Any large financial institutions using PHP?
Jatinder 04-30-2008, 10:23 AM Hi,
Does anybody know of any large financial institutions/banks which use PHP for their website?
Thanks,
Jatinder
alex-developer 04-30-2008, 04:56 PM No, I have seen that bank using the ASP for their website & Windows OS.
Jatinder 04-30-2008, 09:49 PM No, I have seen that bank using the ASP for their website & Windows OS.
Same here. I couldn't find a single bank which uses PHP. JSP and ASP seem to be the preferred languages for banks.
I wonder why. Maybe it's because PHP is not considered secure enough.
MachSol 05-01-2008, 02:28 AM I think most banks prefer Microsoft compared to open-source.
MoneyMakerMonitor 05-01-2008, 03:01 PM I think most banks prefer Microsoft compared to open-source.
Yes, you're right!
pavelJ 05-01-2008, 07:42 PM :-)
The mainstream programming languages for enterprise applications are Java and .Net
still..
phpDeveloper81 10-25-2011, 05:41 AM Same here. I couldn't find a single bank which uses PHP. JSP and ASP seem to be the preferred languages for banks.
I wonder why. Maybe it's because PHP is not considered secure enough.
If you think that no financial institution uses PHP, then you haven't looked hard enough. Three very prominent financial institutions that I know of use PHP: Navy Federal Credit Union (the world's largest credit union), Capital One (5th largest deposit portfolio in the US), and ING Financial Services (ing.us, part of the world's largest financial institution). ING specifically uses Drupal, which has been a proven PHP CMS that is capable of very demanding enterprise level operations. It's anybody's guess as to their database since PHP supports so many, but I say it's likely a toss-up between an enterprise edition of MySQL or Oracle.
The fact that these institutions use PHP is a testament to the fact that PHP when coded with good security practices is every bit as capable as other server side languages in terms of security. PHP only gets a bad rep because it is relatively easy to learn and novice/beginner/hobbyist PHP programmers don't always use best security practices.
I would put money on the fact that we will see more financial institutions use PHP in the future, especially smaller institutions that want to get the best possible value for their IT dollars.
abenson 10-25-2011, 05:27 PM Does anybody know of any large financial institutions/banks which use PHP for their website?
Sounds like someone wants to hack a bank website ;)
phpDeveloper81 10-28-2011, 03:41 AM Sounds like someone wants to hack a bank website ;)
There would be no need to find a bank with a PHP site to do this. All it takes is to know how to exploit potential security holes in regards to the server side language. ASP.NET is notorious for them, and I'm sure that JSP, Ruby, and Cold Fusion have them as well. I'm not letting PHP off the hook, because it has some as well.
The bottom line is that any website, regardless of the server side language used, can be very secure when the best security practices are used. PHP is no exception. The reverse holds true as well. Besides, any hacker would have to really know their sh!t to pull any bank hack off and not get caught, since it is relatively easy to track them down.
NeoBB 11-06-2011, 12:00 PM PHP was not really made for stuff like that.
phpDeveloper81 11-06-2011, 12:06 PM PHP was not really made for stuff like that.
I beg to differ, and so do the sites that I mentioned.
quantumphysics 11-06-2011, 12:34 PM If you think that no financial institution uses PHP, then you haven't looked hard enough. Three very prominent financial institutions that I know of use PHP: Navy Federal Credit Union (the world's largest credit union), Capital One (5th largest deposit portfolio in the US), and ING Financial Services (ing.us, part of the world's largest financial institution). ING specifically uses Drupal, which has been a proven PHP CMS that is capable of very demanding enterprise level operations. It's anybody's guess as to their database since PHP supports so many, but I say it's likely a toss-up between an enterprise edition of MySQL or Oracle.
The fact that these institutions use PHP is a testament to the fact that PHP when coded with good security practices is every bit as capable as other server side languages in terms of security. PHP only gets a bad rep because it is relatively easy to learn and novice/beginner/hobbyist PHP programmers don't always use best security practices.
I would put money on the fact that we will see more financial institutions use PHP in the future, especially smaller institutions that want to get the best possible value for their IT dollars.
Only ING's FRONTEND CORPORATE site (with ONLY INFORMATION) is in drupal.
ALL backend (online banking, anything requiring login) is NOT php.
====
NavyFCU's FRONTEND CORPORATE site is in PHP.
Click log in - it's no longer php.
====
Capitalone's FRONTEND CORPORATE SITE is in PHP.
https://www.capitalone.com/login.php - ALL OF THEM send you to .aspx on a different domain.
None of the examples you gave use PHP for anything more than logged-out information display.
phpDeveloper81 11-06-2011, 12:50 PM You are right on Capital One (and likely so with ing.us), but don't forget that I bank with NavyFCU, and you are dead wrong on your assumption that they don't use PHP for their online banking. When I logged into my account, I simply tested it by adding /index.php to the url to see what happened. The results: the same page. NavyFCU uses PHP for their online banking. Fact.
quantumphysics 11-06-2011, 12:55 PM You are right on Capital One (and likely so with ing.us), but don't forget that I bank with NavyFCU, and you are dead wrong on your assumption that they don't use PHP for their online banking. When I logged into my account, I simply tested it by adding /index.php to the url to see what happened. The results: the same page. NavyFCU uses PHP for their online banking. Fact.
Server: IBM_HTTP_Server
https://myaccountsaws.navyfcu.org/mfnfopwd/index.php is a 404
If you're talking about https://myaccounts.navyfcu.org/cgi-bin/ifsewwwc, look at https://myaccounts.navyfcu.org/cgi-bin/ifsewwwc/index.jsp or https://myaccounts.navyfcu.org/cgi-bin/ifsewwwc/anything..
phpDeveloper81 11-06-2011, 01:13 PM Server: IBM_HTTP_Server
https://myaccountsaws.navyfcu.org/mfnfopwd/index.php is a 404
If you're talking about https://myaccounts.navyfcu.org/cgi-bin/ifsewwwc, look at https://myaccounts.navyfcu.org/cgi-bin/ifsewwwc/index.jsp or https://myaccounts.navyfcu.org/cgi-bin/ifsewwwc/anything..
I am referring to the actual logged-in side of Navy Federal's banking. Here is the address: https://myaccountsaws.navyfcu.org/nfoaa/main
I don't know if you can ping it, because you gotta log in to view the page. I can because I have a Navy Federal account. I gave you the benefit of the doubt and typed in /index.jsp after main. The result: a 404. Index.php works quite well though.
BTW, I checked out the link you sent me for Navy Federal's login. Both index.php and index.jsp can access it. I am not ruling out the possibility that JSP is being utilized in some fashion. This wouldn't surprise me since many corporate websites use multiple server-side languages/frameworks to power everything. However, the fact remains that PHP is an integral part of NavyFCU's online banking system, and not merely to power the front-end of the bank's site.
PHP is not secure. Go to any PHP website and View Source and there you have all the other party's intellectual property exposed.
So any banking institutions using it are just inviting trouble. That's the reason and the answer to the OP's question.
quantumphysics 11-07-2011, 05:48 PM PHP is not secure. Go to any PHP website and View Source and there you have all the other party's intellectual property exposed.
Is this a joke or am I not understanding this post
phpDeveloper81 11-07-2011, 05:51 PM PHP is not secure. Go to any PHP website and View Source and there you have all the other party's intellectual property exposed.
So any banking institutions using it are just inviting trouble. That's the reason and the answer to the OP's question.
You need to be more specific about how viewing the source HTML of a PHP site "exposes the intellectual property". HTML is HTML. Regardless of the server-side language, the output to the browser is all HTML and any server side language has the potential of exposing sensitive information if the programmers are not careful enough.
PHP not secure? That is rubbish. PHP's biggest security problem has always been the programmers not coding to best security standards, not the inherent problems in PHP itself. I invite you to show me an article where a PHP site was a security failure despite the best security measures in place. I can certainly show you a few on ASP.NET, yet it hasn't deterred the bulk of the corporate world from using that platform.
As mentioned and proven in my earlier posts, NavyFCU does use PHP to run their site, front and back end. I have yet to hear of any news related to their site being hacked.
TwineDev 11-07-2011, 06:17 PM Years ago I was asked about setting up a web server for a center I worked for at a University. They INSISTED on running Windows 2000 with IIS over LAMP. Reason? With Microsoft, it is paid for so you can call someone for help. NO JOKE, that was their reason. (despite that I helped maintain a college web server on LAMP, worked with instructors who set up and administered the server, and oh yeah, the university had a whole bunch of guys over in IT who maintained the main university's LAMP web servers!)
You have to figure, most banks probably started with what they had hired already back when they started online banking, which was probably not as many people sitting around that worked in LAMP environment, they probably had mostly windows developers for their software they ran at the bank.
Just a fact, you go with what you know. Decision makers know (well think they do) Windows. Back years ago, Linux was "isn't that something they experiment with?"
PHP is not secure because it is not a compiled language like ASP.NET. It is just a hacked up and put together type of language. You have dozens and dozens of frameworks for it.
NeoBB 11-09-2011, 02:44 PM I wouldn't say PHP is not secure. It's just a lot better to use statically compiled languages for financial stuff.
quantumphysics 11-09-2011, 03:43 PM I wouldn't say PHP is not secure. It's just a lot better to use statically compiled languages for financial stuff.
well.. https://secure.wikimedia.org/wikiquote/en/wiki/Rasmus_Lerdorf
larwilliams 11-09-2011, 04:30 PM PHP is not secure because it is not a compiled language like ASP.NET. It is just a hacked up and put together type of language. You have dozens and dozens of frameworks for it.
Please stop. You clearly don't know what you are talking about, and your earlier posts in this thread just further prove that.
Please stop. You clearly don't know what you are talking about, and your earlier posts in this thread just further prove that.
I know what I am talking about. If anyone gets access (whether authorized or unauthorized) to the web server then all your intellectual property is exposed, all the user needs to do is examine the source of the PHP website (now think of the consequences it can have in case it is a Bank website) and all the sensitive and/or confidential information is exposed. Do you understand it now?
ASP.NET on the other hand supports a compilation model. After an ASP.NET web application is compiled you get a bunch of binaries which you deploy to the web server and that's it. In this way your intellectual property (source code) is protected from exposure and from falling into wrong hands.
larwilliams 11-11-2011, 01:57 PM I know what I am talking about. If anyone gets access (whether authorized or unauthorized) to the web server then all your intellectual property is exposed, all the user needs to do is examine the source of the PHP website (now think of the consequences it can have in case it is a Bank website) and all the sensitive and/or confidential information is exposed. Do you understand it now?
ASP.NET on the other hand supports a compilation model. After an ASP.NET web application is compiled you get a bunch of binaries which you deploy to the web server and that's it. In this way your intellectual property (source code) is protected from exposure and from falling into wrong hands.
If they have access to the web server, it is already too late. They have access to the data regardless of whether they can see the PHP code or not.
Besides, you do realize that ASP.NET can be decompiled right???
quantumphysics 11-11-2011, 06:15 PM In this way your intellectual property (source code) is protected from exposure and from falling into wrong hands.
php + hiphop => C++ binary
@larwilliams:
If they have access to the web server, it is already too late. They have access to the data regardless of whether they can see the PHP code or not.
If you expect them to store data in plain text files then certainly it is too late.
Besides, you do realize that ASP.NET can be decompiled right???
So now you at least seem to agree that I know what I am talking about? You definitely don't know how it all works, your above question proves that. There is a solution.
@quantumphysics:
php + hiphop => C++ binary
One of the many examples that further proves what I said earlier that "It is just a hacked up language".
PHP is not an enterprise grade language. The reason the OP started this thread is because the OP is having difficulty in finding what he is looking for and there are such reasons behind it. That's all I would add to this thread.
cd/home 11-13-2011, 11:20 AM Go to any PHP website and View Source and there you have all the other party's intellectual property exposed.
How do you think rippers rip sites?
Seriously... Are you new to the internet? :rolleyes:
Tyler 11-13-2011, 01:21 PM PHP is not an enterprise grade language.
Javascript is not an enterprise grade language. Right, it doesn't compile, and I can view source -- so it must not be one!
larwilliams 11-13-2011, 04:43 PM @larwilliams:
If you expect them to store data in plain text files then certainly it is too late.
So now you at least seem to agree that I know what I am talking about? You definitely don't know how it all works, your above question proves that. There is a solution.
@quantumphysics:
One of the many examples that further proves what I said earlier that "It is just a hacked up language".
PHP is not an enterprise grade language. The reason the OP started this thread is because the OP is having difficulty in finding what he is looking for and there are such reasons behind it. That's all I would add to this thread.
If you are a half decent coder at all, you don't store sensitive data in plain sight regardless. You use a database and have the application connect to it when needed. In addition, database connection info should be stored somewhere outside of the document root so that it can only be accessed by the application or someone who has direct access to the server.
Also, I never agreed with you. I just proved that your only argument is illogical. Using a compiled binary doesn't automatically make an application secure. A poorly coded application can be written in any language. A properly coded PHP application can be more secure than a similar ASP.NET one.
The fact that you stated earlier someone could steal intellectual property on a PHP coded site simply by using the "View Source" option in a browser is just further proof you don't know what you are talking about. HTML is not the same as PHP.
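The placement advice in the post above (database connection info kept outside the document root), as an added example that is not code from the thread. The function name, directory layout, INI keys and credential values are all constructed for illustration, and a Unix-like permission model is assumed.

```php
<?php
declare(strict_types=1);

// Added example: load database settings only from a file that sits outside
// the document root and is not accessible to "other" local users.
// All paths, keys and values below are constructed for illustration.

function load_db_config(string $configFile, string $docRoot): array
{
    $real = realpath($configFile);   // resolves symlinks and ".." segments
    $root = realpath($docRoot);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException('config file not found');
    }
    if ($root === false || !is_dir($root)) {
        throw new RuntimeException('document root not found'); // fail closed
    }

    // Containment check on resolved paths, so a symlink that lives outside
    // the document root but points back into it is still refused.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException('config file is inside the document root');
    }

    // Refuse files that accounts outside the owner and group can touch.
    $mode = fileperms($real) & 0777;
    if (($mode & 0007) !== 0) {
        throw new RuntimeException(sprintf('mode %04o is open to other users', $mode));
    }

    $cfg = parse_ini_file($real, false, INI_SCANNER_RAW);
    if ($cfg === false) {
        throw new RuntimeException('config file is not valid INI');
    }
    foreach (['host', 'dbname', 'user', 'password'] as $key) {
        if (!isset($cfg[$key]) || $cfg[$key] === '') {
            throw new RuntimeException("missing setting: $key");
        }
    }
    return $cfg;
}

// Demo on a constructed layout: <tmp>/public is the document root,
// <tmp>/private is a sibling directory the web server never serves.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cfgdemo_' . bin2hex(random_bytes(4));
mkdir("$base/public", 0755, true);
mkdir("$base/private", 0750, true);
$ini = "host = db.example.internal\ndbname = app\nuser = app_rw\n"
     . "password = constructed-placeholder\n";
foreach (['private', 'public'] as $dir) {
    file_put_contents("$base/$dir/db.ini", $ini);
    chmod("$base/$dir/db.ini", 0640);
}

foreach (["$base/private/db.ini", "$base/public/db.ini"] as $candidate) {
    try {
        $cfg = load_db_config($candidate, "$base/public");
        echo "$candidate: loaded settings for user {$cfg['user']}\n";
    } catch (RuntimeException $e) {
        echo "$candidate: refused ({$e->getMessage()})\n";
    }
}

// Remove the constructed files again.
foreach (['private', 'public'] as $dir) {
    unlink("$base/$dir/db.ini");
    rmdir("$base/$dir");
}
rmdir($base);
```

A copy of the file inside the document root can be fetched as plain text by any visitor unless the server is configured to block it, which is why the loader refuses that location outright rather than relying on server rules.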
Javascript is not an enterprise grade language. Right, it doesn't compile, and I can view source -- so it must not be one!
JavaScript is out of question here, the topic is about server-side languages and JavaScript is not one of them.
If you are a half decent coder at all, you don't store sensitive data in plain sight regardless. You use a database and have the application connect to it when needed. In addition, database connection info should be stored somewhere outside of the document root so that it can only be accessed by the application or someone who has direct access to the server.
Also, I never agreed with you. I just proved that your only argument is illogical. Using a compiled binary doesn't automatically make an application secure. A poorly coded application can be written in any language. A properly coded PHP application can be more secure than a similar ASP.NET one.
The fact that you stated earlier someone could steal intellectual property on a PHP coded site simply by using the "View Source" option in a browser is just further proof you don't know what you are talking about. HTML is not the same as PHP.
What are you talking about? Seriously, are you in your senses? You are saying that a PHP website whose source code can all be seen by opening it in a plain text editor is more secure than a compiled binary?? If this is what you believe then I am glad that enterprises are not taking your advice! And by the way, you proved nothing!
No one is talking about the quality of the code here, to remind you, this topic is about language and not about code quality, so your statements that "A poorly coded application can be written in any language. A properly coded PHP application can be more secure than a similar ASP.NET one." are completely pointless.
Also, I never mentioned viewing source in "browser", I clarified in detail what I meant in my previous to last post (since you were not able to understand it!) and asked you "Do you understand it now?" but you still don't seem to have understood it. PHP is available since years before ASP.NET got launched yet the OP is not able to find what he is looking for, go figure out the reasons behind this!
Preetam 11-13-2011, 10:11 PM JavaScript is out of question here, the topic is about server-side languages and JavaScript is not one of them.
JavaScript is great on the server-side!
Enough of that. Back on topic...
YDGH-Corey 11-14-2011, 02:48 AM @larwilliams:
If you expect them to store data in plain text files then certainly it is too late.
So now you at least seem to agree that I know what I am talking about? You definitely don't know how it all works, your above question proves that. There is a solution.
@quantumphysics:
One of the many examples that further proves what I said earlier that "It is just a hacked up language".
PHP is not an enterprise grade language. The reason the OP started this thread is because the OP is having difficulty in finding what he is looking for and there are such reasons behind it. That's all I would add to this thread.
Wow you have no clue. Facebook is written in php, wonder why no one has the full source code for that!
I've seen asp in plain text when I had access to a ms server. I was hired to recode it to php.
Please do not show any prospective employers this thread kid.
spykee 11-14-2011, 03:12 AM From what I see, mostly are using Java/JSP. Then on the backend, it's using some enterprise middleware at the backend such as Websphere, Weblogic, and JBoss.
I hardly see PHP in financial/banking environment.
Oh, here's one - http://www.cimbbank.com.sg/index.php?ch=sg_per_ca&pg=sg_per_ca_prod&ac=13
YUPAPA 11-14-2011, 10:20 AM From what I see, mostly are using Java/JSP. Then on the backend, it's using some enterprise middleware at the backend such as Websphere, Weblogic, and JBoss.
I hardly see PHP in financial/banking environment.
Oh, here's one - http://www.cimbbank.com.sg/index.php?ch=sg_per_ca&pg=sg_per_ca_prod&ac=13
Yep - MQ, sybase, oracle, solaris and all those middlewares. Not mySQL, PHP, Apache, Tomcat, heh ... :stickout: ;)
yokowasis 11-23-2011, 12:52 PM I am sure PHP is good enough to handle a bank. But you've got no customer service for Linux, which is why big institutions will prefer Windows. I think it is all about after-sale service.
larwilliams 11-23-2011, 01:25 PM I am sure PHP is good enough to handle a bank. But you've got no customer service for Linux, which is why big institutions will prefer Windows. I think it is all about after-sale service.
I guess you forgot about Red Hat and IBM. Both offer after-sales support for their Linux products.
GameFrame 11-28-2011, 02:08 AM You need to be more specific about how viewing the source HTML of a PHP site "exposes the intellectual property". HTML is HTML. Regardless of the server-side language, the output to the browser is all HTML and any server side language has the potential of exposing sensitive information if the programmers are not careful enough.
PHP not secure? That is rubbish. PHP's biggest security problem has always been the programmers not coding to best security standards, not the inherent problems in PHP itself. I invite you to show me an article where a PHP site was a security failure despite the best security measures in place. I can certainly show you a few on ASP.NET, yet it hasn't deterred the bulk of the corporate world from using that platform.
As mentioned and proven in my earlier posts, NavyFCU does use PHP to run their site, front and back end. I have yet to hear of any news related to their site being hacked.
Right, the problem lies in noobs' code. I LOL every day when I see another Joomla plugin coded by a student who doesn't even know what the word 'security' stands for.
If we consider the situation where you can only exploit the web site's front end (that is the typical case), it's definitely not PHP's fault if the code is insecure and the attacker gets through. Period.
AnneE 11-28-2011, 09:53 AM Well this is an interesting thread, with or without the bit of mud-slinging going on.
The original question of are banking/financial institutions using PHP? (I don't know of any, but I'll be looking more now than before).
and then there is kind of an implied second question of, if not, why not?
Actually the bulk of the discussion seems to be about ASP versus PHP, but in my only experience dealing with companies that cared a lot about web security, they never considered anything other than Java. The debate was about JSP, servlets, Enterprise Java beans, pros and cons of how to structure the application; they all just assumed we should use Java. But that's what the application programmers they hired were telling them to use. Not because of any real evaluation of the pros/cons of the available languages.
plumsauce 11-28-2011, 10:16 AM Now, do financial institutions really care about *promoting* better internet security practices?
If they did, they would not *force* the user to permit dangerous behaviours in their secured and non-secured areas during visits to their sites.
The problem with forcing the relaxation of browser permissions on most users is that they end up fixing it, or getting it fixed by someone, by means of relaxing the *default* browser permissions. They don't know about fine grained controls, or browser zones. They just want to do their banking online.
The result is that the browser is set with dangerous permissions for all sites that the user visits, and not just the bank.
Then the browser gets infected, and the user returns to do more banking ... with predictable results.
The fascination with shiny widgets over function displayed by the typical "designer" employed by big institutions is both breathtaking and disheartening. If it's new and shiny, they want to add it to their already overladen pages.
BTW, the reason so many bank and airline sites are equally difficult to use is that the "usability manager" was at one time the same person for both. Yes, there is a single person that can be pointed at who has caused or allowed untold pain and suffering to be inflicted on millions of users.
++
plumsauce 11-28-2011, 10:28 AM ... they never considered anything other than Java. The debate was about JSP, servlets, Enterprise Java beans pros and cons of how to structure the application, they all just assumed we should use Java.
Likely because all of the source data sat in DB/2 or one of the older legacy IBM mainframe data managers. IBM is big on Websphere and Java. The fact that Java leaks memory like a sieve and is as slow as cold molasses was irrelevant.
AnneE 11-28-2011, 10:27 PM Likely because all of the source data sat in DB/2 or one of the older legacy IBM mainframe data managers. IBM is big on Websphere and Java. The fact that Java leaks memory like a sieve and is as slow as cold molasses was irrelevant.
Well the data was in DB2, now that you mention it. But PHP can talk to DB2 -- they both speak SQL fluently -- so the DB2 database shouldn't have meant we used Java over PHP, but I know no one considered PHP.
I think one programmer said "Enterprise Java Beans" a lot and it sounded so cool, that the managers figured he was really sharp and should be making all the decisions.
plumsauce 11-28-2011, 10:39 PM I think one programmer said "Enterprise Java Beans" a lot and it sounded so cool, that the managers figured he was really sharp and should be making all the decisions.
That's what you get when the other managers are eating Enterprise Jelly Beans during meetings. You know, the ones that don't leave a mess on the iphone. :D