Viewing Thread:
"Little Ditty for you"

Go back over the wonders of PHP and it's useage...

I've just compiled a page of links for a political site I have been working on, in all there are over 800 of them on this page...

Out of this 800+ there are:
200 using ASP and 1 using PHP! That's right... 1...

Now all of these are large global sites of major status, so if PHP is that amazing, how come only one of them uses it?

Nah, more like an Angel.. :)

Garin wrote:
> The report never claimed that the flaws didn't apply to other languages (although some of them don't btw). What it is saying is that PHP's nature makes it very easy to overlook them and more difficult to protect against them especially in the default config.

Don't go upsetting Rob now... He's the GOD of PHP!:-)

Turbonutter wrote:
> That report applies to anything. ANY script, written in PHP, ASP, Perl or fish++
> is only as secure as you write it.

The report never claimed that the flaws didn't apply to other languages (although some of them don't btw). What it is saying is that PHP's nature makes it very easy to overlook them and more difficult to protect against them especially in the default config.

That report applies to anything. ANY script, written in PHP, ASP, Perl or fish++ is only as secure as you write it. I wrote:

`ls $foo`;
?>

Then that's utterly, utterly stupid. That doesn't make PHP less secure though. However, if I put:

$foo = escapeshellcommands($foo) // I think that's the function
`ls $foo`
?>

It would be perfectly secure. Of course, if you put...

`$foo`;
?>

...you deserve to have something very nasty done to your system. The same applies to everything.

I see we are chasing our tales in this forum again, "my toys are better than your toys..." Blah blah...

Turbonutter wrote:
> Think of it this way: How many Apache-attacking viri are > there compared to IIS-attacking viri? Also, why is there
> only one (reletively minor) Linux-attacking virus and
> millions of Windows-attacking ones?

Viri that we know of! I have said before that MS gets more publicity when their stuff gets attacked, I can't remember the last time I saw a specific report on a UNIX virus.

Not only that, once a UNIX system has been infiltrated, there are shed loads of scripts out there for script kiddies to install and do some more damage with.

Also, think of it this way. One of the reasons MS systems are such a target is because they are realtively easy to use, *NIX on the other hand, is a lot harder, so less people can be arsed trying. If your *NIX system was as easy to use and had as much market penetration as MS systems you would see more people trying to break it, hack it, crack it, phreak it, whatever.

The MS Vs *nix argument is like saying "if you drive a red car, you are more likely to have an accident..." but neglecting to mention that there are physically more red cars on the road than any other colour, so of course more red cars are invoved in accidents.

> PHP is a little different though. Because you write
> it yourself, it's only as secure as the script you write.

At least this bit makes sense. Same goes for system admin though, if you change passwords and scan for viruses and back-up regularly, no matter what happens, you won't be too hard hit when the worst case scenario comes home to roost.

> The same goes for ASP. However, PHP has less HOLES than
> ASP does.

Should read "PHP has less publicsed holes than ASP" dammit. We all know that both PHP and ASP scripts can be broken, but like you say, it depends how they have been written.

Garin wrote:
> http://www.securereality.com.au/studyinscarlet.txt

Worth a read about how secure PHP is.

Excellent read... and now wavering about it!


>Personally if I was solely an ASP developer, I'd be sitting back and waiting to see what happens with .NET than worry about PHP.


Oddly enough, that what we intend to do. .NET looks very promising and as we are MS based, it would be much easier to make the switch.

http://www.securereality.com.au/studyinscarlet.txt

Worth a read about how secure PHP is. Of course can produce many rants about ASP too. But if you already work in ASP should be more aware of its short comings. Better the devil you know...

Personally if I was solely an ASP developer, I'd be sitting back and waiting to see what happens with .NET than worry about PHP. Having said that, PHP is nice and fast, and very easy to integrate with a MySQL DB (can use other DBs but a bit more fiddly I believe).

I'm happy to use both though.
Not that I ever do, I'm too idle and do everything in Perl. :)

Turbonutter wrote:
> Converting your whole setup to a Unix/Apache/PHP setup would be quite hard and probably very stupid.

I have mentioned this before... But just to implement PHP wouldn't be a problem for test purposes especially as the G4 is ready to go.

>However, if you need to add any more boxes you should consider going to a Unix setup.

I do beleive we have just purchased a Unix box!!

Converting your whole setup to a Unix/Apache/PHP setup would be quite hard and probably very stupid. However, if you need to add any more boxes you should consider going to a Unix setup. Unix servers cost nothing like the millions you have spent to get yours up and running, and maintainence should be cheaper too.

Turbonutter wrote:
> PHP is a little different though. Because you write it yourself, it's only as secure as the script you write. The same goes for ASP. However, PHP has less HOLES than ASP does.

I'm starting to see the benefits of PHP and have spent some time looking st the differences between ASP and PHP and what impact it would have on our business model (I thought I'd never see the day I'd say that) and have started to look into it as a more cost effective way of producing some of the "minor" sites we produce here. All I need to do now is convince management and our developers!!

I still want to wait and see what .NET has to offer!!