Re: Security - PHP Vs Java

Posted by Michael Fesser on 02/02/07 19:12

..oO(himilecyclist@yahoo.com)

>We are now embarking on a similar database application, but one with
>much higher security concerns (birth data). Prior to beginning the
>project, we met with an oversight committee who strongly advised
>against PHP and suggested Java. Their concern was that PHP could not
>be trusted to handle the security of the data adequately.

Improperly written Java classes cannot be trusted either. Security is
not a language feature.

>My team have become fairly adept PHP programmers, but we know little
>about security and other technical issues. None of us are familiar
>with Java, and due to time constraints, we are very reluctant to make
>such a drastic switch.
>
>I have done some brief reading regarding PHP security and it looks
>like a lot of steps can be taken to increase the security level.

Exactly. You can write secure PHP apps as well as insecure Java apps.
You always have to know what you're doing, in every language.

>Unfortunately, there appears to be quite a bias against PHP in our
>organization, which will be responsible for hosting the application.
>We will definitely be fighting an uphill battle, and are concerned
>that even if we are able to stay with PHP, if there are future
>security problems, we will really be in a bad position for having
>stayed with it.

Just some general considerations:

* keep the PHP installation up-to-date
* turn off register_globals, magic quotes, short open tag
* set error_reporting to E_ALL while developing, turn off display_errors
on the production server and use a logfile instead
* don't trust anything outside the server, validate all input data,
recent PHP is shipped with an input filter extension that might come
in handy
* use prepared statements for database operations (PDO for example)
* always use proper escaping, for example htmlspecialchars() when
printing out data to an HTML page
* never show PHP- or DB-generated error messages, define your own error
messages or error pages if necessary
* ...

Micha
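As an added example, not part of Michael's post, the following PHP script puts several of the items in his list into practice: input validation with the filter extension, a PDO prepared statement, htmlspecialchars() on output, and errors that go to a logfile instead of the browser. The in-memory SQLite table, the sample rows, the request values and the log path are all constructed for the demonstration.

```php
<?php
// php.ini settings corresponding to the list above. register_globals and
// magic_quotes_gpc were removed entirely in PHP 5.4; on older installs
// they must be Off. The log path is a hypothetical one.
//   register_globals = Off
//   magic_quotes_gpc = Off
//   short_open_tag   = Off
//   display_errors   = Off        ; production only; keep E_ALL while developing
//   log_errors       = On
//   error_log        = /var/log/php/app.log
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed in-memory SQLite table standing in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE births (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO births VALUES (1, 'O''Brien <b>')");

// Validate untrusted input: only a positive integer is accepted,
// anything else (including SQL fragments) is rejected before any query.
function valid_id($raw) {
    return filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
}

// Fetch one record through a prepared statement and escape it for HTML.
// Database errors are logged; the user only ever sees a generic message.
function render_record(PDO $db, $raw_id) {
    $id = valid_id($raw_id);
    if ($id === false) {
        return '<p>Invalid record id.</p>';
    }
    try {
        $stmt = $db->prepare('SELECT name FROM births WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // Real message goes to error_log only, never to the page.
        error_log('DB error in render_record: ' . $e->getMessage());
        return '<p>A database error occurred. Please try again later.</p>';
    }
    if ($row === false) {
        return '<p>No such record.</p>';
    }
    return '<p>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed request values: one valid id, one that is not an integer.
echo render_record($db, '1'), "\n";        // quote and angle brackets are escaped
echo render_record($db, '1 OR 1=1'), "\n"; // rejected by valid_id(), no query is run
```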
