Hi all,

I was interested in the mention a few emails back about the
claim that mSQL has poor security and that EISA has poor
form-processing security. Some of you will know that I'm
currently involved in getting a web-based database set up
(http://www.caves.org.au/tenders/) using open source
software, which will be running on Linux/Apache. I'm
doing a crash course in teaching myself PHP, as it will be
one of the contenders for the scripting side vs Perl, and the
database will probably be MySQL.

So in this context I wanted to know what experienced
programmers think about PHP vs Perl as far as security goes.
My thoughts so far, having reached lesson 5 in the PHP
tutorial and noticed that the latest PHP 4.0.3 release has
some security patches, are:

Pro PHP / Con Perl:
* PHP often seems easier than Perl in its syntax for many
common web/database queries.
* Variables from forms are automatically available to the
script they call, without parsing them.
(Can this be abused/used by crackers?)
* Lots of people seem to be using PHP and it seems very
"in".
* There are classes available for PHP, so you can do
object-oriented programming.

Con PHP/Pro Perl:
* Perl is older and more stable than PHP, so may have fewer
opportunities for buffer overruns and other security holes.
* Perl is more stable, so current apps written with Perl
5.004 will run for ages, whereas a PHP 4 app might not run
when PHP 5.0 comes out, say, next year.
* Much of your code in PHP seems to be sent to the user when
the form is requested, as it's embedded in the HTML, so the
user could look at this and possibly glean info that may
help them in cracking. In Perl one would tend to generate
the HTML and just send it (unless it were embedded Perl,
which one can do).

There are probably lots of things that I haven't considered,
but generally, given that this must be a reasonably secure
database, does this dictate Perl over PHP or not? Is it more
a function of how the programmer implements the code?

Mike
-- 
--------------------------------------------------------------------
Michael Lake
University of Technology, Sydney
Email: mailto:[EMAIL PROTECTED] Ph: 02 9514 1724 Fx: 02 9514 1628
URL: http://www.science.uts.edu.au/~michael-lake/
Linux enthusiast, active caver and interested in anything
technical.
--------------------------------------------------------------------


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
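The question in Mike's message about form variables being "automatically available to the script" concerns PHP's register_globals behaviour, which is on by default in the PHP 4.0 series: every GET, POST and cookie key is turned into a PHP variable of the same name before the script runs. The script below is an added example (not code from Mike's message, from the tenders site, or from the PHP project) showing why that is dangerous and how a script should read its input explicitly instead. It emulates register_globals with extract() so it runs from the command line on any PHP version, independent of php.ini; the request arrays, the tender_id parameter and the is_admin flag are constructed for the demo.

```php
<?php
// Added example: register_globals hazard and the explicit-input fix.
// Run from the CLI:  php register_globals_demo.php

// Constructed sample requests (not real traffic). The second one carries
// an extra parameter the form never had.
$honest  = array('tender_id' => '42');
$hostile = array('tender_id' => '42', 'is_admin' => '1');

// --- Vulnerable pattern ---------------------------------------------------
// With register_globals=On, PHP creates $tender_id, $is_admin, ... from the
// request automatically. extract() reproduces that here. The bug is that the
// script never initialises $is_admin itself, so the client gets to.
function vulnerable_handler($request)
{
    extract($request);                 // emulates register_globals=On
    if (!empty($is_admin)) {           // anyone can append ?is_admin=1
        return "admin view of tender $tender_id";
    }
    return "public view of tender $tender_id";
}

// --- Hardened pattern -----------------------------------------------------
// 1. Never take authorisation state from the request; it comes from
//    server-side session data (passed in here as a plain bool).
// 2. Read each input by name from the request array and validate it
//    against the shape you expect before using it.
// 3. Build the SQL only from the validated, typed value.
function hardened_handler($request, $session_is_admin)
{
    $is_admin = (bool) $session_is_admin;   // initialised by us, not by the client

    if (!isset($request['tender_id'])
        || !preg_match('/^[0-9]{1,9}$/', $request['tender_id'])) {
        return 'error: bad tender_id';
    }
    $tender_id = (int) $request['tender_id'];   // now guaranteed to be a small integer

    // Safe to interpolate: $tender_id can only be digits after the cast.
    $sql = "SELECT * FROM tenders WHERE id = $tender_id";

    if ($is_admin) {
        return "admin view of tender $tender_id ($sql)";
    }
    return "public view of tender $tender_id ($sql)";
}

// --- Demo -----------------------------------------------------------------
echo "vulnerable, honest request:  ", vulnerable_handler($honest),  "\n";
echo "vulnerable, hostile request: ", vulnerable_handler($hostile), "\n";  // admin view
echo "hardened,   hostile request: ", hardened_handler($hostile, false), "\n";  // public view
echo "hardened,   bad tender_id:   ",
     hardened_handler(array('tender_id' => "42' OR 1=1"), false), "\n";  // error
```

The vulnerable handler prints an admin view for the hostile request because the attacker-supplied is_admin became a script variable; the hardened handler ignores it entirely and rejects the non-numeric tender_id before it can reach the database. Turning register_globals off in php.ini removes the automatic variables, but the habit of initialising every variable and validating every input is what actually makes the code safe, whichever language the form handler is written in.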
