I have a friend who is very skeptical about using PHP because of the open source environment -- among other things. He seems to feel that data and code are more secure with Microsoft ASP or something that isn't so "open source".

Can anyone give me reasons why PHP is considered unsafe or less secure than other software?

Thanks

Mark

    No,
    but I can give you a list of why open source is much more secure than anything proprietary.

    Really it just boils down to this: any open source development is under intense scrutiny because the code is exposed to everyone to review and voice their concerns over. Collaboration is the key component of open source, and that is why fixes are faster, most issues are identified prior to release, and much more stability is maintained.

    I'm sure that there are some good articles/white papers out there on the benefits of open source as opposed to a closed environment. Anyone?

      How about looking at the track record?
      PHP hasn't had major security issues for as long as I remember (I don't count the file-upload issues as very serious; and the engine=off problem was only a problem in very rare cases).

      However, ASP has had several deadly vulnerabilities where the ASP source could be revealed by simply adding certain arguments to the GET-string...

      About general data security:
      Open source operating systems may be configured to be very safe. However, the system administrator does have to have some skills; that goes for most things in this world.

        Open source means that there are tons of people that can not only find bugs but also check them personally and fix them.

        This results in more eyes viewing the code for bugs and faster fixes.

        Fixes are available shortly after a security bug has been found, and not delayed and denied until service pack time.

        This also means that you have to check the proper sites to be up to date.

        But PHP has been fairly safe from major bugs from what I can tell, even though PHP is used on so many sites (numbers growing at an amazing rate).


          The fact that the source is available does not mean a single thing about how the product is going to run on your server.

          After all, it's you who downloads the software directly from the creators, and it's you who installs it.

          Where is the difference between that and buying a CD with software and installing it?

          As the others have mentioned, open source is subject to a lot more criticism than M$, because everybody can look at the PHP source and see what could be the problem. All you can say about M$ products is that they are full of bugs and security holes. You can't look at the source and tell the M$ boys where the problem is. Which means they have to work from bug reports and issue a service pack (when they think it's important enough), so you can spend a few hours downloading a xx Meg file that fixes one bug and creates many new ones :-)

          This is turning into an anti-M$ post... lovely :-)
