Which is more secure? a php site or an asp one?
My friend and I were discussing this, and I thought I'd ask C9ers what they thought about this?
-
Both platforms are only as secure as the application written for them.
Of course, there might exist problems with HTTP buffer-overruns, but due to the simple nature of developing a secure HTTP parser this isn't likely.
I think they're both pretty secure to the point where you can't use it as an excuse for choosing one over the other.
-
I agree that the platform is only as secure as the application, but ASP.NET does provide some security checks that AFAIK PHP does not by default. For instance, ASP.NET prevents XSS attacks by default by detecting HTML in form inputs, and throwing an exception when they're present. Also, things like forms authentication and the new User Validation controls prevent you from re-inventing the wheel - but the wrong way...
-
Martin Carolan wrote:
> I agree that the platform is only as secure as the application, but ASP.NET does provide some security checks that AFAIK PHP does not by default. For instance, ASP.NET prevents XSS attacks by default by detecting HTML in form inputs, and throwing an exception when they're present. Also, things like forms authentication and the new User Validation controls prevent you from re-inventing the wheel - but the wrong way...
ASP.NET's built-in POST validation for angle-brackets is distracting and largely useless.
I'm sure 99% of all devvies out there are smart enough to know that most users will type angle-brackets in form fields (for innocent reasons) and don't need a Yellow Screen of Death (and know how to use HttpUtility.HtmlEncode anyway).
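The trade-off argued in the posts above, as an added example that is not part of the thread: rejecting markup-looking input versus encoding at output. `LooksLikeMarkup` is a hypothetical, simplified stand-in for a reject-on-input check (not ASP.NET's actual validator), and the sample strings are constructed.

```csharp
using System;
using System.Web; // HttpUtility.HtmlEncode, the call named in the post above

static class Demo
{
    // Hypothetical stand-in for a reject-on-input check: flags '<' followed by
    // a letter, '!', '/' or '?'. This is NOT ASP.NET's real validator.
    static bool LooksLikeMarkup(string s)
    {
        for (int i = 0; i + 1 < s.Length; i++)
        {
            if (s[i] != '<') continue;
            char next = s[i + 1];
            if (char.IsLetter(next) || next == '!' || next == '/' || next == '?')
                return true;
        }
        return false;
    }

    // Encode at the point of output, for the HTML element-content context.
    static string RenderComment(string userText) =>
        "<p>" + HttpUtility.HtmlEncode(userText) + "</p>";

    static void Main()
    {
        // Constructed sample inputs: two innocent ones and one containing markup.
        string[] samples =
        {
            "if a<b then swap",
            "Tom & Jerry",
            "<b>bold</b> please",
        };

        foreach (var s in samples)
        {
            Console.WriteLine($"input   : {s}");
            Console.WriteLine($"rejected: {LooksLikeMarkup(s)}");
            Console.WriteLine($"rendered: {RenderComment(s)}");
            Console.WriteLine();
        }
    }
}
```

`HtmlEncode` covers HTML element content and quoted attribute values; values written into script blocks or URLs need the encoder for that context. On .NET Core and later, `HttpUtility` ships in the `System.Web.HttpUtility` assembly.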
-
> Which is more secure? a php site or an asp one?
That's a bit like asking "which is safer... a blue car or a green one?"
A site that is coded by paranoid developers is always more secure than a site that is coded by rushed developers. The implementation language is beside the point.
-
Maurits wrote:
> > Which is more secure? a php site or an asp one?
> That's a bit like asking "which is safer... a blue car or a green one?"
According to New Zealand, blue is around 50% safer than green.
I win again
-
But I know for a fact that there are more exploits for PHP sites than ASP.NET. Most of the new banks' websites use ASP sites for online banking. However, some friends of mine argue that PHP has more kick in it than ASP in terms of security, but the exploits are there.

-
The number of known exploits for a technology is largely a function of how long it's been around, and how popular it is.
-
So you're saying ASP.NET is the best choice to do a secure site for the time being? Because it's younger than PHP?
-
No, that's not what I'm saying.

I'm saying that the security of any particular site has very little to do with the choice of CGI engine, and everything to do with the affectations of the particular developers.
If you can code more securely in ASP.NET, use that.
If you can code more securely in PHP, use that.
There's nothing intrinsically secure or insecure about either of them.
-
The same is true of programming languages? Like C# versus Java and Delphi and others? And the compilers?
-
Java and C# are more similar than they are different, yes. If you learn one, the other will seem oddly familiar.
Don't know Delphi, to be honest.
C is definitely more dangerous for an inexperienced developer than Visual Basic 6.0, say.
When considering languages, look into the availability of libraries that pertain to the task. A language is only as good as its libraries*.
(*Perl plug: CPAN)
-
Maurits wrote:
> C is definitely more dangerous for an inexperienced developer than Visual Basic 6.0, say.
I wouldn't say that.
Just so long as the 'newbies' stick away from pointers and just use the intrinsic datatypes (i.e. don't touch the Standard Library's string header yet) then I can't see how C can be dangerous.
-
As some people have said, and seemingly are being ignored, an application is only as secure as the people writing it make the application to be. Of course, some languages make it easier to be secure than other languages. If you are writing code in C#, it's often easier to be more secure than, say, programming in C since you are not worrying about little cleanup chores etc. and can spend a bit of time and make use of all the tools in the language (I don't have anything against C, just using an example).
What it really comes down to is preference and most importantly purpose. Sometimes people confuse preference with fact or somehow twist things to make facts out of thin air. This is not really a flame but sometimes people don't realize it.
Btw, I am not some programming god. I am just a college sophomore who has run out of videos to watch (more videos, Scoble!) and has found the forums. These are my thoughts on what I have seen with discussions with friends, father and his colleagues.
My $0.02
Cheers,
Aditya