
View Full Version : php not secure !!!???
OnlineRack 11-29-2006, 12:54 AM I was in the process of implementing a high end web app for financial transactions (high end does not mean complex, but mission critical).
Some developer told me that php is not really that secure and does not reflect a professional image which kind of surprised me.... Do you agree for any reason with him? Do you think it does not make it look professional? Is PHP not secure?
I just want to see if anyone agrees with some explanation b/c I do not agree at all.
thank you.
Marble 11-29-2006, 01:40 AM What's their reasoning?
MrMan 11-29-2006, 01:48 AM While PHP is good for quick websites, I would not recommend it for mission critical systems.
If I see PHP for any financial company, I personally would not take them seriously.
PHP can be secure, but it is harder to maintain and keep secure.
You usually have a certain structure.
Suppose you have the pages:
Login -> View Bank Statement
Then you later want to add more security measures. Adding new pages makes it more confusing and difficult to manage, which can lead to more security holes.
Login -> Username -> Show user image -> Enter PIN -> View Statement
With ASP.NET, one page usually submits to itself. Meaning, there is only one place to change the source code for each page.
With Java, you can use Struts for the Model-View-Controller design pattern, making it also easy to maintain.
Yes, PHP can have a similar MVC concept, but again, I wouldn't trust it right away. I haven't really seen it proven in mission critical software. Correct me if I'm wrong, but since PHP is interpreted, all of the source code must be placed on the server. This means that anybody that has access to the server can easily obtain plaintext passwords to get into the site. With Java and ASP.NET, the code is compiled and uploaded. Therefore, the plaintext is not uploaded to the server.
ntfu2 11-29-2006, 02:16 AM ...
This means that anybody that has access to the server can easily obtain plaintext passwords to get into the site. With Java and ASP.NET, the code is compiled and uploaded. Therefore, the plaintext is not uploaded to the server.
If you are storing mission critical passwords in plaintext on your server you shouldn't be coding anything anyway.
brendandonhu 11-29-2006, 02:21 AM This means that anybody that has access to the server can easily obtain plaintext passwords to get into the site.
You also have security issues if someone that's not supposed to be on your site has access to your server in the first place.
localhost127 11-29-2006, 03:14 AM You usually have a certain structure.
Suppose you have the pages:
Login -> View Bank Statement
Then you later want to add more security measures. Adding new pages makes it more confusing and difficult to manage, which can lead to more security holes.
Login -> Username -> Show user image -> Enter PIN -> View Statement
With ASP.NET, one page usually submits to itself. Meaning, there is only one place to change the source code for each page.
With Java, you can use Struts for the Model-View-Controller design pattern, making it also easy to maintain.
Yes, PHP can have a similar MVC concept, but again, I wouldn't trust it right away. I haven't really seen it proven in mission critical software. Correct me if I'm wrong, but since PHP is interpreted, all of the source code must be placed on the server. This means that anybody that has access to the server can easily obtain plaintext passwords to get into the site. With Java and ASP.NET, the code is compiled and uploaded. Therefore, the plaintext is not uploaded to the server.
I am not sure what you are talking about, PHP can do the exact same things that ASP.NET can - just because you or people you know program in the two languages differently does not mean that the language is incapable of doing something. I personally code nearly all of my websites in PHP with a few larger pages with classes and includes.
PHP is as secure as the programmer, but in comparison to a language such as java which will complain about every data type mismatch, it does have some flaws.
PHP can be compiled/optimized/obfuscated using utilities such as Zend Encoder or IonCube, and ASP.NET is usually used in a non-compiled state, very similar to PHP.
Many people on this forum will trust what other people say, so please try to be accurate in your posts so you do not scare people away from doing certain things that you simply do not prefer.
PHP is very secure when implemented properly. The very nature of PHP lends itself to this; the flexibility also means vulnerabilities. I know of a few billion dollar businesses that do their coding in PHP for their backends.
maxymizer 11-29-2006, 05:07 AM While PHP is good for quick websites, I would not recommend it for mission critical systems.
If I see PHP for any financial company, I personally would not take them seriously.
PHP can be secure, but it is harder to maintain and keep secure.
You usually have a certain structure.
Suppose you have the pages:
Login -> View Bank Statement
Then you later want to add more security measures. Adding new pages makes it more confusing and difficult to manage, which can lead to more security holes.
Login -> Username -> Show user image -> Enter PIN -> View Statement
With ASP.NET, one page usually submits to itself. Meaning, there is only one place to change the source code for each page.
With Java, you can use Struts for the Model-View-Controller design pattern, making it also easy to maintain.
Yes, PHP can have a similar MVC concept, but again, I wouldn't trust it right away. I haven't really seen it proven in mission critical software. Correct me if I'm wrong, but since PHP is interpreted, all of the source code must be placed on the server. This means that anybody that has access to the server can easily obtain plaintext passwords to get into the site. With Java and ASP.NET, the code is compiled and uploaded. Therefore, the plaintext is not uploaded to the server.
:rofl:
I think that the database choice is more of a factor in mission critical software rather than language that outputs the info. But perhaps the person who's storing passwords in a plain text file might think differently :D
PHP is not less or more secure than other languages or systems. The problem is actually its simpleness. PHP has a very flat learning curve, hence making it easy for inexperienced developers to quickly come up with a solution. While the actual functionality often works, the problem is more hidden. Due to lack of experience such applications often have serious security leaks. Because of that many people then unfortunately accuse the language rather than the developer.
To sum it up, security does not depend on the language but on the experience of the developer.
sasha 11-29-2006, 09:00 AM While PHP is good for quick websites, I would not recommend it for mission critical systems.
I would understand if you were recommending some platform you know a lot about, but I do not see how you can recommend not to use something you obviously know nothing about.
If I see PHP for any financial company, I personally would not take them seriously.
PHP can be secure, but it is harder to maintain and keep secure.
I am not sure what you are talking about
You usually have a certain structure.
Suppose you have the pages:
Login -> View Bank Statement
Then you later want to add more security measures. Adding new pages makes it more confusing and difficult to manage, which can lead to more security holes.
Login -> Username -> Show user image -> Enter PIN -> View Statement
With ASP.NET, one page usually submits to itself. Meaning, there is only one place to change the source code for each page.
With Java, you can use Struts for the Model-View-Controller design pattern, making it also easy to maintain.
Yes, PHP can have a similar MVC concept, but again, I wouldn't trust it right away. I haven't really seen it proven in mission critical software. Correct me if I'm wrong, but since PHP is interpreted, all of the source code must be placed on the server. This means that anybody that has access to the server can easily obtain plaintext passwords to get into the site. With Java and ASP.NET, the code is compiled and uploaded. Therefore, the plaintext is not uploaded to the server.
I am not sure where to start here. Just the way you approach the project (looking at it as independent pages that could have clear text passwords in them) tells me that you do not have a good grasp of web development.
You brought up few points:
- authentication
My framework, for example, is module based. Each module simply needs to be declared as "secure" if it is to be served over SSL only, or "requireauth" if it requires an authenticated user. Individual pages are not relevant too much. There is a single access point in the site where, in only a couple hundred lines of code, all security and authentication is handled. It is simply not possible to show someone something they are not supposed to see.
- clear text passwords
My SQL passwords and other credentials that the project might use are stored in encrypted files. The file encryption method is located in an encoded library that can be included only in a very specific way, so someone obtaining the entire source of the site does not mean that they would be able to get those credentials. User passwords are stored in a MySQL database encrypted using AES, and the key needed for decryption combines with some other info to become useful (the key itself is kept encrypted in a file, and the mechanism is hidden in the encoded file). If someone obtained the code and started playing with it, I would be notified and the project would self-destruct.
- human readable source
As you see above, large chunks of the code are not in clear text but rather they are encoded. The stuff that is in clear text is not critical; it is just there to expose some parts that might need adjustments by a third party in the future.
I CAN say stuff like:
ASP sucks
PHP 3 sucks
ASP.net with C# is good but depends on programmer
PHP4 is good but depends on programmer
PHP5 is good but depends on programmer
Perl is good but depends on programmer
Python is good but I hate it
... because I use those technologies and have more years of experience with some of them than I would like to admit. But you, based on your post, simply have no knowledge or understanding of them to state "PHP is not good".
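The "single access point" that sasha describes, and the login -> user image -> PIN -> statement chain from MrMan's post, can both be shown in one front controller. The code below is an added example, not sasha's framework or any real project's code; the module names, the "secure"/"requireauth" registry, the numeric authentication levels (0 = anonymous, 1 = password verified, 2 = password + PIN verified) and the SITE_HOST constant are assumptions of this example.

```php
<?php
// Added example (not the forum poster's framework): one entry point enforces
// every module's TLS and authentication requirements before any page code
// runs. Page files under modules/ contain no access checks of their own.

declare(strict_types=1);

const SITE_HOST = 'bank.example';   // assumed canonical host; never taken from the request

// Module registry: 'secure' = TLS only, 'requireauth' = minimum auth level
// (0 anonymous, 1 password verified, 2 password + PIN verified).
const MODULES = [
    'login'     => ['secure' => true,  'requireauth' => 0],
    'userimage' => ['secure' => true,  'requireauth' => 1], // anti-phishing image step
    'pin'       => ['secure' => true,  'requireauth' => 1],
    'statement' => ['secure' => true,  'requireauth' => 2],
    'help'      => ['secure' => false, 'requireauth' => 0],
];

/**
 * Pure routing decision, so it can be checked without a web server.
 * Returns 'not-found', 'redirect-https', 'redirect-login' or 'dispatch'.
 */
function routeDecision(string $module, bool $isHttps, int $authLevel): string
{
    if (!isset(MODULES[$module])) {
        return 'not-found';          // unknown names never reach require()
    }
    $rules = MODULES[$module];
    if ($rules['secure'] && !$isHttps) {
        return 'redirect-https';     // refuse to serve a secure module over plain HTTP
    }
    if ($authLevel < $rules['requireauth']) {
        return 'redirect-login';     // send the user to the step they have not completed
    }
    return 'dispatch';
}

/** Which module an under-authenticated user is sent to. */
function nextStep(int $authLevel): string
{
    return $authLevel === 0 ? 'login' : 'pin';
}

// ---- index.php: the single access point ----
if (PHP_SAPI !== 'cli') {
    session_start();
    $module    = $_GET['m'] ?? 'login';
    $isHttps   = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $authLevel = (int) ($_SESSION['auth_level'] ?? 0);   // raised by login.php and pin.php on success

    switch (routeDecision($module, $isHttps, $authLevel)) {
        case 'not-found':
            http_response_code(404);
            exit;
        case 'redirect-https':
            header('Location: https://' . SITE_HOST . '/index.php?m=' . $module, true, 302);
            exit;
        case 'redirect-login':
            header('Location: /index.php?m=' . nextStep($authLevel), true, 302);
            exit;
        case 'dispatch':
            // $module is a registry key, so user input never selects an arbitrary file.
            require __DIR__ . '/modules/' . $module . '.php';
    }
}
```

Adding the image and PIN steps to an existing login -> statement site means adding two registry entries and raising the statement module's level to 2; login.php and statement.php are not touched, which is the maintenance property under dispute in the thread. The redirect uses a configured host rather than the request's Host header so that the front controller cannot be turned into a redirector.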
MrMan 11-29-2006, 09:20 AM Please read my whole post, especially the third sentence:
PHP can be secure, but it is harder to maintain and keep secure.
If you are storing mission critical passwords in plaintext on your server you shouldn't be coding anything anyway.
PHP is a scripting language. The whole code that you're uploading is in plaintext, so when you're connecting to a database, you need to store the password in the code. Therefore, the password is stored in plaintext.
Your webhost (for example) has access to these files. I've heard stories where the webhost liked a script written by one of their clients, and used it. For security reasons, in PHP, you better manage your own datacenter.
Of course this will cause controversy in a PHP-loving forum, but like I said, it's not proven. In other words, show me one mission-critical software in the financial industry written in PHP.
I am not sure what you are talking about, PHP can do the exact same things that ASP.NET can - just because you or people you know program in the two languages differently does not mean that the language is incapable of doing something. I personally code nearly all of my websites in PHP with a few larger pages with classes and includes.
Where did I say it could not? I said, because of the structure/framework you're following, it is harder to manage, and easier to make security holes. Yes, it's still up to the developer. Go back to that page example.
Login -> Bank Statement
Now you create more security features in the future.
Login -> Show user image -> Enter PIN -> View Statement
To make this change, you have to change the Login script to make it now point to Username. You have to change View Statement, to make sure it is accepting the new values. This is to make a change in between pages. This is also a simple example, and requires the developer to know what each page does. So if you switch developers (one quits, leaves, etc.), that new developer would have to sit there and learn the whole structure/framework of the application before getting to work. This page goes to that, and this goes there.
Of course it's possible to make all of that secured, but it requires more work, and more areas prone to errors.
I think that the database choice is more of a factor in mission critical software rather than language that outputs the info. But perhaps the person who's storing passwords in a plain text file might think differently
Database yes, but language also. Just like C would be better than, say, Python, for the large amount of calculations required for certain mission critical software.
The simple point is this. The more code you write, the more likely you're prone to errors. A 1,000,000 line of code software is more likely to have more security issues than a 30 line code.
With PHP, you're writing more code. You're writing code to determine where the next page goes and what data it should accept from a previous page. So again, back to the sentence on my first post.
PHP can be secure, but it is harder to maintain and keep secure.
For the record, I code in PHP mainly, and ASP.NET sparingly.
PHP is a scripting language. The whole code that you're uploading is in plaintext, so when you're connecting to a database, you need to store the password in the code. Therefore, the password is stored in plaintext.
The password can be encrypted. Of course someone determined enough will always be able to decrypt it, but this can happen with each language and is not PHP specific (at some point the password becomes plaintext in each language).
As others already said, if someone already has access to your machine you have more to worry about than just whether something is stored in plaintext or not.
Your webhost (for example) has access to these files. I've heard stories where the webhost liked a script written by one of their clients, and used it. For security reasons, in PHP, you better manage your own datacenter.
This can happen with any application written in any language, be it PHP, Java, C#, C or Perl.
MrMan 11-29-2006, 09:32 AM - clear text passwords
My SQL passwords and other credentials that the project might use are stored in encrypted files. The file encryption method is located in an encoded library that can be included only in a very specific way, so someone obtaining the entire source of the site does not mean that they would be able to get those credentials. User passwords are stored in a MySQL database encrypted using AES, and the key needed for decryption combines with some other info to become useful (the key itself is kept encrypted in a file, and the mechanism is hidden in the encoded file). If someone obtained the code and started playing with it, I would be notified and the project would self-destruct.
Even if you encrypt the passwords in a file, wouldn't your method of decryption be in the source code.
Even if you encrypt the passwords in a file, wouldn't your method of decryption be in the source code.
Correct, but the same applies to other languages.
MrMan 11-29-2006, 09:37 AM The password can be encrypted. Of course someone determined enough will always be able to decrypt it, but this can happen with each language and is not PHP specific (at some point the password becomes plaintext in each language).
Decryption algorithm in plaintext source code is as good as storing in plaintext.
As others already said, if someone has already access to your machine you have more to worry about than just whether something is stored in plaintext or not.
I was talking more about the webhost, administrator, etc.
This can happen with any application written in any language, be it PHP, Java, C#, C or Perl.
Yes, but with ASP.NET and Java, you're uploading the compiled file and not the source code. If the file is compiled, binary file... it's harder to get the source code.
Yes, but with ASP.NET and Java, you're uploading the compiled file and not the source code. If the file is compiled, binary text... it's harder to get the source code.
Especially with .NET and Java reverse engineering the code is only a matter of seconds, so it's not harder at all.
sasha 11-29-2006, 09:42 AM Even if you encrypt the passwords in a file, wouldn't your method of decryption be in the source code.
No, because as I said before, these functions are in encoded files themselves. I have a directory called base that has base/classes and base/lib. Each file in there is encoded and checks how it was included, and if the environment is not the way it expects it - it enters "panic" mode (sending me an email with all details it gathers, dropping databases and removing encrypted files). That way the site becomes an empty shell that is useless to anyone.
No, because as I said before, these functions are in encoded files themselves. I have a directory called base that has base/classes and base/lib. Each file checks how it was included, and if the environment is not the way it expects it - it enters "panic" mode (sending me an email with all details it gathers, dropping databases and removing encrypted files). That way the site becomes an empty shell that is useless to anyone.
On this point MrMan has a case. Your encryption makes it a bit harder but not impossible. If someone is actually on your machine your encryption mechanism won't stand a second.
maxymizer 11-29-2006, 09:47 AM I was talking more about the webhost, administrator, etc.
If the server administrator wants to find out something about your data, he'll look directly into the database. Your point is completely flawed and you really don't know what you're talking about. And even if a webhost did hijack your script, there are laws about copyright that protect people who develop apps.
Also, if you plan to deploy enterprise level data on a shared host environment, you should be sentenced to jail.
Every mid to advanced web developer has at least a controlled deployment environment (his own web server).
I suggest you read the reply that was saying that php code can be encoded. Reading all replies might save you from sprouting nonsense.
sasha 11-29-2006, 09:53 AM On this point MrMan has a case. Your encryption makes it a bit harder but not impossible. If someone is actually on your machine your encryption mechanism won't stand a second.
OK, let's assume someone is on the machine and knows which file contains some secret key. In order to obtain that key someone would have to locate the function that can decrypt this file. That function is called by another function and both of them are in encoded files which are not human readable. Any unexpected calls to these functions will make the site enter "panic" mode. Any calls from a different environment (if someone made a copy of the site in a different location) will make the site enter panic mode. I will not say it is impossible to obtain the key, but it would be easier to find me and physically force me to give you the key than to extract it from the site.
MrMan 11-29-2006, 09:54 AM If server administrator wants to find out something about your data, he'll look directly into the database. Your point is completely flawed and you really don't know what you're talking about.
Any database material you don't want anybody reading, including the administrator, is encrypted.
And even if a webhost did hijack your script, there are laws about copyright that protect people who develop apps.
Bad guys don't respect the law.
Also, if you plan to deploy enterprise level data on a shared host environment, you should be sentenced to jail.
Every mid to advanced web developer has at least a controlled deployment environment (his own web server).
But not everybody can afford managing a datacenter. We're not talking about enterprise, we're talking about mission-critical. In other words, software that is required to run to keep the company going.
I suggest you read the reply that was saying that php code can be encoded. Reading all replies might save you from sprouting nonsense.
If you encrypt it, and the decryption method is available... that's as good as saying, my password is in that safe, and the key is here... now figure out how to get it.
What is being determined is how the decryption method is not available through the source code. Eventually, the application is told how to decrypt it.
I will not say it is impossible to obtain the key, but it would be easier to find me and physically force me to give you the key than to extract it from the site.
This, I doubt.
As far as it seems you are using some kind of obfuscation and self-developed code-encryption. Someone just a "little" bit experienced with PHP and development in general will be able to crack it within one or two hours as maximum.
If you encrypt it, and the decryption method is available... that's as good as saying, my password is in that safe, and the key is here... now figure out how to get it.
What is being determined is how the decryption method is not available through the source code. Eventually, the application is told how to decrypt it.
Thats all correct, but not a PHP specific problem but applies to all languages. If you have the data and the decryption mechanism in the same location you will always have problems.
maxymizer 11-29-2006, 10:08 AM I usually encrypt sensitive data such as passwords (sha1) and credit card information (mcrypt).
Note: we're already past phps' security.
Bad guys don't respect the law.
Great comment, can't argue with you here. :rofl:
But not everybody can afford managing a datacenter. We're not talking about enterprise, we're talking about mission-criticial. In other words, software that is required to run to keep the company going.
Dedicated web server costs around $100 a month. If a company can't afford THAT much a month, it's not really a company I'd go into business with. But then again, there are products like IonCube and ZendEncoder.
If you encrypt it, and the decryption method is available... that's as good as saying, my password is in that safe, and the key is here... now figure out how to get it.
And this is the sentence that shows you don't know ANYTHING about PHP so you can't even say it's insecure. Please, read before you post or at least ask someone if you don't know - php files encoded with ZendEncoder and IonCube can't be "decrypted".
Why? Because both encrypt compiled byte code rather than plain-text one. So even if you somehow decrypted it, you wouldn't get plain-text code.
You have any "I heard that..." stories left or we can conclude that your arguments are wrong?
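The post above separates two jobs: passwords (hashed) and card data (encrypted). The thread's "decryption method in the source" worry only applies to the second, because a hash needs no decryption routine at all, and for the second the routine can be public as long as the key is not in the web tree. The following is an added example, not maxymizer's or anyone else's code from this thread; it uses password_hash() and libsodium (PHP 7.2 or later) in place of the sha1() and mcrypt calls the post names, and the key path is an assumption.

```php
<?php
// Added example, not code from the forum thread. Demonstrates:
//  1. one-way, salted password hashing: nothing in the source can reverse it;
//  2. authenticated encryption for card numbers, with the key loaded from a
//     file outside DocumentRoot so that the source alone yields nothing.
// Requires PHP >= 7.2 (sodium_* functions are built in).

declare(strict_types=1);

// ---- 1. Passwords ----------------------------------------------------------
function storePassword(string $plain): string
{
    // password_hash() picks a random salt per call and embeds it in the result.
    return password_hash($plain, PASSWORD_DEFAULT);
}

function checkPassword(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);   // constant-time compare inside
}

// ---- 2. Card data ----------------------------------------------------------
function loadCardKey(string $path): string
{
    // Assumed deployment: $path is outside the web root, e.g. /etc/app/card.key,
    // readable only by the web server's user. The source never contains the key.
    $key = @file_get_contents($path);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('card key missing or wrong length');
    }
    return $key;
}

function encryptCard(string $pan, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // Stored form: base64(nonce || ciphertext+auth tag), so it fits a text column.
    return base64_encode($nonce . sodium_crypto_secretbox($pan, $nonce, $key));
}

function decryptCard(string $blob, string $key): ?string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;                            // malformed record
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct    = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $pan   = sodium_crypto_secretbox_open($ct, $nonce, $key);
    return $pan === false ? null : $pan;        // false = wrong key or tampered data
}

// ---- self-check with constructed values (run: php this_file.php) -----------
function selfTest(): bool
{
    $hash = storePassword('correct horse');
    $ok   = checkPassword('correct horse', $hash) && !checkPassword('wrong', $hash);

    // Constructed test card number; in production the key comes from loadCardKey().
    $key   = sodium_crypto_secretbox_keygen();
    $blob  = encryptCard('4111111111111111', $key);
    $ok    = $ok && decryptCard($blob, $key) === '4111111111111111';
    $ok    = $ok && decryptCard($blob, sodium_crypto_secretbox_keygen()) === null;
    $ok    = $ok && decryptCard(substr($blob, 0, -4) . 'AAAA', $key) === null;  // tamper
    return $ok;
}

if (PHP_SAPI === 'cli') {
    exit(selfTest() ? 0 : 1);
}
```

The self-check shows the two failure modes a practitioner cares about: a wrong key and a modified record both come back as null rather than as garbage plaintext, because secretbox authenticates before it decrypts. An administrator who copies the source and the database still needs the key file, which is the separation the thread is arguing about.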
sasha 11-29-2006, 10:12 AM This, I doubt.
As far as it seems you are using some kind of obfuscation and self-developed code-encryption. Someone just a "little" bit experienced with PHP and development in general will be able to crack it within one or two hours as maximum.
The problem for that someone is that all components involved: the library that runs encoded php code and the php code itself are not human readable and they are "booby trapped" just waiting for that someone to try something. Someone with enough resources and time would eventually do it, but chances are I would be aware of those attempts way before it would get to that point.
And this is the sentence that shows you don't know ANYTHING about PHP so you can't even say it's insecure. Please, read before you post or at least ask someone if you don't know - php files encoded with ZendEncoder and IonCube can't be "decrypted".
Why? Because both encrypt compiled byte code rather than plain-text one. So even if you somehow decrypted it, you wouldn't get plain-text code.
So far the discussion did not involve third-party tools but only out-of-the-box installations, and with those an encryption of data really makes it only a bit harder to get the data.
Using a code encrypter like you mentioned - although even those were already cracked to some extent - certainly makes it much harder or even "impossible" to read the source code.
The problem for that someone is that all components involved: the library that runs encoded php code and the php code itself are not human readable and they are "booby trapped" just waiting for that someone to try something. Someone with enough resources and time would eventually do it, but chances are I would be aware of those attempts way before it would get to that point.
Well, that always depends how well you monitor your machines, but as I said such an encryption makes it harder but not impossible at all. Depending on the obfuscation layers you put there it is a matter of 15 minutes to 4 hours.
maxymizer 11-29-2006, 10:27 AM First of all, there are too many "what-if" cases going on here. MrMan assumed that any host will go and steal your code. Yes, the code can't be encrypted by using languages' default means, but if you need that extra bit of security (and performance) - you can get it.
Second, even if you don't encode your php files and your web host steals your script - you have law protecting you and you can (and should) prosecute the one who stole your code. This part of the argument hasn't got ANYTHING to do with how secure the language is. I could also add that a web host that hosted your asp.net app could shut you down from accessing your app and start using it as their own. Does that make asp.net insecure?
PHP allows you to do a lot and a lot of people don't know what they're doing (when including files, cleaning user-received input and issuing SQL queries). That's not the language's fault, it's the developers' fault.
MrMan 11-29-2006, 10:27 AM And this is the sentence that shows you don't know ANYTHING about PHP so you can't even say it's insecure. Please, read before you post or at least ask someone if you don't know - php files encoded with ZendEncoder and IonCube can't be "decrypted".
Why? Because both encrypt compiled byte code rather than plain-text one. So even if you somehow decrypted it, you wouldn't get plain-text code.
Here are people complaining that ZendEncoder was cracked.
http://www.litfuel.net/plush/?postid=109
While I'm sure that may have been a previous edition, they can no longer make that claim, as it's only a matter of time.
Well, time to go to work... will discuss tonight.
PHP allows you to do a lot and a lot of people don't know what they're doing (when including files, cleaning user-received input and issuing SQL queries). That's not the language's fault, it's the developers' fault.
What I wrote hours ago :).
maxymizer 11-29-2006, 10:30 AM Great, can we have examples from 1999 telling us how bad php is while we're at it? Please?
Ks Jeppe 11-29-2006, 11:25 AM What I see is one person talking about how bad php is, stating all kinds of different examples of it, yet (s)he does not mention a better language which doesn't have these flaws, nor does (s)he take into consideration that if a person is inside the system itself, no matter what code you're using it will be insecure; if a person gets inside your server, it's the server security, not the php security, which is failing you...
If you wish to secure php, get ioncube, and read up on all the different ways an outsider could exploit your code; as said many times before, security is a question of the coder, not the language... PHP, if coded correctly, is just as secure as any other language, unless you develop your own which will still be insecure, but harder to crash nevertheless...
maxymizer 11-29-2006, 11:37 AM There's a general thought that php is insecure, vulnerable to everything, slow and that you can't develop enterprise-level web apps using php.
So far, none of the above have been proved. The truth is that there are some design flaws in php, but it's nothing that makes php vulnerable, insecure, slow etc.
hehachris 11-29-2006, 11:41 AM https://billing.yahoo.com/services/services_center.php
is that mission-critical?
maxymizer 11-29-2006, 11:57 AM I'd add:
www.flickr.com (php + mysql)
www.wikipedia.org (php + postgres)
Also, did anyone notice how ASP.NET powered sites rarely use search-engine friendly URL layout or is it just me?
Also, did anyone notice how ASP.NET powered sites rarely use search-engine friendly URL layout or is it just me?
Lets not move now into a PHP is better than .NET direction.
maxymizer 11-29-2006, 12:21 PM I didn't try to do that zoid.
It's just that asp.net framework is so awesome, it delivers mission-critical software, it even cooks your coffee and for just a mere $199 you can even have search engine friendly urls!
Sorry, I just couldn't help myself :D
I didn't try to do that zoid.
It's just that asp.net framework is so awesome, it delivers mission-critical software, it even cooks your coffee and for just a mere $199 you can even have search engine friendly urls!
Sorry, I just couldn't help myself :D
I see your point. However thats the problem when people who are unfamiliar with all exact details want to make statements about certain things. I dont want to criticise or offend MrMan, we all had to learn from scratch and he/she was right in some points, but thats what it comes down to.
Xeentech 11-29-2006, 01:19 PM MrMan has a good point. PHP is not only readable by any one with access but easily tampered with.
With a binary executable you have the option to have technicians who, even if they had write access to the file, would not be able to make any alterations.
Another factor is code signing: binary code can be signed and before the host OS executes the binary it can validate its signature; that's not very easy with an interpreted language.
I think the main reasons that PHP has no place in "mission critical" roles are that there's no large corp behind it, and it is so variable.
I know PHP has a big following, but it's OSS. Java (J2EE) has Sun Microsystems backing it, ASP/.NET has MS.. That's some major support from some dinosaur corps; you know Java will still be there next year when you come to hiring a new lead developer.
PHP is so variable from platform to platform, most of its behaviour can be redefined in its .ini. That is an amazing benefit in situations when L.A.M.P. servers are normally deployed, but it's not something you want your online banking running on.
doc_flabby 11-29-2006, 01:22 PM I didn't try to do that zoid.
It's just that asp.net framework is so awesome, it delivers mission-critical software, it even cooks your coffee and for just a mere $199 you can even have search engine friendly urls!
Sorry, I just couldn't help myself :D
Actually you can get them for free; mod_rewrite is available for IIS too.
php is lacking in several things (from a dev view) that means in my opinion in large/complex apps it becomes unmanageable, which makes it hard to secure etc etc.
Another way to look at it is that no one ever got fired for recommending IBM, Microsoft or Sun - it's a safe choice in a corporate environment, where cost is less of an issue.
Google tends to use Java for a lot of their stuff. idk if that would influence anyone :P YouTube uses Java too I think...
maxymizer 11-29-2006, 01:23 PM I think the main reasons that PHP has no place in "mission critical" roles are that theres no large corp behind it, and it is so variable.
You must be right, IBM and Yahoo! are small fry.
Can someone provide us with the cost for developing asp.net site (without paying for the developer)?
This is becoming ridiculous, more and more replies that are simply wrong. Has anyone here had a host that hijacked his or hers script? I'd like to receive input from people who develop(ed) php sites that were once hacked because the language sucks.
php is lacking in several things (from a dev view) that means in my opinion in large/complex apps it becomes unmanageable, which makes it hard to secure etc etc.
Can you provide an example please? Can you describe what a large or complex application is? Just to get the terms straight.
Xeentech 11-29-2006, 01:27 PM Yahoo! is by no means mission critical IMO, they don't "back" php.. they USE PHP.. Anything IBM does that IS mission critical is done in their own env WebSphere.
So what's your point?
maxymizer 11-29-2006, 01:39 PM Where's my point? Where's your point? There are numerous sites created via php, large companies such as Yahoo! and IBM are helping Zend promote PHP and you're asking me where's my point? So far, nobody gave an exact example of:
1.) That php is insecure because it "sucks"
2.) That php ISN'T backed by a "big" company
3.) That php can be hacked by anyone anytime
4.) That applications made in php cannot be maintained
5.) That php isn't fast
But also, there are examples of sites that use php (and mysql) and have a huge incoming visits and, newsflash - are performing extremely well.
Please, use real-world examples to prove points 1 - 5 (but without pasting some Symfony framework examples, I've NEVER heard of it except when it came to comparison).
Just because there are some people here who are incompetent to write modular, maintainable code in PHP, that doesn't mean the language sucks, but that someone else does.
Also, since PHP is extremely similar to C, how come no one says "Hey, apps written in C are unmaintainable because C sucks!"?
hehachris 11-29-2006, 01:48 PM Google tend to use Java for a lot of their stuff. idk if that would influence anyone :P YouTube uses Java too I think...
I believe that Google uses a lot of Python > Java
Xeentech 11-29-2006, 01:50 PM Maxymizer you're either deliberately disregarding my point or you don't get it. Zend back PHP, Yahoo and co. promote Zend. Zend are not a "big corp" IMO. Bigger than a lot of groups, but they're no SUNW or MSFT, that I gave in my example of J2 and .NET.
I didn't say PHP was slow Maxymizer, but now you bring it up.. some reading material for you: http://shootout.alioth.debian.org/
maxymizer 11-29-2006, 01:58 PM Wow, reading material, for me :)
I'm out of this discussion, it's becoming a kids fight. Once again, Java and asp.net are winners. I'll go and pick up on my left-behind learning on Java and asp.net so I can convert all my work to "pwn" languages, since this thread really convinced me that I work in an insecure, flawed, slow environment. And it's even free :(
Xeentech 11-29-2006, 01:59 PM I figured you hadn't seen that shootout since you seemed to think that C and PHP were the same speed, given any task. It was point number 5 in your list of proofs you required.
Also, since php is extremely similar to C..
As for that, wtf are you smoking? They're not even in the same class of languages. One is compiled and machine specific, has access to IO, has manual memory management and no garbage collection. The other is a SCRIPTING LANGUAGE.
maxymizer 11-29-2006, 02:16 PM Xeentech, PHP borrows from C's syntax. I thought I didn't have to explicitly WRITE that they're not in the same class nor they can be compared speed-wise, but seems I was wrong.
My point was - since those 2 are similar in syntax, how come you can write maintainable code in C and not in PHP? Where's the logic in that?
Xeentech 11-29-2006, 02:20 PM Namespaces, loadable object code, compiled object files, shared libs and verbose debuggers.. I know there are IDEs for PHP.. It's not just some huge conspiracy that everyone is telling you it's hard to maintain PHP code in a huge project, it's really true. No one here actually said "php sucks", you're just reading that somehow. Well sasha did, but I don't think they were serious.
maxymizer 11-29-2006, 02:25 PM And then again, I'm asking you to define a huge project. I'd like to compare a huge project written in asp.net (or Java / Python) to a php counterpart. I *strongly* believe that you can have maintainable PHP code if you have a framework with strong set of rules. I'm aware of PHP's flaws, but again - in my 7 year experience with PHP I never had any problems going back to my old code and extending it when necessary, but I see people are complaining about maintainability and NO ONE is giving any examples..am I asking too much?
Xeentech 11-29-2006, 02:35 PM I think it's more an issue of group maintainability, many people working on one project.
PHP may have the same syntax as in function (args) { } but what language doesn't these days? Some of the functions even have similar names to C functions, which I think was misguided since they don't function in the same way.
The languages don't have the same structure though. In C for example it's easier to do a group project, or even multiple groups, out of the box. Things like strict typing for example, it just aids in maintainability. PHP was not designed with that in mind and for good reason.
maxymizer 11-29-2006, 02:47 PM Xeentech, we're running in a circle here.
I used to work in a (small) group. We used a framework with strict rules and Subversion for controlling who did what (and so on, I guess you're familiar with version control). I never had any problems editing someone's code.
It's true that C and PHP operate differently, but my key point was the syntax layout (never mind that they both have common function names and the functions operate differently).
If you wouldn't be able to organize your code somehow, then there's really no point in using PHP (or any language). But if Flickr, which grows by day, uses PHP then there must be something to it.
Xeentech 11-29-2006, 03:05 PM Like I said, PHP is good for Flickr, works well. You think Flickr is mission critical? That was the OP question you know..
maxymizer 11-29-2006, 03:16 PM A site that does 4+ billion (mysql) queries a day, transferring data using php is pretty much mission critical to me.
Xeentech 11-29-2006, 03:23 PM You have a different idea of "mission criticality" than I do then. A photo blogging site is by no means of critical importance to me. Judging by the performance of flickr.com of late I suspect Yahoo! have the same opinion.
mission critical to me means the FPGA microcontroller that runs a FAB, has 10 guys program and debug it and has 20 guys work QA. Or an online banking site that has direct contact with the outside world.
In other words things that can go really badly wrong. If flickr serves me the wrong picture, or god forbid didn't load.. Does that matter? Sure it's annoying, but you hit refresh and it works and all is well. Not mission critical.
Ks Jeppe 11-29-2006, 03:25 PM So you can't have mission critical programs/scripts unless you're a big company or dealing with money? IMO, you can have mission critical scripts no matter how big or small your site/company is, it all depends on your mission... If Yahoo!'s mission is to make money, and they code their pay system in PHP, how is that script not critical for their mission?
I think you're all running in circles because you all have different definitions of what the terms you're using mean... And this is a topic which will have developers jumping on each other until the end of the world... I mean, if a programming language has been supported for more than a year, it must bring something to the table and have both its good and bad sides; if it was crap it wouldn't have survived... The original question is answered I think: yes, PHP is secure IF YOU CODE IT RIGHT! But there are indeed some more secure languages out there, I don't have enough experience with them all to tell you which, but they all have downfalls, there is no universal ultimate scripting or programming language which "owns" all others, and you two/three/four discussing in this thread will never reach an answer, at least not with the immaturity in which you bitch at each other :) No offence meant, this is just like the "Does god exist?" question which will have any forum of people discussing until the end of their days, heck, we have a 250 paged topic about it, and trust me, there is no straight answer, just like there isn't one to which scripting language is the best, it all depends on your mission and your experience...
maxymizer 11-29-2006, 03:31 PM You have a different idea of "mission criticality" than I do then. A photo blogging site is by no means of critical importance to me. Judging by the performance of flickr.com of late I suspect Yahoo! have the same opinion.
mission critical to me means the FPGA microcontroller that runs a FAB, has 10 guys program and debug it and has 20 guys work QA. Or an online banking site that has direct contact with the outside world.
In other words things that can go really badly wrong. If flickr serves me the wrong picture, or god forbid didn't load.. Does that matter? Sure it's annoying, but you hit refresh and it works and all is well. Not mission critical.
Well you should have said what you consider mission critical. In case of online-banking, I'd be crazy to use anything less than Oracle. And I'm still convinced that even in online-banking case, PHP can perform well, if not outstanding. Even in such case, it's the RDBMS that matters.
I used flickr as an example of a site that operates well under high traffic.
Care to explain what an FPGA microcontroller is and what it has to do with websites? I don't feel like googling this one.
Xeentech 11-29-2006, 04:06 PM That's an example of what mission critical is in my field, not web services related at all, but the idea of criticality isn't specific to web services either.
mission critical:
"Literally, any operation that cannot tolerate intervention, compromise or shutdown during the performance of its critical function. Mission critical environments usually support health, safety, security and human welfare."
Most other definitions I can find are along the same lines.
maxymizer 11-29-2006, 04:15 PM We were talking about web apps. You could have given examples of internet-banking and CC processing to denote the level of mission-critical.
Xeentech 11-29-2006, 04:31 PM That's a good point, because a lot of people see CC processing as non-mission critical. Might sound crazy to you. From a computer science point of view it's not. At any point in a credit card transaction you can bail out and there is no problem in starting again.
It has to be designed that way since you could lose the power on your POS machine, or lose your internet connection to your gateway.
brendandonhu 11-29-2006, 07:44 PM mission critical to me means the FPGA microcontroller that runs a FAB, has 10 guys program and debug it and has 20 guys work QA. Or an online banking site that has direct contact with the outside world.
Would that be kind of like Capital One, a fortune 500 company with online banking, that runs their site on PHP?
OnlineRack 11-29-2006, 08:58 PM ok guys and girls. thank you all for the replies. That was too much info.
brendandonhu kind of hit it.
This is what I was kind of asking. Capital One uses PHP for their site, however, when you navigate more they have .do for their onlinebanking and aspx in other locations.
I was planning on designing some type of online banking, but it is going to be in PHP since it is what I know best and am comfortable with (since I can secure it). There are tons of carts and ecommerce sites that are run on PHP, so the question of security is not really the question as it is all over the net. It is more on the programmer to have it locked down, which I believe I can do. The question is, have you seen financial transaction websites that run on PHP, do they reflect a bad image!!!!
jt2377 11-30-2006, 12:27 AM You must be right, IBM and Yahoo! are small fry.
Can someone provide us with the cost for developing asp.net site (without paying for the developer)?
This is becoming ridiculous, more and more replies that are simply wrong. Has anyone here had a host that hijacked his or her script? I'd like to receive input from people who develop(ed) PHP sites that were once hacked because the language sucks.
Can you provide an example please? Can you describe what a large or complex application is? Just to get the terms straight.
You're right, it's getting ridiculous, but I'll offer you two examples.
Dell have run their site since ASP to now ASP.net. Did anyone ever hear of Dell getting hacked, while there are literally thousands of LAMP sites/apps that got pwned? The most recent one: http://news.com.com/2100-7349_3-6067955.html
It's dated back to May of this year.
LAMP vs J2EE vs ASP.net vs whatever. It all comes down to your codefu and adminfu.
No reason to argue which is better, but I think PHP is crippled so Zend can make money http://www.bitstorm.org/edwin/en/php/
Your mileage may vary.
MrMan 11-30-2006, 12:55 AM Many of you are misinterpreting what I wrote. Never did I say that PHP was 'bad'. I never said that PHP is not capable of creating enterprise applications. If you can find anywhere I said those statements, please show me.
All I said was that, YES it is possible to write a secure application in PHP, BUT it will require more code, and writing more code = more prone to bugs.
I also said that PHP is stored in plaintext, because it is an interpreted language. I'm not talking about somebody that shouldn't have access to a website, and now you have a security issue. Rather, I'm talking about people that have easy access to it because they may have the rights to. The webmaster, who updates the website, can look at the PHP code and see the passwords to the database. The webhost who may need to troubleshoot something and see the passwords in plaintext.
With Java and ASP.NET, the code is in binary, not plaintext. If you open it with a text editor, you cannot understand it.
Capital One uses PHP for their site, however, when you navigate more they have .do for their onlinebanking and aspx in other locations.
Yes, .do is Java using Struts, and aspx is ASP.NET.
https://billing.yahoo.com/services/services_center.php
is that mission-critical?
I wrote:
https://billing.yahoo.com/services/services_center.aspx
https://billing.yahoo.com/services/services_center.jsp
and it takes me to the same site. It means nothing to me.
maxymizer and many others are big supporters of PHP and may have missed the point.
First, I said, I mainly code in PHP. I never said PHP was bad. I never said it was not capable.
Second, I never recommended a specific framework.
Third, PHP is not the answer to everything. The initial poster asked about an application for financial transactions. Now he's saying he wanted to use it for a bank application.
I already gave my opinion, and the remainder of the posts were mostly misinterpreted responses to my opinion. So instead of responding to my reply... why don't you guys answer the initial question and let's see what you come up with.
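The exposure described above (database passwords sitting in a PHP file that the webmaster, the host, or a served-by-mistake script can read) is usually addressed by keeping the credentials out of the source tree altogether. The following is an added example, not code from this thread; it assumes an INI file at /etc/myapp/db.ini and the server's DOCUMENT_ROOT, and it refuses to start if the file is inside the document root or readable by other local accounts.

```php
<?php
// Added example, not code from the thread. It keeps database credentials out
// of the PHP source that the web server serves: they live in an INI file
// outside the document root, readable only by the account PHP runs as.
// Assumed paths: /etc/myapp/db.ini and the server's DOCUMENT_ROOT.
declare(strict_types=1);

/**
 * Load the [db] section from an INI file that must sit outside $docRoot and
 * must not be world-readable. Expected contents (constructed sample):
 *   [db]
 *   dsn  = "mysql:host=localhost;dbname=billing"
 *   user = "billing_app"
 *   pass = "CHANGE-ME"
 */
function loadDbCredentials(string $path, string $docRoot): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("credentials file not found: $path");
    }

    // A file under the document root could be served, or leaked by a
    // misconfigured handler, which is exactly the exposure discussed above.
    $rootReal = realpath($docRoot);
    if ($rootReal !== false) {
        $root = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $root, strlen($root)) === 0) {
            throw new RuntimeException("credentials file must live outside the document root");
        }
    }

    // Reject a file that other local users can read (the "other" read bit, 0004).
    $mode = fileperms($real);
    if ($mode === false || ($mode & 0004) !== 0) {
        throw new RuntimeException("credentials file is world-readable; use chmod 640");
    }

    $ini = parse_ini_file($real, true, INI_SCANNER_TYPED);
    if ($ini === false || !isset($ini['db']['dsn'], $ini['db']['user'], $ini['db']['pass'])) {
        throw new RuntimeException("credentials file lacks [db] dsn/user/pass");
    }
    return $ini['db'];
}

/** Open the connection; the web script itself never contains the password. */
function connectDb(array $creds): PDO
{
    return new PDO($creds['dsn'], $creds['user'], $creds['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

$creds = loadDbCredentials('/etc/myapp/db.ini', $_SERVER['DOCUMENT_ROOT'] ?? '/var/www/html');
$pdo   = connectDb($creds);
unset($creds);   // do not keep the secret around to leak into dumps or error pages
```

Whoever administers the box can still read /etc/myapp/db.ini if they have the rights to, so this narrows exposure to the accounts that need the file rather than to everyone who can read the web tree.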
OnlineRack 11-30-2006, 02:01 AM Many of you are misinterpreting what I wrote. Never did I say that PHP was 'bad'. I never said that PHP is not capable of creating enterprise applications. If you can find anywhere I said those statements, please show me.
All I said was that, YES it is possible to write a secure application in PHP, BUT it will require more code, and writing more code = more prone to bugs.
I also said that PHP is stored in plaintext, because it is an interpreted language. I'm not talking about somebody that shouldn't have access to a website, and now you have a security issue. Rather, I'm talking about people that have easy access to it because they may have the rights to. The webmaster, who updates the website, can look at the PHP code and see the passwords to the database. The webhost who may need to troubleshoot something and see the passwords in plaintext.
With Java and ASP.NET, the code is in binary, not plaintext. If you open it with a text editor, you cannot understand it.
Yes, .do is Java using Struts, and aspx is ASP.NET.
I wrote:
https://billing.yahoo.com/services/services_center.aspx
https://billing.yahoo.com/services/services_center.jsp
and it takes me to the same site. It means nothing to me.
maxymizer and many others are big supporters of PHP and may have missed the point.
First, I said, I mainly code in PHP. I never said PHP was bad. I never said it was not capable.
Second, I never recommended a specific framework.
Third, PHP is not the answer to everything. The initial poster asked about an application for financial transactions. Now he's saying he wanted to use it for a bank application.
I already gave my opinion, and the remainder of the posts were mostly misinterpreted responses to my opinion. So instead of responding to my reply... why don't you guys answer the initial question and let's see what you come up with.
Correct... It is a financial app where clients can login and see their balance... it is nothing like online banking. It is very simple. As a matter of fact, all it does is pull a PDF file and make it visible to download. I just want to see if this is respected in the eyes of the clients, who can be a little computer savvy. Many points have been pointed out. (We have our own datacenter where the server is hosted so this is not my worry; it is a dedicated server as well.) Now with all the info you all provided "helpful" I get the difference. Now I would be interested to see if any company has some financial app that runs on PHP. :)
Thank you all.
Burhan 11-30-2006, 03:31 AM Wow, quite a cat fight going on in here. This will be a long post, so you have been warned :)
First, let me tackle this comment:
You have a different idea of "mission criticality" than I do then. A photo blogging site is by no means of critical importance to me. Judging by the performance of flickr.com of late I suspect Yahoo! have the same opinion.
mission critical to me means the FPGA microcontroller that runs a FAB, has 10 guys program and debug it and has 20 guys work QA. Or an online banking site that has direct contact with the outside world.
In other words things that can go really badly wrong. If flickr serves me the wrong picture, or god forbid didn't load.. Does that matter? Sure its annoying, but you hit refresh and it works and all is well. Not mission critical.
You actually don't realize a simple point -- mission critical is defined by the business owner, not by the end user. So what to you seems business critical, seems to be circling around the operations side.
Sure, to you as a user of flickr, a site not loading may seem that Yahoo doesn't consider it mission critical, but the point you are missing is that you don't decide that on Yahoo's behalf.
To expand on your example, for Yahoo, flikr that generates a lot of revenue from advertising and clicks is important. I'm not using the word "mission critical" here because automatically people assume this must mean some operational component (as you pointed out in your example).
Also, you have another misconception:
mission critical to me means the FPGA microcontroller that runs a FAB, has 10 guys program and debug it and has 20 guys work QA. Or an online banking site that has direct contact with the outside world.
Just because a company is throwing people at something, doesn't mean it's mission critical. Your FPGA microcontroller may only be responsible for a LED display that outputs data from a third party; it just might be overly complex that it needs that many people -- it might have a bad implementation or a poor programming syntax or many other reasons for the delegation of manpower.
Contact with the outside world doesn't make it mission critical, unless you are NASA and are talking about a transmitter on the ISS.
So, lets stop defining mission critical -- unless you talk about you own business and what is mission critical for you.
Mr.Man brought up a point that you all missed:
I wrote:
https://billing.yahoo.com/services/services_center.aspx
https://billing.yahoo.com/services/services_center.jsp
and it takes me to the same site. It means nothing to me.
It is naive to assume that an extension of a file reflects the programming language behind it. As I'm sure you are all aware, PHP can be setup to respond to any extension -- so I could write a PHP application, and name all my pages with the .aspx .do or no extension at all, making people think whatever I want regarding the technology that I am using on my site.
Getting back to a bit on topic. The question asked was "is php secure and professional?"
Few things I must say before I give my opinion on this topic:
1. A language is never secure or unsecure. It is always the implementation. So to say ____ is insecure or ____ is more secure is ridiculous.
2. Image and professionalism. This has a lot of influences. One is marketing and brand recognition. Depending on where you are in the world, not a lot of people know what PHP is; they still think all sites are done in FrontPage with HTML. So this image is partly the responsibility of the company behind the product. Microsoft has a great marketing machine that it flexes whenever promoting its products and services, so you hear a lot of 'buzz' around .NET. Sun does the same with its Java programming language; so these might seem professional to you.
Regardless of your own personal opinion on a language, the company behind it or anything else, when you enter a discussion like this you will always find there are people in the following camps:
1. People that have spent considerable time and energy on a particular platform or technology and see the introduction of another as a threat to them or their position (business are guilty of this -- how many times have you heard "We are a Microsoft shop" or "We are a Dell shop"). So if you are in an argument with a person who has spent considerable time on say ... Java development and you are trying to convince them of the merits of C# or the .NET platform, be prepared for some heated remarks and some stubborn replies. This is human nature.
2. People that are only familiar with the product or service discussed by what they have read on popular buzz sites and are trying to offer an opinion.
3. People that are looking for a solution to a business problem; these are usually the guys that are quiet through the whole discussion, they take in opinions from both sides, and then decide how can this technology help me solve my business problem? They really don't care about the implementation.
I'll give you an example of how this plays out (just to avoid any confusion). Suppose there is a discussion about cars and someone (group 3 above) asks, "What is the best car I can use to get from A to B in X amount of time?"
Group 1 would respond: "You should get a Ford. They are built in the US, have great service and reliability, offer superior protection. Their engines are quality engineered and use premium components. I have been using and working on Fords for years." His counterpart, "Fords aren't really that great, I mean, look at the design? It's ugly. Gas mileage is not that great. You should go with a Toyota. They are ________. I should know, I am a Toyota certified mechanic."
Group 2 : "Yeah, I heard that Toyota model ____ gets great gas mileage and has excellent ergonomics. I think you should go to with Toyota." Heard on Car and Driver
Meanwhile, the original poser of the question : "I want to get from A to B in X amount of time, I really don't care about the car engine or if it's a Ford or a Toyota or if it uses NGK or Bosch spark plugs, can it get me there with my conditions?"
Now that I have said that, here is my opinion on the topic. I have been programming in PHP for about 5 years, and also have experience in other "non-web" technologies.
The short summary: PHP is not insecure, but it makes it easy for inexperienced programmers to write unsecure code in it, due to its open nature lacking traditional language controls. It gets its unprofessional image from the fact that it is still quite a "grass roots" technology, taken up by startups and others alike, without a well known, corporate backer and years of marketing and support behind it.
The long explanation:
PHP gets the impression that it is unsecure and unprofessional because of the explosion of websites that spring up every day in PHP, and the inevitable security problems due to the lack of experience of the programmers. Its strength is that it is very easy to pick up by anyone with any experience in traditional languages, which is why you see a lot of PHP scripts that tackle just about any business problem. However, this same strength leads to unsecure applications because the people that are developing them are not experienced programmers, so they do not realize the proper way of development to avoid security problems.
The other problem that PHP faces is that there is no standardized framework for it -- Zend is dealing with this as fast as they can as they try to push out their Zend framework. A standardized framework that is backed by a company or organization gives the impression that the language or platform backer is serious about its future and has invested time and energy into it; this is a bit of a problem with PHP since Zend really is not doing that great with its PR and marketing.
The reason that IBM and Oracle back Zend with their certified stacks is because these companies (that have both been dealing with businesses for longer than Zend has been in existence) realize that PHP, or rather the shift from traditional to more agile development is taking place in businesses; so they want to ensure that their components are compatible with this technological shift. It does add merit to PHP and it helps, but only if you present this as a case with the other arguments FOR PHP, which are:
1. Easy to understand by seasoned developers -- flat learning curve. PHP achieves this by borrowing syntax from other well known languages; hence it is easier for businesses to start a new project in PHP rather than train people in another language that has a steep learning curve.
2. PHP is designed specifically for web development, hence it is not a "bolt on" attachment to another language that is there to capitalize on web projects. Its sole purpose is to develop web applications, and therefore it is not burdened as are other traditional languages offering a web component.
3. It integrates well with third party libraries.
I did not mention open source, free, etc. as for businesses, these are rarely talking points -- if you are a business and you are serious, you think in terms of productivity gains not really if a thing is open source or free.
I hope this helps, and please -- the above is my opinion -- so take it as such.
Rman2003 11-30-2006, 05:27 AM Our business uses a combination of PHP5 & Postgres to build high load applications used by upwards of 20,000 users in some instances.
Granted not ALL implementations of our software are used to that extent, but when it does, it holds up fine. We have multiple state-wide government contracts in both the marketing, and legal industries.
I see no more problem with PHP being insecure than ASP, Perl, or any other web based language. I find that more often than not, security issues in web apps are a result of the programmer's lack of experience rather than the language's functionality.
We commonly store personal medical and financial data. As long as you follow common sense security practices there should be no problems with breaches of information.
No matter how "secure" the language you use, if you don't know how to use it, it's not going to do you much good.
Also, I completely disagree on PHP not being flexible. We have implemented a system using PHP and mod_rewrite to VERY easily customize an iteration of our software for a particular client. PHP is probably one of the MOST flexible web based languages and has often been referred to as the Visual Basic of the web.
To date, I haven't run into any tasks that couldn't be completed in PHP that I had to resort to another web based language for.
However, as always, your mileage may vary.
Burhan 11-30-2006, 05:59 AM PHP is probably one of the MOST flexible web based languages and has often been referred to as the Visual Basic of the web.
Heh, I don't know if I like that analogy or not; I don't like Visual Basic too much :D
I also heard that Lufthansa's online reservation system runs on PHP, but I cannot find the link to it now.
Our business uses a combination of PHP5 & Postgres
Do you also use MySQL, or pure Postgres?
Rman2003 11-30-2006, 10:35 AM We use PHP5, Postgres, Apache2 + mod_rewrite + webdav.
We used to use mysql, but as the software progressed and became more complex, Postgres was just a better fit, so everything was migrated over.
dgeorge 11-30-2006, 11:36 AM I thought I would chime in here, with a few points.
1. I feel PHP is secure, I use it every day, and I like using it.
2. If you have a project and you have a developer that has been using PHP for 5+ years and a developer who has been using (insert other language here) for 6 months straight out of college, who are you going to pick to write your mission critical code, all things considered, if that's all you know about them and those are your only 2 options?
3. My definition of mission critical is anything that will affect your customers. For example, I could queue up credit card transactions if the processor goes down and the customers wouldn't notice, but if a shared hosting email server went down for more than 5 minutes, it will light up your support phone. Or at least that's what I have heard :) Mission critical doesn't have to do with money.
4. If someone is looking through your source files even if they don't have your passwords in them, you have more important things to worry about. This applies to shared or dedicated hosting.
When determining something like this it really comes down to what you / your developer feel most comfortable using. Telling a developer we need to use (insert language here) because they said so on some forum is most likely not going to yield the best project, no matter which way you look at it.
All the languages are definitely becoming easier to use and are evolving every day. It's a toolbox and it should be up to the person heading up the project to pick the right tool for the job.
doc_flabby 11-30-2006, 12:11 PM php is secure, the problem is the code.
there are tons of carts and ecommerce sites that are run on php
and quite a few of them get hacked. You are better off writing a custom solution. Quite a few of these carts are poorly written and insecure.
The reason why a PHP program is insecure is not PHP, it's the code. However, the problem with PHP is that it is so easy to start coding in it, a lot of people do code in it who don't understand the security implications of what they are doing.
I think comparing VB to PHP is a fair comparison. Both are extremely powerful programming languages. Both are easy to learn but hard to master. A lot of people who criticised VB never realised you can do pretty much anything in VB you can do in any other language, including true multithreading (before VB.NET, that's not the same).
SpeedEXEC 11-30-2006, 03:26 PM php is secure, the problem is the code.
To be honest, that's exactly what I've been thinking the entire time I've been reading these posts. If I wrote a simple script with a flaw across all of the languages, they will all be vulnerable to the problem. How can you say "php is better" or "asp.net is better" or "xxx is better" when they all fail to this. The bottom line in my opinion, as it's been said a few times, is your script is as secure as you make it
Personally, I prefer PHP over any other language because it's been the most dynamic and 'nice' language to me. I don't mean overall, I'm just talking about with me.
And to be honest, you can tell me 'asp will be better with this one' all you want. I can achieve the same exact answer with PHP if I wanted to. PHP can be compiled as well. And the 'plaintext' example for security, it's not plaintext if when I hit submit I have JavaScript encrypt it and then pass it to PHP, who encrypts it again until it hits the database, in which it's encrypted again. You can achieve the same result with any language if you put effort into it.
Besides, if I program in PHP - I'm still going to use JavaScript as well (you know, if I feel like it). I mean, come on. "You're promoting PHP and now--" Look. It's reality. I can put as many languages on there as I want, and use whatever I want. If you can do it in ASP and I can do it in PHP and JavaScript, guess what? It's still done. That's the bottom line.
As for security. Who said you need the source code to break into a website? Once again, it all comes down to how secure you make your code. If you don't use PHP and your source is compiled and encrypted to the max and is unhackable and unbreakable (yeah right) but I can go to yourdomain.com?admin=1 and get access to everything, where's the flaw? The programmer or the program?
Just my 2 cents. (I haven't posted in so long... and I come back to this, I feel like I'm home again! :))
Have a good one WHT.
Renard Fin 11-30-2006, 03:29 PM I wrote:
https://billing.yahoo.com/services/services_center.aspx
https://billing.yahoo.com/services/services_center.jsp
and it takes me to the same site. It means nothing to me.
Just a quick note.
Last month I read an article in a French magazine (Programmez!) with an interview with the creator of PHP, Rasmus Lerdorf. He explained that he "sold" the idea of PHP to Yahoo.com. Therefore, all the frontend of yahoo.com is in PHP and the backend is soon to follow. I assume it is currently the case.
mwatkins 11-30-2006, 08:47 PM https://billing.yahoo.com/services/services_center.php
is that mission-critical?
edit: Didn't realize someone had dealt with this already:
https://billing.yahoo.com/services/services_center.PORNO will take you to their login page, too. curl -I for that URL or its redirect target will not tell you what the underlying implementation is, either. For all we know it's a custom server written in assembly language.
Hiding the *implementation* is something many sites do (and should do more of). I rather prefer users not to know what is driving a site, partly for security-through-obscurity reasons (what limited value that may bring) but mostly so that as the underlying implementation changes -- and it likely will for any site of significance -- the URLs do not need to.
File extensions by language is just so... Nineties!
Googled 11-30-2006, 10:31 PM Yes, PHP can have a similar MVC concept, but again, I wouldn't trust it right away. I haven't really seen it proven in mission critical software. Correct me if I'm wrong, but since PHP is interpreted, all of the source code must be placed on the server. This means that anybody that has access to the server can easily obtain plaintext passwords to get into the site. With Java and ASP.NET, the code is compiled and uploaded. Therefore, the plaintext is not uploaded to the server.
I do not agree; there are plenty of Java disassemblers which return you the original code, which you can then modify the way you want to.
I don't think you should base your judgement on what language has been used. The real question is, IMO, does it answer your needs (stability, security, etc.).
G
MrMan 11-30-2006, 11:08 PM Again, I never stated that PHP is less secure, or ASP.NET is more secure. The responses only made it look like it. That was not the argument and the replies only made it a "this language is better than that".
All I did was state the FACT that because PHP is interpreted, the code must be in plaintext, and that a web administrator and web host can easily look at these files.
I also stated the FACT that if I have two pages, 'Login' and 'Show Statement', and I decide to make a change to have more pages between the two, a lot more work is required than if another language is used.
This is no different than saying with C, you are more prone to buffer overflow vulnerabilities than Java. Of course the developer can prevent buffer overflow attacks by writing secure code, but it would require more work and more code... and in my opinion, the more code you write, the more other bugs are likely.
We have 5 pages of responses, but none attempted to answer the question after mine.
Would you use PHP for a financial application? Would you want your bank to use PHP for transactions? Do you feel comfortable? Do you feel secured? These are the questions that should be answered in this post, and I think what the original poster is looking for.
brendandonhu 11-30-2006, 11:25 PM I also stated the FACT that if I have two pages, 'Login' and 'Show Statement', and I decide to make a change to have more pages between the two, a lot more work is required than if another language is used.
That doesn't even make sense...why is it that you think adding another page to your site in PHP requires more work than other languages?
MrMan 12-01-2006, 12:19 AM That doesn't even make sense...why is it that you think adding another page to your site in PHP requires more work than other languages?
Suppose I add the Security page.
Login -> Security -> Show Statement
I would have to make a change in 'Login' to now point to 'Security' and code in 'Security' to point to 'Show Statement'. In other words, we need to make changes in several pages. The developer needs to know which page goes where. If the original developer leaves the company, the new developer has to sit there and learn the structure of the whole site. Assuming there are hundreds of pages, that's a waste of time.
With an MVC model, such as Java and Struts, there is a configuration file that basically controls which page goes to what. Therefore, there is no need to modify any previous code, just make a change in one file. No need to understand every piece of code in the whole application.
I'm not saying PHP doesn't have an MVC. In fact, Zend is creating one:
http://framework.zend.com/
But it is still premature (it is in preview and not meant for production). Therefore it is not suitable for a financial application.
Somebody please give the original poster an answer. I would like to hear other people's opinions and/or solutions. This isn't a PHP versus other languages, but rather, would you use PHP for a financial application. The more we discuss my opinion, the more off topic we are going.
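The "one configuration file controls which page goes to what" idea that MrMan describes, written out as an added example in PHP (this is not code from any poster in the thread). It keeps the ordered flow Login -> Security -> Show Statement in a single table and, more importantly for a financial application, refuses to serve a step until the earlier steps are recorded in the session, so a user cannot jump straight to the statement page by typing its URL. The step names, the session layout and the `completed` key are assumptions made for the example; a real application would use `$_SESSION` and real handlers.

```php
<?php
// Added example, not from the thread. A single front controller holds the
// ordered login flow in one table and gates every request against it.
// Adding a step (e.g. 'pin' between 'security' and 'statement') means adding
// one entry to FLOW; no existing page needs to change. Step names and the
// session layout are assumptions for this example.
declare(strict_types=1);

// Ordered flow; each step is unlocked only after the ones before it.
const FLOW = ['login', 'security', 'statement'];

// The first step the user has not completed yet, or null when all are done.
function nextStep(array $session): ?string
{
    $done = $session['completed'] ?? [];
    foreach (FLOW as $step) {
        if (!in_array($step, $done, true)) {
            return $step;
        }
    }
    return null;
}

// Decide which step is actually served for a requested page. A request is
// honoured only if it is the next step or one already completed; otherwise
// the user is sent back to wherever they are in the flow. Requests for
// unknown pages after completion fall back to the final step.
function route(string $requested, array $session): string
{
    $done = $session['completed'] ?? [];
    $next = nextStep($session);
    if (in_array($requested, $done, true) || $requested === $next) {
        return $requested;
    }
    return $next ?? FLOW[count(FLOW) - 1];
}

// Record a step as completed. Only the current step may be marked, so a
// forged POST claiming to have finished a later step is ignored.
function complete(string $step, array $session): array
{
    if ($step === nextStep($session)) {
        $session['completed'][] = $step;
    }
    return $session;
}

// Demonstration with a constructed session (in a real app: $_SESSION).
$session = ['completed' => []];
echo route('statement', $session), "\n";   // fresh visitor asks for the statement
$session = complete('login', $session);
echo route('statement', $session), "\n";   // logged in, second step still pending
$session = complete('statement', $session); // attempt to skip ahead
echo route('statement', $session), "\n";
$session = complete('security', $session);
echo route('statement', $session), "\n";   // all prerequisites satisfied
```

Run as written, the four `route()` calls print `login`, `security`, `security` and `statement`: the attempt to mark `statement` complete before `security` has no effect, which is the property a step-by-step login needs and the property that gets lost when each page links to the next on its own.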
brendandonhu 12-01-2006, 12:31 AM And that would be incorrect, because PHP programmers do use MVC and other design patterns. There are also templating engines that can do the same thing.
MrMan 12-01-2006, 12:32 AM And that would be incorrect, because PHP programmers do use MVC and other design patterns. There are also templating engines that can do the same thing.
Of course they do. But I haven't seen it in a financial application (which is what the original question is about, and what I am answering). So you must have seen it, and would recommend for a bank application then?
brendandonhu 12-01-2006, 12:40 AM The programming language doesn't know or care if you're creating a financial application or a homepage for your dog. What does the content of the site have to do with using MVC?
MrMan 12-01-2006, 12:52 AM Well, although many languages can do many things, there are preferred languages for certain applications. In my opinion, I wouldn't recommend using PHP for a financial application based on my own reasons. Just like I wouldn't recommend using Java for a high graphic, heavy-calculations video game and instead would use C or C++. In this case, it's not the developer but the language that determines how well the game can run. In other words, if we have two developers of equal skill (one using Java, one using C) and creates the game, the C programming language would be the better choice for this specific application.
With that said, the framework is just as important. If you want a secure application, you want it to be easily maintained, manageable, and easy for the developers to understand.
The game example shows that it's not just a "depends on the developer" question, but rather... would you recommend using the PHP language for this specific application, a bank application? Do you feel safe using it?
brendandonhu 12-01-2006, 01:06 AM There are technical reasons that C might outperform Java in high-powered graphics. How about an actual technical reason that PHP is insecure? That would be more convincing than telling us that you have "your own reasons."
All we've heard so far is something about other languages making it easier to add more links to your page, hardly has anything to do with security.
MrMan 12-01-2006, 01:18 AM Did you miss the part when I said that PHP is interpreted and the source code is in plaintext when stored on the server, making it easy for web administrators and other people who should have permission to the site, have the ability to view the code and learn about access to the other parts that they shouldn't, like the database.
And from my very first reply, I never said PHP was insecure.
And so you would recommend your bank to use PHP for their applications? Why are we avoiding the original post?
brendandonhu 12-01-2006, 01:30 AM Did you miss the part when I said that PHP is interpreted and the source code is in plaintext when stored on the server?
You could encode your PHP source to make it unreadable if you wanted, but that isn't needed for security, since being interpreted doesn't make it vulnerable. If it did, the tens of millions of websites written in unencoded PHP, Perl, Python, and Ruby would be vulnerable.
Any site written in any language (PHP, C, ASP, ColdFusion, whatever) is already compromised if someone has unauthorized access to the files on your server, whether they can see the source or not. Even if it were in a compiled language, that doesn't stop reverse engineering (and any app can be reverse engineered), and doesn't do anything to protect databases where the valuable info is usually stored. Any professional programmer is aware that sensitive data needs to be encrypted and stored securely, this is independent of language. And if your host goes through your files to steal data from your scripts, your problem is a sleazy webhost, not the programming language.
And so you would recommend your bank to use PHP for their applications?
I, along with most of the rest of the world, don't care what programming language my bank uses as long as it works and it's secure.
OnlineRack 12-01-2006, 01:38 AM Ok all. Now back to the original question LOL..... I had no idea it was going to go to 6+ pages. Have you seen any sites that have some financial app in PHP... some reputable company? I very well understood that PHP is secure unless I screw up in my code. ;)
MrMan 12-01-2006, 01:39 AM Any site written in any language (PHP, C, ASP, ColdFusion, whatever) is already compromised if someone has unauthorized access to the files on your server, whether they can see the source or not.
Who said anything about unauthorized access on the files? Suppose a web admin has access to the site, but should not have access to the database. Maybe he should be able to change some text in the file. However, this also does not prevent him from seeing database information.
Even if it were in a compiled language, that doesn't stop reverse engineering (and any app can be reverse engineered), and doesn't do anything to protect databases where the valuable info is usually stored. Any professional programmer is aware that sensitive data needs to be encrypted and stored securely, this is independent of language. And if your host goes through your files to steal data from your scripts, your problem is a sleazy webhost, not the programming language.
This requires more knowledge. Everybody knows security is never 100%, and a determined hacker can break into the site. A binary file is harder than plaintext.
I, along with most of the rest of the world, don't care what programming language my bank uses as long as it works and it's secure.
Most of the rest of the world don't care because they don't know programming languages.
MrMan 12-01-2006, 01:46 AM Ok all. Now back to the original question LOL..... I had no idea it was going to go to 6+ pages. Have you seen any sites that have some financial app in PHP... some reputable company? I very well understood that PHP is secure unless I screw up in my code. ;)
I have not seen any financial application written in PHP. Most financial applications that I have seen are written in Java (and its web technologies) due to portability, support, amount of experts in the field, availability of experts, easy intercommunication with other applications (API).
Sorry if most of the responses were replies to my reply. I wish they could answer your post, as I too, am interested in seeing others point of view, their solution, and their answer to your question.
brendandonhu 12-01-2006, 01:48 AM Who said anything about unauthorized access on the files? Suppose a web admin has access to the site, but should not have access to the database. Maybe he should be able to change some text in the file. However, this also does not prevent him from seeing database information.
Then you should put a password on your database that the person doesn't know. This has nothing to do with PHP at all.
A binary file is harder than plaintext.
Any experienced programmer will probably tell you that security through obscurity is nearly worthless. An insecure compiled script is exploited just the same as an insecure PHP script. Web apps often have problems with database injection, email injection, cross-site scripting, full path disclosure, session hijacking, etc., and none of these vulnerabilities would be affected by whether you use plaintext or binary files.
Have you seen any sites that have some financial app in php... Some reputable company?
Yes, a lot of sites use PHP for eCommerce and credit card processing. Most of the merchant account providers/gateways offer interfaces for doing transactions with PHP. Like someone said earlier, large companies like Yahoo are making the switch to PHP.
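Two of the vulnerability classes brendandonhu lists, SQL injection and cross-site scripting, shown in PHP in their vulnerable and hardened forms. This is an added example, not code from any poster; the `users` table, its columns and the in-memory SQLite database (requires the `pdo_sqlite` extension) are constructed for the demo. Neither defect has anything to do with whether the source is readable, which is the point being made above.

```php
<?php
// Added example, not from the thread. Vulnerable and hardened forms of the
// two most common web-app bugs named in the post. Table, columns and the
// SQLite in-memory database are assumptions for a self-contained run.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT)');
$db->exec("INSERT INTO users (name, password_hash) VALUES ('alice', 'x'), ('bob', 'y')");

// VULNERABLE: the user-controlled value is concatenated into the SQL text,
// so a value such as  ' OR '1'='1  changes the structure of the query
// and the WHERE clause matches every row.
function findUserVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: a prepared statement sends the query text and the parameter
// separately, so the value is only ever compared as data, never parsed as SQL.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$payload = "' OR '1'='1";
printf("vulnerable lookup returned %d rows\n", count(findUserVulnerable($db, $payload)));
printf("hardened lookup returned %d rows\n", count(findUserSafe($db, $payload)));

// Cross-site scripting: the same discipline applies on the way out.
// VULNERABLE: untrusted text is interpolated straight into HTML, so a
// <script> element supplied by the user reaches other users' browsers.
function greetVulnerable(string $name): string
{
    return "<p>Hello, $name</p>";
}

// HARDENED: encode for the HTML text context. ENT_QUOTES also covers the
// case where the value later ends up inside a quoted attribute.
function greetSafe(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

$xss = '<script>alert(document.cookie)</script>';
echo greetVulnerable($xss), "\n";
echo greetSafe($xss), "\n";
```

With the payload above the concatenated query returns both users and the prepared statement returns none, since no user is literally named `' OR '1'='1`. The second half prints the script element once intact and once as entity-encoded text. The same two fixes (parameterised queries, context-aware output encoding) are what you would write in ASP.NET or Java; a compiled binary with the concatenation bug is exploited identically.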
Marble 12-01-2006, 02:16 AM MrMan you are going back and forth with this financial bit. You treat it as though some bank is going to hire some teenager on WHT to host a bank web site on their site5 dreamhost account.
It doesn't work that way. You seem knowledgeable enough to know that.
MrMan 12-01-2006, 02:22 AM Then you should put a password on your database that the person doesn't know. This has nothing to do with PHP at all.
When you connect to the database with PHP, you put the password in the script.
Any experienced programmer will probably tell you that security through obscurity is nearly worthless. An insecure compiled script is exploited just the same as an insecure PHP script. Web apps often have problems with database injection, email injection, cross site scripting, full path disclosure, session hijacking, etc., none of these vulnerabilities would be affected by whether you use plaintext of binary files.
A security expert will tell you about defense-in-depth. Decompiling a binary file is not as easy as you think it is. If it is, then proprietary file formats would not exist. When was the last time you decompiled a file? When was the last time you opened a plaintext file? Which was easier? Also, a compiled program was not designed to obfuscate. It just so happens that it has that characteristic, which I would prefer.
There's a reason we put up firewalls. Even though sophisticated hackers can get around it, we still prevent access from basic attacks. Again, why make it easy?
MrMan 12-01-2006, 02:28 AM MrMan you are going back and forth with this financial bit. You treat it as though some bank is going to hire some teenager on WHT to host a bank web site on their site5 dreamhost account.
It doesn't work that way. You seem knowledgeable enough to know that.
Marble, you're absolutely right. The reason I keep going back is because they're avoiding the original question. The original poster said he wants to create a similar application of a bank.
I simply stated my opinion, and people seem angered as if I said PHP sucks, or PHP is not capable (which I never did).
I am interested in seeing a proven financial application / bank application that uses PHP. Yahoo moving towards PHP is not proven. They're moving towards, not been using it for years and years.
In my opinion, not all languages are good enough to handle ALL types of web applications.
Anyway, I said my opinion, made my argument, have not heard other opinions/suggestions. I'm done. You know where I stand. Oh yea, my sites below are most likely going to be in PHP. :)
Marble 12-01-2006, 02:51 AM http://www.capitalone.com/ -- uses some php
http://www.bankofamerica.com/index.cfm -- cold fusion
https://www.paypal.com/ -- uses cgi-bin (perl?)
Often it's hard to tell exactly what they are using without more searching, as they use .html or no extensions. And most likely they don't use one technology. They could build a web framework out of PHP, but all the actual transactions are happening in Java. It's not so cut and dried.
My point is there are plenty of technologies out there. If you are going to be setting up some "mission critical" bank-like site, then asking your buddy or cousin if PHP is secure tells me you have no idea what you're getting into (the OP). There are laws and regulations on how you handle money and credit information on the net. So if the OP is serious about having a big financial web site then you need to consider what type of hosting environment you are dealing with. All this talk about plain text files... blah blah would really only matter if you write bad code and host in an insecure environment, which is illegal when dealing with finance (the latter).
The OP should be talking to a reputable company that develops software and be willing to shell out some hefty cash if they are really serious about making a mission-critical web site that has financial data.
maxymizer 12-01-2006, 05:05 AM The largest problem imposed by MrMan is that your mission-critical banking software can be hijacked by your sleazy web hosting provider :D
I know of no proven banking software. I don't even know about asp.net or Java banking software.
I don't even see why the language is the issue in banking software. Most of the critical data will be handled by the database, not the language itself. I don't even see why you wouldn't use php encoded with IonCube / ZendEncoder and create banking software using Oracle as your database.
It's not like php will drop an array or two when collecting customers' name and last name :D
Your key argument is that php is plain text. Yes, it is plain text but there are means to obfuscate and encode php scripts. Yes, it's not out of the box solution but third-party one but it's available. And as I said before, anyone doing any serious web apps will be doing them in a controlled environment or they'll be encoding them to avoid issues you mentioned (code theft).
We've been dragging this back and forth, there's still no proof that PHP can't do a certain web-based job (but no, it's not an FPGA controller or whatever).
There's also no proof about insecurity or its inability to allow you to create maintainable software.
brendandonhu 12-01-2006, 04:06 PM When you connect to the database with PHP, you put the password in the script.
That's kind of how databases work. Any script in any language that connects to a database needs the password to do so, whether it's in PHP or C. It's not as difficult as you might think to pull a string out of a binary file. This doesn't make it any less secure: if you don't want someone to have access to your database, you obviously wouldn't allow them to access a file with your database password in it in the first place.
WHT runs on PHP with the database password stored in a file. Why hasn't it been hacked yet?
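The practical answer to MrMan's "a web admin who can edit a text file can read the database password" scenario (L446, L463) and to brendandonhu's reply is to keep the credentials out of the web-editable code tree entirely, in a file readable only by the PHP runtime user, and to give the web tier a database account that can only do what the site needs. The PHP below is an added example, not code from the thread: the INI keys, the `app_ro` account and the `/etc/myapp/db.ini` path are assumptions, and the demonstration at the bottom uses a temporary file and SQLite so it runs stand-alone on a POSIX system.

```php
<?php
// Added example, not from the thread. Loads database credentials from a
// file outside the document root and refuses to start if that file is
// readable by anyone other than its owner. The INI keys, the path in the
// usage comment and the DB account name are assumptions for this example.
declare(strict_types=1);

function loadDbConfig(string $path): array
{
    if (!is_file($path)) {
        throw new RuntimeException("credentials file missing: $path");
    }
    // Refuse group- or world-readable files. Someone who can edit templates
    // under the web root but is not the PHP runtime user cannot read this.
    $mode = fileperms($path) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf('%s is too permissive (%04o); expected 0600', $path, $mode));
    }
    $cfg = parse_ini_file($path, false, INI_SCANNER_TYPED);
    if ($cfg === false) {
        throw new RuntimeException("cannot parse $path");
    }
    foreach (['dsn', 'user', 'password'] as $key) {
        if (!isset($cfg[$key]) || $cfg[$key] === '') {
            throw new RuntimeException("missing key '$key' in $path");
        }
    }
    return $cfg;
}

function connect(array $cfg): PDO
{
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['password'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use server-side prepared statements
    ]);
}

// Production usage (path is an assumption): the file lives outside the
// document root, is owned by the PHP runtime user and has mode 0600, e.g.
//     $db = connect(loadDbConfig('/etc/myapp/db.ini'));
// and the account it names is deliberately limited, created by the DBA:
//     CREATE USER 'app_ro'@'10.0.0.%' IDENTIFIED BY '<secret>';
//     GRANT SELECT ON bank.statements TO 'app_ro'@'10.0.0.%';
// so even a leaked password cannot write to or dump other tables.

// Demonstration with a constructed credentials file and SQLite.
$tmp = tempnam(sys_get_temp_dir(), 'dbini');
file_put_contents($tmp, "dsn = \"sqlite::memory:\"\nuser = \"app_ro\"\npassword = \"example-only\"\n");

chmod($tmp, 0644); // world-readable: must be rejected
try {
    loadDbConfig($tmp);
    echo "unexpected: permissive file accepted\n";
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

chmod($tmp, 0600); // owner-only: accepted
$db = connect(loadDbConfig($tmp));
echo "connected via ", $db->getAttribute(PDO::ATTR_DRIVER_NAME), "\n";
unlink($tmp);
```

The permission check is the part that answers the thread's objection: the password is still "in a file", as it must be for any language, but the file is not one a template editor or a co-tenant on a shared host can open, and the account it unlocks cannot do more than the page needs.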
brendandonhu 12-01-2006, 04:42 PM And for financial applications using PHP, see stormpay.com and cdgcommerce.com.
jt2377 12-01-2006, 05:50 PM The largest problem imposed by MrMan is that your mission-critical banking software can be hijacked by your sleazy web hosting provider :D
I know of no proven banking software. I don't even know about asp.net or Java banking software.
I don't even see why the language is the issue in banking software. Most of the critical data will be handled by the database, not the language itself. I don't even see why you wouldn't use php encoded with IonCube / ZendEncoder and create banking software using Oracle as your database.
It's not like php will drop an array or two when collecting customers' name and last name :D
Your key argument is that php is plain text. Yes, it is plain text but there are means to obfuscate and encode php scripts. Yes, it's not out of the box solution but third-party one but it's available. And as I said before, anyone doing any serious web apps will be doing them in a controlled environment or they'll be encoding them to avoid issues you mentioned (code theft).
We've been dragging this back and forth, there's still no proof that PHP can't do a certain web-based job (but no, it's not an FPGA controller or whatever).
There's also no proof about insecurity or its inability to allow you to create maintainable software.
Wells Fargo is Java and Dell is ASP.NET. Both are mission critical. Wells Fargo uses Java for their online banking system, while Dell's site processes millions of orders every day.
Rman2003 12-01-2006, 06:14 PM Financial applications that use PHP? Granted it may not be exactly what you're looking for, but what about the obvious? Modernbill, ClientExec, WHMCS, etc etc.. All of these are based on PHP and I don't know about you, but I'd bet your customers consider their financial data pretty sensitive.
I personally would have no problem with my bank using PHP. US Bank uses a combination of Cold Fusion, ASP, and Java. If they threw PHP in there, I'd have no concerns about it.
I like this thread :)
#1 You can't compare PHP to ASP.NET. PHP is a language; ASP.NET is a technology. VB.NET, C#, J# are languages.
#2 There's no secure programming language however some of them provide more security by default. From personal experience, I prefer .net when developing commercial applications.
#3 Your mission critical application will never be 100% secure. There's always something that analysts / programmers / testers miss.
Alberto 12-02-2006, 11:26 AM You can compare php with asp.net since they are both application server layer technologies. So I would say that is very accurate.
Any script in any language that connects to a database needs the password to do so, whether it's in PHP or C. It's not as difficult as you might think to pull a string out of a binary file. This doesn't make it any less secure-- if you don't want someone to have access to your database, you obviously wouldn't allow them to access a file with your database password in it in the first place.
Brendan is quite right on this. It's fair to say, though, that in terms of stripping out strings, it's not hard to obfuscate them so that you can't see them trivially. We do this with some of our own products so that running a tool such as Unix strings reveals only what we want people to see if they are poking around, and we also have some fun with the symbols, but this only stops someone trivially seeing the strings.
PHP has a bigger problem, which is where Brendan's second point really hits the nail, in that it's open source. Encoding files of course makes sense, but even doing this, calls to mysql_connect still head out into the world of open source code and the potential for someone changing it and logging the username and password to a file. Therefore it's important to avoid a) the PHP installation on the machine where scripts run from being compromised, and b) scripts being runnable on a separate system that might well be running a modified PHP because it's in the home of a hacker. If the files are encoded then there's at least a window of opportunity within which to detect the intrusion and shut down the system before a hacker has had time to set up a system that can coax the encoded scripts into making the mysql connect with their modified PHP, discover the password, and then come back to try and take advantage of it. However, as Brendan says, as far as possible you need to prevent access to the scripts in the first place, and have systems in place that have a good chance of detecting and raising an alert of an intruder when and if it happens.
With security you really have to ask yourself "what if" all the time, or at least until you reach a comfort zone where a breach becomes not a problem. Most of us will put locks on our houses as that stops easy theft. But we have to ask "what if" we still get burgled? To minimise the damage if the locks get broken we take out insurance. But "what if" the insurance doesn't cover us? To minimise that risk you would use a well-known insurer and check the small print for clauses that might exclude those items that are the most valuable. "What if" items are irreplaceable? Well, that's tricky, but if it's data or source code, you can keep copies offsite, have fake copies made of valuable jewellery and use the fakes, etc.
Same with servers. "what if" my server goes offline for a few hours. "what if" my hard drive fails? "what if" my server goes offline forever? "what if" my server gets hacked? "what if" I collect credit card details and my database files get stolen? There are answers to all of these things and the risks can be reduced, but you have to ask the questions in the first place otherwise a system built with any technology may have an unacceptably high degree of risk.
You can compare php with asp.net since they are both application server layer technologies. So I would say that is very accurate.
Did you even understand what you typed?
Even though ASP.NET takes its name from Microsoft's old web development technology, ASP, the two differ significantly. Microsoft has completely rebuilt ASP.NET, based on the Common Language Runtime (CLR) shared by all Microsoft .NET applications. Programmers can write ASP.NET code using any of the different programming languages supported by the .NET Framework, usually C#, Visual Basic.NET, or JScript .NET, but also including open-source languages such as Perl and Python. ASP.NET has performance benefits over other script-based technologies because the server-side code is compiled to one or a few DLL files on a web server.
http://en.wikipedia.org/wiki/ASP.NET
Rman2003 12-02-2006, 11:34 PM With security you really have to ask yourself "what if" all the time, or at least until you reach a comfort zone where a breach becomes not a problem. Most of us will put locks on our houses as that stops easy theft. But we have to ask "what if" we still get burgled? To minimise the damage if the locks get broken we take out insurance. But "what if" the insurance doesn't cover us? To minimise that risk you would use a well-known insurer and check the small print for clauses that might exclude those items that are the most valuable. "What if" items are irreplaceable? Well, that's tricky, but if it's data or source code, you can keep copies offsite, have fake copies made of valuable jewellery and use the fakes, etc.
Not to start a separate debate, because I do agree to an extent, but if someone wants what you have bad enough, all the security in the world won't do you much good. You could put 20 locks on your door and have a vicious guard dog... however, "WHAT IF" someone drives their cargo van through the front of your house with a box full of steaks? LOL. I'm sure it's happened somewhere at sometime and I wonder what the equivalent of that would be concerning protecting source code and passwords? Maybe someone gaining physical access to the server and walking away with it? Just something to think about I guess.
Burhan 12-03-2006, 03:27 AM Security is in place to provide the following:
1. Deterrence
2. Audit
3. Recovery
It does not provide "protection". Hell, even one of the earliest security devices ever made (the lock) is not 'pick proof' -- they are rated on 'pick resistance'; basically, how long it can resist being picked by a skilled thief.
"What if" scenarios are not really in the realm of security; if you ask anyone they can come up with a few more "what ifs" for your application, and this quickly gets out of hand.
For any application; developed in any language you must start off with the three points I mentioned above in mind, and relate them to your application. In addition -- think of the following questions:
1. What is the value of the data?
2. What is the risk associated with the data?
3. What is the acceptable risk for this application?
Note: These questions are not to be decided by the programmer, the network admin or the database admin. These are all answered by the data owners. You as programmers must ASK these questions of the data owners.
Once you get the answers to these questions above, then you will be better prepared to program the security in your application. So, if the risk is minimal, you don't need an encrypted database; however, if the risk is high -- maybe you want to think about not outsourcing your hosting and getting a dedicated server in house that you can monitor and control.
If you start thinking in a bit more abstract way, as I have illustrated above, then the decision on language/platform doesn't become as important, because no matter which platform you go with, you will know exactly what needs securing and to what degree; then you can use the tools provided to you for your chosen platform to provide those controls.
Not to start a separate debate, because I do agree to an extent, but if someone wants what you have bad enough, all the security in the world won't do you much good. You could put 20 locks on your door and have a vicious guard dog... however, "WHAT IF" someone drives their cargo van through the front of your house with a box full of steaks?
LOL, and this is exactly my point. You want the security, otherwise it's a sure thing that you're going to be constantly suffering the results of not having any, because people will take advantage of the lack of it; but you may still need to face the reality that someone could still drive through the front of the house, come down the chimney, go through the sewer system and come up through the floor, break into the less secure neighbours next door who are away on holiday and smash through the wall into your property if the buildings have a party wall, etc. However, by covering yourself enough, annoying though it would be, with enough precautions the knock-on effects could be minimised.
For example, to try and minimise risks to our crucial data becoming damaged we replicate databases to servers on different networks from different providers, take full database snapshots every 15 minutes and archive those for several days, and keep full database snapshots daily for months. The aim being to cover us if hardware fails, and to allow us to get back to a good state with minimal and most likely no loss of data quickly if a faulty SQL statement damages the database. And over a few years, these precautions have paid off on several occasions, both from damaged data and hardware failure.
After the first of several times that the Host Europe data centre in London, now pipex, lost power and there was no working backup power, we quickly learnt that things that should never happen most likely will.
Alberto 12-04-2006, 04:36 AM Did you even understand what you typed?
Sorry meant asp not asp.net
Didn't even notice I typed asp.net in my response
hostmad 12-04-2006, 09:40 AM Even if you encrypt the passwords in a file, wouldn't your method of decryption be in the source code?
What you said is right, but the concept applies to all web programming scripts.
Exitof99 12-05-2006, 02:34 AM Even if you encrypt the passwords in a file, wouldn't your method of decryption be in the source code?
I haven't read through the entire post, but for better security, you shouldn't use two-way encryption of the passwords. Instead, you can use a one-way encryption and store the encrypted results.
Example:
iLovePron --> Two-way Encryption --> (*@HR(!@*HJKASF --> Plaintext Stored in DB --> Server decrypts and checks iLovePron against user-submitted ILovePron
iHateJebus --> One-way Encryption --> UH@UHG!@G!GH((ASD --> Encrypted Stored in DB --> Server compares DB password with re-encrypted submitted data.
Burhan 12-05-2006, 02:57 AM Exitof99, even with two way encryption, you never store plain text in the DB. I don't know where you got that idea.
Two way encryption is like this:
Plain Text -> Encrypt -> Cryptext -> Decrypt -> Plain text
What is stored in the database is the Cryptext.
What you have described as 'one way encryption' is more like a hashing algorithm, which is thus:
Plain Text -> Algorithm -> Hash
Hash is stored in the database, then, to verify.
Plain Text -> Algorithm -> Hash. If this Hash matches that of the database, user is authenticated.
The key difference is, with the 'one way' (or hash) you cannot easily derive the plain text from the cryptext (or hash in this case).
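Burhan's two paths, and hostmad's earlier question about the decryption method living in the source, written out as an added PHP example (not code from any poster). Passwords go through a one-way hash with PHP's built-in `password_hash()`, which can only be verified, never reversed. Data that genuinely has to be read back (a card number is the constructed example here) goes through two-way authenticated encryption with the sodium extension (PHP 7.2 or later); the decryption routine is indeed in the source, as hostmad says, but it is useless without the key, which is why the key is generated and held outside the database rather than stored beside the ciphertext. The function names and the sample values are assumptions for the demo.

```php
<?php
// Added example, not from the thread. One-way hashing for passwords versus
// two-way authenticated encryption for data that must be recovered.
// Requires the sodium extension (bundled since PHP 7.2). Sample values
// are constructed; the key-file arrangement in the comments is an assumption.
declare(strict_types=1);

// ---- One-way: passwords --------------------------------------------------
function storePassword(string $plain): string
{
    // bcrypt with a fresh random salt per password. The returned string
    // embeds algorithm, cost and salt, so it is the only thing stored.
    return password_hash($plain, PASSWORD_DEFAULT);
}

function checkPassword(string $submitted, string $storedHash): bool
{
    // Recomputes the hash from the submitted text and compares in
    // constant time. Nothing here can turn $storedHash back into text.
    return password_verify($submitted, $storedHash);
}

// ---- Two-way: data that must be read back --------------------------------
function encryptField(string $plain, string $key): string
{
    // XSalsa20-Poly1305 secretbox: confidentiality plus an authentication
    // tag, so tampering with the stored value is detected on decrypt.
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plain, $nonce, $key);
    return base64_encode($nonce . $cipher); // nonce is not secret; store it with the ciphertext
}

function decryptField(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    return $plain === false ? null : $plain; // false when the tag fails or the key is wrong
}

// ---- Demonstration with constructed values -------------------------------
$hash = storePassword('iHateJebus');
var_dump(checkPassword('iHateJebus', $hash)); // correct password
var_dump(checkPassword('ihatejebus', $hash)); // wrong case

// In production the key is generated once and kept in a file outside the
// web root and outside the database (assumption for this example); a dump
// of the database alone then yields only ciphertext.
$key    = sodium_crypto_secretbox_keygen();
$stored = encryptField('4111 1111 1111 1111', $key);
var_dump(decryptField($stored, $key));                // with the right key

$stored[10] = ($stored[10] === 'A') ? 'B' : 'A';       // corrupt one stored character
var_dump(decryptField($stored, $key));                // tampered value

$otherKey = sodium_crypto_secretbox_keygen();
var_dump(decryptField(encryptField('x', $key), $otherKey)); // wrong key
```

Run as written, the two password checks print `bool(true)` and `bool(false)`, the first decryption returns the card number, and both the tampered value and the wrong-key attempt return `NULL`. That last behaviour is the reason to prefer an authenticated construction over a bare cipher for stored fields, and the separation of key from database is what makes "the decryption code is on the server" acceptable: the code is not the secret, the key is.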