ASP (not the snake) VS PHP

My Database teacher claims that PHP is very insecure, and that most businesses use ASP because it is much more secure. Looking online, it seems there are a lot of hits with people defending ASP by saying it is AS secure as PHP, which suggests many people think it is less secure than PHP.

Without getting into opinions a la Microsoft VS Open Source, from a factual point, can ASP and PHP be equally secure, or is there something about PHP that makes it inferior from a security standpoint?

Is my teacher passing his opinions/biases onto us students? Is PHP not secure enough for web apps or am I being deceived?

Your database teacher is comparing apples and oranges.

PHP is a programming language which specializes in creating web applications. (Though it can do other things.) PHP can run either in a CGI environment or as a built-in web server module. (mod_php with Apache.)

ASP is an interface specification for sending dynamic content to Microsoft’s IIS server. ASP pages can be written in VBScript or JScript, or most any other language. To that end, ASP is more similar to CGI than any particular programming language.

All that said, both PHP and ASP have a large number of security issues. Most can be eliminated by good programming and administration practices; some, such as the occasional buffer overflow, are problems with the products themselves that can be solved via software updates. PHP, being open-source, generally has a much faster release cycle for these kinds of critical problems, though (IMHO) the language and compiler design leaves something to be desired.

Perhaps you could challenge your teacher to specifically cite examples of the alleged insecurity of PHP vs the alleged superiority of ASP. After all, as a learning exercise you would think such examples would be beneficial to students trying to learn the correct way to do something, rather than just telling them something is wrong without explanation.

It is possible to write a secure PHP application. The problem is that PHP doesn’t encourage you to write a secure application, and makes it quite easy to write an insecure application. For example, a lot of people construct SQL queries as follows:

"SELECT * FROM users WHERE userid=" . $USERID

A lot of hacks have been added to the language to try to make this kind of thing secure (magic_quotes, mysql_escape_string, mysql_real_escape_string) when really, parameterized queries are the way to go. Now PHP does have parameterized queries, but you have to know about them to use them, and pretty much all tutorials don’t use them.

Coincidentally, March is the Month of PHP bugs. At least one new PHP security bug will be unveiled every day this month – and by today (March 2nd), they’re already up to 5 bugs.

But ASP has the same problem. Most books only mention parameterized queries in passing if at all.
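The concatenation pattern criticised in the answer above, placed beside the parameterized form it recommends. This is an added example, not code from the original post: it assumes PDO with the SQLite driver, an in-memory database and constructed user rows, so it runs stand-alone. For the hostile input the concatenated query returns every row, while the prepared statement treats the same string as a plain literal and matches nothing.

```php
<?php
// Added example (not from the original post). Builds an in-memory SQLite
// database through PDO with constructed rows, then runs the same lookup
// two ways: string concatenation versus a parameterized query.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Vulnerable: the request value is pasted straight into the SQL text, so
// anything the caller sends becomes part of the statement the engine parses.
function findUserConcat(PDO $db, string $userid): array
{
    $sql = "SELECT * FROM users WHERE userid=" . $userid;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Parameterized: the query text is fixed at prepare time and the value is
// bound separately, so it can only be compared as data, never parsed as SQL.
function findUserPrepared(PDO $db, string $userid): array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE userid = :id');
    $stmt->bindValue(':id', $userid, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal id and a tautology string of the kind an
// attacker would submit in the userid field.
$benign  = '2';
$hostile = '1 OR 1=1';

printf("concat,   benign:  %d row(s)\n", count(findUserConcat($db, $benign)));
printf("concat,   hostile: %d row(s)\n", count(findUserConcat($db, $hostile)));
printf("prepared, benign:  %d row(s)\n", count(findUserPrepared($db, $benign)));
printf("prepared, hostile: %d row(s)\n", count(findUserPrepared($db, $hostile)));
```

The same contrast holds for MySQL through PDO; only the DSN and the CREATE/INSERT setup lines change.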

I honestly can’t think of a reason why one would be more or less secure.

JSP and C based CGI applications, etc. at least have static typing, so there’s a better chance of catching run-time errors and buffer overflows. Neither ASP nor PHP do though, so I’d say that as far as a simple language (or platform in the case of ASP) can go in terms of security, there’s no real difference.

An interesting question for the instructor is whether he is talking about ASP or ASP.Net. If he’s not sure, or asserts that the two products’ security-worthiness is the same, he’s proven he doesn’t know what he’s talking about.