  1. #1
    SitePoint Enthusiast

    Is one web programming language more secure than the others?

    I am trying to understand this better... your thoughts are greatly appreciated.
    Is one web programming language more secure than the others? Now I know that brings up the question: is one operating system more secure than others?

  2. #2
    archigamer
    Yes and no. First rule of thumb is a program is only as secure as it is coded to be. However some languages offer more safefalls than others.

  3. #3
    SitePoint Enthusiast
    As in, which offer these safefalls?

  4. #4
    archigamer
    Well, for example, a strongly typed language vs. a loosely typed language. In a loosely typed language (PHP) the language converts (automatically) the type of a variable to what is needed based on the context you use the variable in. In a strongly typed language (.NET, Java) you have to explicitly (do it yourself) convert the variable to the type needed.

    So let's say that in your application you have myPage.php?id=1. Anyone can do myPage.php?id=delete%20*%20from%20customers
    In PHP, no error would occur. This could be a potential SQL injection attack. However, if you tried something like that in Java or .NET, the page would throw an error, because delete%20*%20from%20customers is a string while it is looking for an integer (like 51).

    For a deeper look at SQL injection attacks, go to
    http://www.sitepoint.com/article/794

  5. #5
    Cam
    What archigamer has said is true, but what he has failed to mention is that specifically in PHP (although I'm sure most loosely typed languages would have something like this) you as the programmer can still explicitly set a variable type. Example -
    PHP Code:
    $id = intval($_GET['id']);

    $id = (int)$_GET['id'];
    In both of those methods, if anything other than an integer is passed in the URL as id, the variable $id will be set to 0.
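    Added example, not part of Cam's post or the original thread, showing how the (int) cast, intval() and filter_var() each treat a handful of constructed id values; the interpretId and requireId function names and the sample inputs are this example's own.

```php
<?php
// Added example (not from the thread): compare PHP's integer cast,
// intval() and filter_var() on a few constructed query-string values.

/**
 * Return three interpretations of one raw id value:
 *  - (int) cast and intval() never fail; non-numeric input becomes 0
 *    and a leading-numeric string keeps only its numeric prefix
 *  - filter_var(FILTER_VALIDATE_INT) returns false unless the whole
 *    string is a well-formed integer, so junk is rejected, not zeroed
 */
function interpretId(string $raw): array
{
    return [
        'cast'     => (int) $raw,
        'intval'   => intval($raw),
        'validate' => filter_var($raw, FILTER_VALIDATE_INT, [
            'options' => ['min_range' => 1],   // ids start at 1 in this example
        ]),
    ];
}

/**
 * Validation wrapper for a query-string id: returns the integer or null,
 * so the caller can send an error page instead of querying for id 0.
 */
function requireId(array $query, string $key = 'id'): ?int
{
    if (!isset($query[$key]) || !is_string($query[$key])) {
        return null;                          // missing or not a scalar
    }
    $id = filter_var($query[$key], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// Constructed sample inputs standing in for $_GET['id'].
$samples = ['51', '0', '-3', '7abc', 'delete * from customers', '1 OR 1=1', ''];

foreach ($samples as $raw) {
    $r = interpretId($raw);
    printf("%-28s cast=%-3d intval=%-3d validate=%s\n",
        var_export($raw, true), $r['cast'], $r['intval'],
        $r['validate'] === false ? 'rejected' : (string) $r['validate']);
}

// The same decision as a page would make it: null means "send an error".
var_dump(requireId(['id' => '51']));
var_dump(requireId(['id' => 'delete * from customers']));
var_dump(requireId([]));
```

    With these inputs the cast and intval() turn '7abc' into 7 and 'delete * from customers' into 0, so the cast always produces an integer the query will accept; filter_var() reports false for everything that is not a whole integer (and, because of min_range, for 0 and negatives), which is what lets the page refuse the request rather than run a query for id 0.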

  6. #6
    Hierophant
    Quote Originally Posted by archigamer
    Well for example a strongly typed language vs a loosely typed language. In a loosely typed language (php) the language converts (automatically) the type of a variable to what is needed based on the context you use the variable. In a strongly typed language (.NET, Java) you have to explictly (do it yourself) convert the variable to the type needed.
    So .NET as a framework is going to change over 10 years of Visual Basic programming? Last I looked, Visual Basic was a loosely typed programming language.

    Maybe some languages used in .NET such as C# and MSVC are strongly typed whereas others aren't... Let's not forget that .NET is not a programming language but a framework which can be utilized by any programming language. If it is anything like its predecessor (ASP), then it can be used in PHP and Perl even (both loosely typed languages).
    Wayne Luke

  7. #7
    Cam
    Off Topic:

    VB6 is strongly typed, isn't it? Correct me if I'm wrong; when I used VB6, I really had no clue.

    Code:
     Dim strString As String ' creating a string variable
     Dim varVariant As Variant ' that is almost loosely typed

  8. #8
    Hierophant
    Nope... you can remove the As String and As Variant parts and just create variables; VB6 is loosely typed.

    Heck, you don't even have to declare variables before you use them in Visual Basic. Though you can use the option explicit keywords to force variable declaration in your program.
    Wayne Luke

  9. #9
    Cam
    Ahh, okay. You learn something new every day.

  10. #10
    archigamer
    In VB.NET you do have to declare variables, and you do have to declare their types. Sorry guys.

    As for PHP, TBH I have never seen any PHP programmer actually check types. Yes, it's available, but I haven't seen it used in real-world PHP.

  11. #11
    SitePoint Wizard

    Languages

    As others have said, a language is only as secure as it is coded to be. Arguably, the more "features" (functions, libraries, classes, et cetera) a language has, the less secure it is, and the less functional it is. Additionally, languages that have been coded by many separate programmers with different styles are more prone to security holes, since there's a higher potential for "chinks."

    Whether a language is strongly or loosely typed is also a consideration. On the whole, strongly typed languages tend to be more secure, since a variable will only accept a given type of data. There is, of course, the odd pseudo-language, like Visual Basic, that can be either strongly or loosely typed.

    Naturally, the OS also comes into consideration. But that's a whole other discussion, and I'd rather not start a flame war.

  12. #12
    vgarcia
    Quote Originally Posted by archigamer
    As for PHP, TBH I have never seen any PHP programmer actually check types. Yes, it's available, but I haven't seen it used in real-world PHP.
    That's the fault of the programmer then, not so much PHP. ASP suffers from the same problem. Honestly, it's not too difficult to implement regular expression-based validation in either language (which is what I do for both ASP and PHP).

  13. #13
    samsm
    Expanding on what Vinnie just said...

    Personally I wouldn't necessarily check for type in PHP and no apologies! I think it makes a lot more sense to directly check for validity.

    For example, why check that an email address is a string when it matches a regular expression that verifies that it is an email address (and by extension a string)?

    In this scenario: myPage.php?id=1
    ... why check to see if "1" is an integer when you can just about as easily see if 1 is a valid id? Casting to integer presents the risk of casting an injection to zero and then doing some undesired stuff with that zero (which is a valid integer). Checking to ensure that whatever is valid also gives you the chance to produce a decent error message, rather than some technical language spat error that might even give an attacker some idea of how your application works.

    You definitely should know about and be prepared for the possibility of SQL injection, but type is not enough. The basic premise is that if someone can inject their way into destroying info or gaining access to privileged data, then your queries are allowing too much from their user-entered portion. Slap some more WHERE on that clause!

    SELECT articleText FROM articles, privs WHERE articles.ID=privs.ID AND privs.user='joeBrowser' AND articles.ID=[USER ENTERED]

    Alter the user entered portion all you like, the privileges will stop you from getting anywhere you aren't allowed. (hope that query is clear and correct, it was off the top of my head)

    Anyway, point is, checking by type alone is weak, just about any user input can benefit from some stronger validity checking. PHP and .Net have some great ways to do this as do most other languages.
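    Added example, not from samsm's post or the thread: the privilege-scoped article query from the post written as a PDO prepared statement and run against a constructed in-memory SQLite database, so the effect of the privs join can be seen for several user/id pairs. The buildDb and fetchArticle helpers, the sample rows and the user names are this example's own.

```php
<?php
// Added example (not from the thread): samsm's privilege-scoped query,
// with the id bound as a parameter instead of spliced into the SQL.
// The table layout (articles, privs) mirrors the query in the post;
// the rows are constructed sample data.

function buildDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE articles (ID INTEGER PRIMARY KEY, articleText TEXT)');
    $db->exec('CREATE TABLE privs (ID INTEGER, user TEXT)');
    $db->exec("INSERT INTO articles VALUES (1, 'public notes'), (2, 'board minutes')");
    // joeBrowser may read article 1 only; adminUser may read both.
    $db->exec("INSERT INTO privs VALUES (1, 'joeBrowser'), (1, 'adminUser'), (2, 'adminUser')");
    return $db;
}

/**
 * Fetch one article for $user. Two independent controls apply:
 *  - the id is validated and bound, so the database never parses it as SQL
 *  - the privs join limits the result to rows this user was granted,
 *    whatever id the request carried
 */
function fetchArticle(PDO $db, string $user, string $rawId): ?string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;                          // reject before touching the database
    }
    $stmt = $db->prepare(
        'SELECT articles.articleText FROM articles, privs
          WHERE articles.ID = privs.ID
            AND privs.user = :user
            AND articles.ID = :id'
    );
    $stmt->execute([':user' => $user, ':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['articleText'];
}

$db = buildDb();

// Constructed requests: a permitted read, a read outside joeBrowser's
// grants, the same row read by a user who holds the grant, and a
// malformed id that never reaches the database.
$requests = [
    ['joeBrowser', '1'],
    ['joeBrowser', '2'],
    ['adminUser',  '2'],
    ['joeBrowser', '2 OR 1=1'],
];
foreach ($requests as [$user, $rawId]) {
    printf("%-10s id=%-12s -> %s\n", $user, var_export($rawId, true),
        fetchArticle($db, $user, $rawId) ?? '(no row or rejected)');
}
```

    The point of binding the id is that the WHERE clause stays exactly as written no matter what the request contains; the point of the privs join is that even a well-formed id only returns rows the current user is entitled to, which is the "slap some more WHERE on that clause" advice above.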

  14. #14
    M. Johansson
    While I agree with you that strong typing offers little in the way of real security, you are wrong about the ID thingy - strong typing helps in that case.

    Quote Originally Posted by samsm
    In this scenario: myPage.php?id=1
    ... why check to see if "1" is an integer when you can just about as easily see if 1 is a valid id?
    Because you have to do a query to the database with that "1" in it at some point. With PHP, you most certainly have to check that that "1" is indeed an integer before letting it into your database. With strong typing, this extra step is not necessary.

    Bottom line, while strong typing helps security only little, it does have some benefits.

    I agree that an application is only as secure as the programmer makes it, but out of the box, .NET is definitely more secure than PHP is.

    1. Register Globals
    When you post from a form in PHP, the variables become available as normal variables, posing a great security risk. The first thing the more experienced PHP developer does is to disable this in his script (as it is never disabled on shared servers, to support legacy apps). Unfortunately, because PHP is so easy to pick up, a lot of developers happen to be not-so-experienced, and make these simple (but fatal) mistakes very often.

    2. .NET does not allow "dangerous" data like HTML to be posted to a page unless you specifically allow it. Simple thing, but stops a lot of security problems.

    Now, with that said, a more experienced developer can easily fix these problems. Most security problems are actually very easy to fix - it's discovering them that is the hard part.
    Mattias Johansson
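    Added example, not from Mattias's post or the thread, illustrating both of his points in PHP: a login check that initialises its own state so a register_globals-injected variable cannot pre-set it, a check of the ini setting (only meaningful on PHP versions that still have it; register_globals was removed in PHP 5.4), and htmlspecialchars() as the output-side counterpart of .NET refusing HTML in posted fields. The registerGlobalsEnabled, checkLogin and renderComment names and the sample user are this example's own.

```php
<?php
// Added example (not from the thread): defensive handling of the two
// issues raised above, register_globals and HTML in user input.

/** Report the setting so a deployment check can flag it (always false on PHP >= 5.4). */
function registerGlobalsEnabled(): bool
{
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

/**
 * The classic register_globals mistake is testing a variable that was
 * never initialised: with the setting on, ?authorised=1 in the URL would
 * create it. Starting every state variable from a known value and reading
 * input only from the request array removes that path, whatever the setting.
 *
 * $validUsers maps user name => password hash (from password_hash()).
 */
function checkLogin(array $post, array $validUsers): bool
{
    $authorised = false;                      // known state before any input is read
    $user = $post['user'] ?? '';
    $pass = $post['pass'] ?? '';
    if (is_string($user) && is_string($pass)
        && isset($validUsers[$user])
        && password_verify($pass, $validUsers[$user])) {
        $authorised = true;
    }
    return $authorised;
}

/**
 * Mattias's second point: .NET rejects HTML in posted fields by default.
 * PHP's equivalent defence is applied when the text is output: encode it,
 * so any markup a user typed is displayed as text rather than rendered.
 */
function renderComment(string $comment): string
{
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample data.
$users = ['joe' => password_hash('correct horse', PASSWORD_DEFAULT)];

printf("register_globals on: %s\n", registerGlobalsEnabled() ? 'yes' : 'no');
var_dump(checkLogin(['user' => 'joe', 'pass' => 'correct horse'], $users));
var_dump(checkLogin(['user' => 'joe', 'pass' => 'wrong'], $users));
var_dump(checkLogin(['authorised' => '1'], $users));   // stray field is simply ignored
echo renderComment('<b>hello</b> & "quotes"'), "\n";
```

    The login check returns true only for the correct password; a request that carries an extra authorised field changes nothing because the function never looks at a variable it did not set itself. Where HTML must be allowed in a field (the case Mattias describes enabling per page in .NET), the decision belongs in one place in the application rather than in each page that echoes the value.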

  15. #15
    Hierophant
    PHP doesn't ship with Register Globals capability on anymore. You must explicitly turn this on and the recommendation is to turn it off.
    Wayne Luke

  16. #16
    samsm
    Quote Originally Posted by M. Johansson
    Because you have to do a query to the database with that "1" in it at some point.
    I do agree with this but I also think that a properly formatted query can accept a wide range of input. However, I suppose that you may as well know that your user input that you expect to be an integer is an integer, one way or another so I guess I agree with you that far.

    You are correct that PHP does not railroad you into using htmlspecialchars as .Net apparently does (with some .Net form of htmlspecialchars). But I'm sure you know htmlspecialchars is there and so do most people who will make anything of consequence with PHP.

    And yeah, what's up with mentioning register globals? That's like a 2-3 years ago problem... plus, I think that Microsoft has had some dirty laundry in the time period too (like the passport.Net leak, maybe?).
    Last edited by samsm; Dec 1, 2003 at 02:38.

  17. #17
    archigamer
    Quote Originally Posted by samsm
    I do agree with this but I also think that a properly formatted query can accept a wide range of input.
    So how would you properly format a query like this?
    select * from customer where customer_id = $_GET['id']

    I personally cannot think of any way that you could format that to accept anything but an integer.

  18. #18
    M. Johansson
    Quote Originally Posted by samsm
    I do agree with this but I also think that a properly formatted query can accept a wide range of input. However, I suppose that you may as well know that your user input that you expect to be an integer is an integer, one way or another so I guess I agree with you that far.

    You are correct that PHP does not railroad you into using htmlspecialchars as .Net apparently does (with some .Net form of htmlspecialchars). But I'm sure you know htmlspecialchars is there and so do most people who will make anything of consequence with PHP.
    No, .NET doesn't railroad you into using any equivalent of htmlspecialchars(). What it does is simply disallow posting of pure HTML data without you specifically setting that page to allow it (by a statement at the top of the page). After that, it allows you to post pure HTML data just fine. It's a small thing, but very convenient, and prevents a lot of leaks.

    Quote Originally Posted by samsm
    And yeah, what's up with mentioning register globals? That's like a 2-3 years ago problem...
    No it's not - many hosts leave it on per default.

    Quote Originally Posted by samsm
    plus, I think that Microsoft has had some dirty laundry in the time period too (like the passport.Net leak, maybe?).
    I'm not sure what this has to do with anything. Passport has very, very little to do with the .NET framework.
    Mattias Johansson

  19. #19
    vgarcia
    Quote Originally Posted by archigamer
    so how would you properly format a query like this?
    select * from customer where customer_id = $_GET['id']

    I personally cannot think of any way that you could format that to accept anything but an integer.
    PHP Code:
    //get the ID from the querystring
    $id = $_GET['id'];
    //match against a regular expression before using $id
    //(anchored, with delimiters, so only 1-4 digits and nothing else passes)
    $valpr = preg_match('/^[0-9]{1,4}$/', $id);
    if ($valpr) {
        $sql = 'SELECT * FROM product WHERE id=' . $id;
    } else {
        die('You tried to hack my site you little script kiddie');
    }

    I'd probably do more to validate the input, but here you at least ensure that $id matches a certain format (integer 1-4 numbers long).

  20. #20
    samsm
    Quote Originally Posted by archigamer
    select * from customer where customer_id = $_GET['id']
    Ok. First of all, this is insane:
    SELECT * FROM customer WHERE customer_ID=$_GET_ID['ID'];
    You could enter integers at random via get requests and get any of a variety of customer IDs. Obvious security problem and not one directly linked to type checking.

    Obviously, you need to be a step more intricate.
    SELECT #* FROM customer WHERE customerID=loginID AND loginID = loginTable.loginID AND loginTable.password=" . addslashes($_SESSION['pass']) . ";

    How, I ask you, how do you beat that? Throw type checking aside, that is not going to help you. You can't get to that data without the correct password, regardless of what type that password was or whatever other crap you've attempted to throw at the application in question. It's impossible. You're shut out.

    Quote Originally Posted by M. Johansson
    No it's [(register globals)] not - many hosts leave it on per default.
    Fair enough. Are some MSSQL hosts still vulnerable to slammer? Seriously, I'm going out on a limb and guessing that for every old security problem uncorrected in LAMP hosts, there is a problem uncorrected in IIS hosts.

    Quote Originally Posted by M. Johansson
    I'm not sure what this has to do with anything. Passport has very, very little to do with the .NET framework.
    It has everything to do with the framework. The whole concept of the framework is that one element relies upon another and you can rely upon each element to perform its function. Without that reliance, you might as well write the whole thing yourself. If you rely upon passport to manage your user log-ins (as Microsoft promotes) and passport is vulnerable, then your whole system is vulnerable. edit: decided to remove the REALLY idiotic part of this paragraph

    Look, I'm really not out to demonize .Net, I think it's fine. But please, PHP has issues, .Net has issues, everything else has issues too. There's no real security bias to speak of in the major players that can be resolved with a two to eight hour chat. We're talking about no major benefit in comparison to drawbacks and there really aren't any. Sure mention type checking, that's fine, but I don't know how a PHP developer could possibly develop anything of consequence without knowing about those issues in this day and age.
    Last edited by samsm; Dec 2, 2003 at 09:53.

  21. #21
    archigamer
    Quote Originally Posted by samsm
    You can't get to that data without the correct password, regardless of what type that password was or what ever other crap you've attempted to throw at the application in question.
    If you are on a part of the site you don't log in to, or your site does not have membership, you're back to square one. While I agree that is more secure than before, my original point was not taking logging in into account.

  22. #22
    samsm
    Well, in a query like:
    SELECT * FROM whatever WHERE [USER ENTERED]

    In this, you are exposing "whatever" to unrestricted selects. In the articleID=whatever scenario, that's probably not a big deal, assuming all the articles in "whatever" are fit to be seen.

    However, try as you may, there is nothing you can tack on the query above to access data from other tables or alter data in any table. That is, assuming that you are accessing the database with a function like mysql_query which only allows one query at a time (so tagging a second, destructive query on the end is out).

  23. #23
    M. Johansson
    Quote Originally Posted by samsm
    Fair enough. Are some MSSQL hosts still vulnerable to slammer? Seriously, I'm going out on a limb and guessing that for every old security problem uncorrected in LAMP hosts, there is a problem uncorrected in IIS hosts.
    You are talking about it as something that can be fixed with a patch or something - it's not. The hosts that enable register globals are not bad hosts - they have to do that by default to support legacy applications. I do not know of a security problem of this nature or magnitude for .NET, but I'd love for anyone to prove me wrong. I won't comment on IIS or MSSQL vulnerabilities on hosts, as that would just be complete speculation - suffice to say that bad hosts will be bad hosts, and good hosts will be patched.

    Quote Originally Posted by samsm
    It has everything to do with the framework. The whole concept of the framework is that one element relies upon another and you can rely upon each element to perform its function. Without that reliance, you might as well write the whole thing yourself. If you rely upon passport to manage your user log-ins (as Microsoft promotes) and passport is vulnerable, then your whole system is vulnerable. edit: decided to remove the REALLY idiotic part of this paragraph
    No, Passport has incredibly little to do with .NET. Very, very few .NET sites use Passport. Passport is a web service provided by Microsoft for the fee of US$10 000 per year. It's only meant for very large applications, and Microsoft does not actively market it to the average site.

    Quote Originally Posted by samsm
    Look, I'm really not out to demonize .Net, I think it's fine. But please, PHP has issues, .Net has issues, everything else has issues too.
    Of course. I was merely addressing the original question of whether one web programming language was more secure than the other by pointing out that .NET is more secure out of the box, which is true. They are not major, and can easily be worked around by a reasonably experienced developer, but they were relevant to the question of the thread starter.

    Quote Originally Posted by samsm
    Sure mention type checking, that's fine, but I don't know how a PHP developer could possibly develop anything of consequence without knowing about those issues in this day and age.
    I probably shouldn't say this, but I had developed several PHP sites for clients before I ever heard the term SQL Injection Attack or the register globals problem. You learn how to develop sites with PHP very fast. You also learn how to secure your web sites very fast - just not quite as fast.
    Mattias Johansson

  24. #24
    samsm
    You know what? I was going to use the fact that most PHP posters here are on hosts with register globals off, but I'm typing a response for another thread right now where someone has clearly written an application with register globals on. So perhaps register globals isn't as dead as I thought.

    Actually, you are probably right about .Net being used more securely, too. In addition to whatever is in the framework itself, the very fact that it is more difficult makes the people who use it a different caliber which means it is more likely to be used securely.

  25. #25
    M. Johansson
    Quote Originally Posted by samsm
    Actually, you are probably right about .Net being used more securely, too. In addition to whatever is in the framework itself, the very fact that it is more difficult makes the people who use it a different caliber which means it is more likely to be used securely.
    You know, one guy I talked to a while back had a theory that since Windows has so many security issues, that breeds a high quality on the security practices of Windows Hosts. I'm not sure if that's correct or not, but CrystalTech handled the Slammer worm DAMN well.
    Mattias Johansson

