"ASP is more secure than PHP"

“ASP is more secure than PHP” what are your thoughts?

ro0bear :smiley:

You can’t really ask that… it will always depend on the coder. PHP is always associated with security issues because it’s accessibility to newer, more novice “coders.” A PHP application done right can be as secure as any ASP.NET application.

Thats what I suspected, but knowing only PHP, I wanted to check, as somone I was speaking to was adimant that ASP.NET was more secure.

I’ve delt with this before myself and it’s normally asp coders that are un accepting of any other type of coding. It all depends on the coder like was mentioned.

It all depends on the program that is written using either language. Neither language is any more or less insecure than the other if the coding is done properly.

^^^That is the big if. It is definitely much easier to create a PHP app with glaring security holes than to create an ASP.NET app with glaring security holes. That said, you can shoot yourself in the foot with either language easily enough.

What about a PHP.NET app? How would that compare with regard to the ease of creating security holes?

Never really worked with it, so I can’t say for certain. I would guess that you are probably halfway in between. You will still pick up alot of the underlying security features from the way .NET handles Http and you will be working in a type-save CLR environmnent, but you can still have lots of the top-of-the-stack issues PHP is famous for if you don’t follow good coding practices otherwise.

Side Note: what is the fetish with PHP.NET? I can’t think of anyone using it in production these days . . .

The fact that PHP.NET exists demonstrates that PHP and .NET are two totally different things and comparing them is meaningless.

What you would need to do is to compare vb.net, jscript.net, c++.net, php.net etc

or compare all the same languages running in a different environment.

Neither of those layers is the one where all the security issues occur either - they all happen at the application program level and the security or otherwise of the programs is relative to the experience of the people writing the programs. If you have experienced programmers writing the programs then there will be minimal security issues regardless of the language.

The least secure languages are therefore the ones that the newbies choose to use BECAUSE they are chosen to be used by newbies rather than because the languages themselves are insecure.

Most of the responsibility of maintaining secure applications belongs to the coder. You can write bad code in any language.

Be that as it may, some languages seem to be more conducive to having security holes, based on the kind of features available to them and whatever the standard coding practices are. Take for example features such as register_globals and allow_url_fopen in PHP - they don’t automatically create security holes but if you are not extremely careful you can leave the application wide open. Features such as this should be phased out because they make it entirely too easy to make a mistake. Fortunately, they were removed.