help me convince my boss on PHP

phpadvocate

Hi,

I have developed a slick admin for a part of our company web site. This is replacing an existing admin that is obscure and has a bad GUI which, due to the obscure language and setup, can't be edited by anyone in here but only by the company who developed it.

Someone in here has vetoed using PHP as they say it isn't a secure technology. Does anyone have any information as to security holes in PHP and any problems it can cause. Is it it any less secure than PERL or ASP? If there are security holes, how can I fill them?

Any help and advice on this is appreciated.

cyclops

what is the reason for 'Someone' to veto PHP as being insecure ?
like any other scripting-language security depends on the internal code

think of this (as an argument) :
you can install the most expensive lock on your door, but if you forget to lock it, it is as strong as the cheapest lock

martincrumlish

The person who vetoes PHP is way up the ladder from me and hasn't elaborated on these security issues but from what I can see my code is as tight as need be for the type of application.

What I was wondering was, are there any inherent security issues that would set PHP apart from ASP and other web dev technologies?

cyclops

check this page (if you didn't already)
http://www.php.net/manual/en/security.php

spstieng

I guess the level of security is how well the server is configured (php.ini file, apache whatever file etc). And if the server is behind firewalls and a coupple of routers.... well, I would assume the source code to be pretty secure.

Here's some threads on security issues.
http://www.phpbuilder.com/board/showthread.php?s=&postid=10372438#post10372438

http://www.phpbuilder.com/board/showthread.php?s=&threadid=10245425

And other reasons:
PHP is FREE! (contra asp and .net)
PHP has good technical support
Great comunity for help (like here)
It's a fast growing ad hoc standard
It's extremely easy to learn (unlike .net and asp)
and did I mention that it is FREE?

If upper management tells you it is insecure, ask them to elaborate on that. Can they document it? Because if they know it, they must have gotten the information from somewhere.

And if I'm not mistaken, even HIGHER management allways counts nickles and dimes. Just show them how much they will be saving.
e.g. asp.net with oracle vs PHP with MySql.