASP.NET). I like the ability to manipulate the php.ini file or adjust settings in the vhost server file to restrict PHP in my environment. Also, the ability to add safe mode and open_base_dir restrictions is a plus.

Here are some features I implement:
safe_mode http://us2.php.net/features.safe-mode
open_base_dir limits the user to specific directories, prevents bad guys from accessing other files
safe_mode_exec_dir restricts what directories and their programs can be executed
disable_functions I like to disable functions like exec, shell_cmd, etc

I hope this helps.
I didn't intend to upset any ASP coders out there.. Like I said.. it comes down to coding practices.

hanji
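As an added example (not code from anyone in this thread), the following PHP script illustrates hanji's two points: SQL injection is avoided by proper coding, meaning parameterised queries rather than string concatenation, and the php.ini restrictions he lists can be verified from inside the application. The database DSN, credentials, table and column names are placeholders. The directive names used are the real php.ini spellings: open_basedir (the post writes open_base_dir), disable_functions and safe_mode_exec_dir; safe_mode itself was removed in PHP 5.4, so the check only applies on older interpreters.

```php
<?php
// Added example, not from the original thread. Shows (1) a concatenated query
// beside its parameterised replacement and (2) a runtime report of the php.ini
// restrictions discussed in the post. DSN/credentials/table are placeholders.

declare(strict_types=1);

// UNSAFE (for contrast only, never executed here): the value is spliced into
// the SQL text, so a quote character in $productId changes the statement.
function buildQueryUnsafe(string $productId): string
{
    return "SELECT name, price FROM products WHERE id = '" . $productId . "'";
}

// SAFE: the statement goes to the server with a placeholder; the value is
// bound separately, so it is only ever treated as data.
function fetchProduct(PDO $db, string $productId): ?array
{
    $stmt = $db->prepare('SELECT name, price FROM products WHERE id = :id');
    $stmt->execute([':id' => $productId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Report whether the hardening directives from the post are in effect.
// ini_get() returns "" for an unset directive and false for an unknown one.
function hardeningReport(): array
{
    $disabled = array_filter(array_map('trim', explode(',', (string) ini_get('disable_functions'))));
    // Functions the post suggests disabling; shell_exec is the real name of "shell_cmd".
    $wanted = ['exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen'];

    $openBasedir = ini_get('open_basedir');

    return [
        'open_basedir_set'     => $openBasedir !== false && $openBasedir !== '',
        'missing_disables'     => array_values(array_diff($wanted, $disabled)),
        'safe_mode_exec_dir'   => (string) ini_get('safe_mode_exec_dir'),
        'safe_mode_applicable' => PHP_VERSION_ID < 50400, // removed in PHP 5.4
    ];
}

// Usage with placeholder connection details.
$db = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop_user', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

var_dump(fetchProduct($db, $_GET['id'] ?? ''));
print_r(hardeningReport());
```

If hardeningReport() shows missing entries, the matching php.ini (or per-vhost php_admin_value) lines would be along the lines of disable_functions = exec,shell_exec,system,passthru,proc_open,popen and open_basedir = /var/www/shop:/tmp, with the paths adjusted to the deployment. Setting PDO::ATTR_EMULATE_PREPARES to false matters because emulated prepares are still quoted client-side in PHP; with it off, the MySQL server itself keeps statement text and parameters apart.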