security of PHP

joon

What do you think of the security of PHP?

Someone said PHP is superior than ASP in security because it's source is widely opened.

I don't understand this.
If source is opened, I think, hackers can easily hack.

What do you think about this?

Mordecai

Well, there are some faults in the words you hear, but there is also truth behind them. There's no real way to tell if it is more secure than ASP, as they are two very different languages.

Open-source can mean two things: people will analyze and find security holes and spread them among themselves to do damage, or those who notice the bugs will submit them to the PHP staff. Since it seems people choose the latter of the two choices with PHP, the project is very secure.

matt_4013

Yeah, there are really two points that conflict with each other here. Due to the fact that it's open source, it DOES allow malicious users to look at the source and find any potential weaknesses. But then there's the opposite point, due to the fact that it's opened, it allows helpers to find and fix any potential security threats before they can be exploited by said hackers.

Personally I agree more with the second argument. I believe that there will almost always be potential security flaws in software, because it's VERY hard to think of every eventuality, but when you've got a hell of a lot of people working on it, and working on it for the betterment of the software and not because it's their job, I think you're more likely to find and fix these flaws before somebody can really exploit them that much, whereas a closed source commercial language like asp has a select team working on it, and more than likely just working for the money, rather than the love of it (this point is not based on fact, but mere assumption), and as such are not trying to create the "perfect" application, but are just trying to make it useable for everyone.

My 2 cents,
Matt

joon

Okay, now I understand what are points.

I believe the second point.