Posted by Jerry Stuckle on 02/03/07 05:37
himilecyclist@yahoo.com wrote:
> My State government organization has written a PHP/MySQL application
> which has been in production for about 6 months and has been highly
> successful.
>
> We are now embarking on a similar database application, but one with
> much higher security concerns (birth data). Prior to beginning the
> project, we met with an oversight committee who strongly advised
> against PHP and suggested Java. Their concern was that PHP could not
> be trusted to handle the security of the data adequately.
>
> My team have become fairly adept PHP programmers, but we know little
> about security and other technical issues. None of us are familiar
> with Java, and due to time constraints, we are very reluctant to make
> such a drastic switch.
>
> I have done some brief reading regarding PHP security and it looks
> like a lot of steps can be taken to increase the security level.
>
> Unfortunately, there appears to be quite a bias against PHP in our
> organization, which will be responsible for hosting the application.
> We will definitely be fighting an uphill battle, and are concerned
> that even if we are able to stay with PHP, if there are future
> security problems, we will really be in a bad position for having
> stayed with it.
>
> Any thoughts regarding this issue would be greatly appreciated. Is
> Java inherently much more secure than PHP? If my team of 3 PHP
> programmers were to make the switch to Java, about which we know
> nothing, how much time would that add to the development of a mid-
> sized application (realizing that that is a very general question)?
>
> Many thanks!
>
I started working with Java when version 1.0 was current - around 10
years ago. I've been working with PHP for about 4 years now, so I feel
competent on both.
As others have indicated, either can be secure or not secure. Perhaps
they are thinking Java is more secure because it's compiled into byte
code and PHP isn't. But if the website is properly configured, this
isn't a problem. The users won't be able to see the PHP code anyway.
And if it isn't secure, they'll be able to download the Java class files
- and from there it's a simple matter to decompile them anyway.
Otherwise, standard security procedures should be in place - like
validating *all* user input, including checkboxes/radio buttons, etc.
And you have the same precautions in both languages.
I also agree that you should stick with the language your team is more
familiar with. You'll have fewer mistakes. And if your team was more
familiar with Java, I would tell you from the little you've given us
that Java would be more appropriate.
However, there are a lot more things involved in choosing a language for
a project. And you should look into those, also.
But security is a programming issue, not a language one. It should not
be used as a criterion when writing web pages, IMHO.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
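An added example of the "validate *all* user input, including checkboxes/radio buttons" point from the reply above. This is not code from the original thread or from the poster's organization; the form fields, the allowlists, the `births` table and its columns are assumed purely for illustration. The idea is that the browser's radio and checkbox controls only suggest values to a cooperating client, so the server re-checks every submitted value against its own allowlist and passes the cleaned data to the database through a prepared statement.

```php
<?php
// Added example (not from the original post): validate every form field,
// including radio buttons and checkboxes, against a server-side allowlist
// before the data reaches the database. Field names, allowlists and the
// table layout are assumptions made for this illustration.

declare(strict_types=1);

// Allowed values are defined on the server; the HTML form is only a hint.
const ALLOWED_SEX     = ['F', 'M', 'U'];              // radio button group
const ALLOWED_CONSENT = ['research', 'registry'];     // checkbox group

/**
 * Validate a submitted form. Returns a clean array on success or throws
 * InvalidArgumentException naming the first field that failed.
 */
function validateBirthForm(array $post): array
{
    $clean = [];

    // Free-text field: enforce length and character class; reject, do not "fix".
    $name = trim((string)($post['child_name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100
        || !preg_match('/^[\p{L}\p{M}\' .-]+$/u', $name)) {
        throw new InvalidArgumentException('child_name');
    }
    $clean['child_name'] = $name;

    // Date field: parse strictly and reject anything the parser had to "correct"
    // (e.g. 2006-02-31 rolling over into March) or a date in the future.
    $dob = (string)($post['dob'] ?? '');
    $dt  = DateTimeImmutable::createFromFormat('!Y-m-d', $dob);
    if ($dt === false || $dt->format('Y-m-d') !== $dob
        || $dt > new DateTimeImmutable('today')) {
        throw new InvalidArgumentException('dob');
    }
    $clean['dob'] = $dob;

    // Radio button: the browser limits the choice, a hostile client does not.
    $sex = (string)($post['sex'] ?? '');
    if (!in_array($sex, ALLOWED_SEX, true)) {
        throw new InvalidArgumentException('sex');
    }
    $clean['sex'] = $sex;

    // Checkbox group: must be an array, and every element must be allowlisted.
    $consent = $post['consent'] ?? [];
    if (!is_array($consent)) {
        throw new InvalidArgumentException('consent');
    }
    foreach ($consent as $c) {
        if (!is_string($c) || !in_array($c, ALLOWED_CONSENT, true)) {
            throw new InvalidArgumentException('consent');
        }
    }
    $clean['consent'] = array_values(array_unique($consent));

    return $clean;
}

/**
 * Store the validated record with a prepared statement so the values are
 * never interpolated into SQL text. Table and column names are assumed.
 */
function storeBirthRecord(PDO $db, array $clean): void
{
    $stmt = $db->prepare(
        'INSERT INTO births (child_name, dob, sex, consent_flags)
         VALUES (:name, :dob, :sex, :consent)'
    );
    $stmt->execute([
        ':name'    => $clean['child_name'],
        ':dob'     => $clean['dob'],
        ':sex'     => $clean['sex'],
        ':consent' => implode(',', $clean['consent']),
    ]);
}

// Constructed sample submission: the radio value 'X' is not one the form
// offers, so validation must reject the whole request rather than store it.
$sample = [
    'child_name' => 'Ada Lovelace',
    'dob'        => '2006-12-10',
    'sex'        => 'X',
    'consent'    => ['research'],
];
try {
    $clean = validateBirthForm($sample);
    echo "accepted\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected field: ' . $e->getMessage() . "\n";
}
```

In practice the `$sample` array would be `$_POST`, and `storeBirthRecord()` would be called only after `validateBirthForm()` returns; the same allowlists should drive the rendering of the form so the two cannot drift apart. Checking `is_string($c)` inside the checkbox loop matters because PHP will happily build nested arrays from `consent[][]=` style parameters, and `in_array` with a strict comparison on a non-string would otherwise pass silently.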