The Source for Java Technology Collaboration
Calvin Austin

Calvin Austin's Blog

What PHP needs to learn from Java

Posted by calvinaustin on July 26, 2006 at 11:24 AM | Comments (3)

We all know that there isn't a single language or platform that is totally secure, much in the same way that no matter how well you secure your house, it's still possible to leave a door unlocked. However, if your house has few locks, open windows and is in a bad neighborhood, shouldn't you do something about it?

The house I am referring to is PHP: great for prototyping and building applications quickly, but it has a long way to go before it provides the automatic peace of mind Java does. We track vulnerabilities on all platforms, and applications that use PHP are often the target of attacks. Was it the application developer's fault? Possibly, but there is little help for PHP developers to find out whether they are really writing insecure code, and without a security manager like Java's, any small mistake can become a big exploit.

My colleague Ezra has started a new open source PHP security tool to audit PHP applications, phpsecaudit; if you have any PHP code lying around, check it out. We are looking for other contributors too. As for me, my first choice is still Java, even if it does take longer to create something the first time around.


Comments

  • Or maybe it's just the mentality of building something fast?

    Strong and convenient APIs and/or frameworks should make security as easy in one language as another (assuming the runtime itself is secure, which I assume for PHP). I've done some PHP programming, but not enough to say anything even close to authoritative.

    Posted by: tjpalmer on July 27, 2006 at 08:01 AM

  • "Or maybe it's just the mentality of building something fast?" Probably both things. I was burned by PHP some months ago. I had installed a PHP CMS (one of the most popular around) for my websites and I was somewhat happy because it was easy to set up. During a three-day absence because I was attending a conference with no Internet connection, a security bug was exploited and people were able to install a spammer into the CMS account. They did just a little damage as the Unix security stuff was ok - they failed to gain access as root. But I was really pi**ed off when I found that the exploitation technique was the little old trick of tweaking a URL to gain access to the filesystem. Again, in 2006?!?!?!?! Yes, it's the programmers' fault, but I think that it's the language that leads - or at least opens the door - to that kind of bad programming. In a few days I removed the PHP tool and replaced it with a Java EE CMS. Not only is it much more secure, but I'm also enjoying customising it with some JSP scripting without having to learn another syntax. I'll never try PHP again.

    Posted by: fabriziogiudici on July 28, 2006 at 12:53 AM

  • "without a security manager like Java, any small mistake can become a big exploit"
    On Linux systems, don't SELinux and AppArmor serve a similar role as the Java SecurityManager? See httpd_selinux. Hmm, maybe not yet, but it is a start.

    Posted by: ahalsey on July 28, 2006 at 04:24 PM
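As an added illustration of the kind of check a PHP audit tool like the one Calvin mentions could run (example code written for this page, not phpsecaudit's own and not from any commenter), here is a small Python audit that flags include/require and file-read calls whose path argument comes from request data, the bug class behind the URL-tweaking break-in fabriziogiudici describes. The PHP sample, the sink list and the taint rules are constructed assumptions; it is a line-based heuristic, not a PHP parser, so its findings are review candidates rather than confirmed bugs.

```python
import re

# Constructed sample PHP file (not from the post or from phpsecaudit).
SAMPLE_PHP = """<?php
$page = $_GET['page'];
include($page . '.php');
require_once 'lib/' . $_REQUEST['mod'] . '.php';
readfile($_COOKIE['file']);
$theme = 'default';
include $theme . '/layout.php';
$f = $_GET['f'];
$f = 'home';
include $f . '.php';
"""

# Filesystem sinks: a request-chosen path here is the "tweak a URL" bug class.
SINK_RE = re.compile(
    r'\b(?P<sink>include_once|require_once|include|require|readfile|fopen|file_get_contents)\b'
    r'\s*\(?(?P<arg>[^;]*)', re.IGNORECASE)
SUPERGLOBAL_RE = re.compile(r'\$_(GET|POST|REQUEST|COOKIE)\b')
ASSIGN_RE = re.compile(r'^\s*(?P<var>\$[A-Za-z_]\w*)\s*=(?!=)\s*(?P<rhs>[^;]*);')
VAR_RE = re.compile(r'\$[A-Za-z_]\w*')


def _reads_taint(expr: str, tainted: set) -> bool:
    """True if the expression reads a request superglobal or a tainted variable."""
    return bool(SUPERGLOBAL_RE.search(expr)) or any(v in tainted for v in VAR_RE.findall(expr))


def audit_php(source: str) -> list:
    """Return (line number, sink, code) for each filesystem sink fed by request data.

    Taint is tracked per variable within one file in source order; a plain
    reassignment from a clean expression clears it. No sanitizer modelling.
    """
    tainted, findings = set(), []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split('//', 1)[0]          # drop a trailing // comment
        sink = SINK_RE.search(code)
        if sink and _reads_taint(sink.group('arg'), tainted):
            findings.append((lineno, sink.group('sink').lower(), code.strip()))
        assign = ASSIGN_RE.match(code)
        if assign:
            if _reads_taint(assign.group('rhs'), tainted):
                tainted.add(assign.group('var'))
            else:
                tainted.discard(assign.group('var'))
    return findings


if __name__ == '__main__':
    for lineno, sink, code in audit_php(SAMPLE_PHP):
        print(f'line {lineno}: {sink}() takes a request-controlled path: {code}')
```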




