Posted by Colin McKinnon on 02/02/07 22:43
himilecyclist@yahoo.com wrote:
> We are now embarking on a similar database application, but one with
> much higher security concerns (birth data). Prior to beginning the
> project, we met with an oversight committee who strongly advised
> against PHP and suggested Java. Their concern was that PHP could not
> be trusted to handle the security of the data adequately.
>
> My team have become fairly adept PHP programmers, but we know little
> about security and other technical issues. None of us are familiar
> with Java, and due to time constraints, we are very reluctant to make
> such a drastic switch.
>
I used to be a full time PHP programmer and now look after several Java
sites which should be highly secure (mostly they are).
The flavour of problems on the Java sites is quite different from what I
saw with PHP. Regarding security, certainly PHP exposes much more of the
outside world to the application, and if handled stupidly, you can
introduce bugs in your code. However, most professional PHP programmers
know how to avoid these things. To paraphrase Bjarne Stroustrup, it's more
a case of being able to shoot yourself in the foot rather than blowing
yourself up.
If you rely on a third party framework, it will almost inevitably be
open-source, and a relatively small amount of code. Therefore easy to audit
and manage.
Once you take away the dumb PHP stuff (like include($_GET['value'])...and I
can't think of anything else) all the things which can make a PHP
application insecure can also occur in Java applications: session
hijacking/fixation, cross site scripting attacks, SQL injection, Email
injection.... See also
http://www.owasp.org/index.php/Trustworthy_Java#Isn.27t_Java_a_.22secure.22_language.3F
Switching to Java means other problems too. Firstly, instead of simply
sourcing a single third-party framework, you will find yourself working
with code from multiple different suppliers. Auditing the codebase is far
from practical. I wouldn't expect someone with less than about 4 years' real
experience with developing Java applications to have a full understanding
of the development system. Performance management is a total PITA.
Coming from a PHP environment, I was frankly amazed at the amount of effort
involved in deploying releases and keeping the Java system up and running.
Newbies don't program in Java because of the horrendous learning curve even
getting as far as 'Hello World'.
Any idiot can program in PHP. The problem is that they frequently do. And
then publish their half-baked code on 'Hotscripts' or similar. After all,
if someone else wants to use it do they have to construct build files and
mount containers in the URL space?
For very large projects deployed on large clusters, built by large
development teams, Java has some advantages, particularly where there are
persistent interfaces to other systems. Java has better asynchronous
messaging out of the box, and more tools for stuff like profiling and CASE.
Java guys tend to jump on this - but I don't know anyone working on a
project of this kind. Certainly for small to mid-size projects (up to 1000
KLOC / 2 million hits / day) I'd say PHP has the productivity advantage.
And it's not just me - see Tim Bray's slides here
(http://www.tbray.org/talks/php.de.pdf) (Tim Bray is Director of Web
Technologies for Sun). For another comparison of productivity in both
systems - have a look for Bruce Eckel - a former Java author / evangelist
who now advocates for Python, PHP and Ruby.
I'm very wary of acting on someone's 'opinion'; ask the oversight committee
to provide justification for its assertions, and also ask whether they will
provide funding for retraining developers or bringing in skilled Java
developers from outside your team.
HTH
C.
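The one PHP-specific hazard the post names is the user-controlled include. As an added illustration (not code from the original post), here is that pattern next to a hardened form that resolves a short page key against a fixed allowlist; the `pages/` directory, the `page` parameter and the file names are assumptions for the example.

```php
<?php
// Added example, not from the original post: the dynamic include the post
// calls "dumb PHP stuff", shown beside an allowlist-based replacement.

// --- Vulnerable pattern (kept commented out): the include path is whatever
// --- the client sent, so any readable file or remote URL could be executed.
// include($_GET['value']);

// --- Hardened form: the request carries only a key; the application decides
// --- which file, if any, that key maps to.
const PAGE_DIR = __DIR__ . '/pages';   // assumption: page templates live here

/** Return the absolute path for an allowed page key, or null to refuse. */
function resolve_page(string $key): ?string
{
    // Fixed map of public keys to files the application owns.
    static $allowed = [
        'home'    => 'home.php',
        'about'   => 'about.php',
        'contact' => 'contact.php',
    ];
    if (!isset($allowed[$key])) {
        return null;                         // unknown key: refuse, never guess
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $allowed[$key]);
    // Defence in depth: even an allowlisted entry must resolve under PAGE_DIR.
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return null;
    }
    return $path;
}

$path = resolve_page($_GET['page'] ?? 'home');
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```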