January 12th, 2001, 05:35 PM
-
Hi,
We are about to sign a contract with an internet firm that is going to build our website. They have suggested building the site in Perl (using the FastCGI module on a dedicated Apache web server running MySQL).
Security is very important because we are going to give away cash and product prizes to our visitors.
I have been looking around the internet for articles and came across many suggesting that Perl is less secure than PHP.
I would very much appreciate any advice on either programming language, or hints on how to make a solid decision on this matter.
Thank you very much in advance,
Maurits
January 16th, 2001, 04:06 PM
-
It's true that Perl is less secure than PHP, BUT this is only true if the programmer knows nothing about security.
It might be the opposite if the Perl programmer is aware of security issues.
You can choose what you want as long as the firm you are going to make a contract with is trusted.
January 18th, 2001, 10:56 PM
-
That depends on whether you are talking about internal or external.
Internal is other users on the system, like a web host that hosts for different people.
External is, of course, the visitors.
If you are running a stand-alone web server where no other users can have direct (physical) or indirect access to it, then I would say that, from the security point of view, Perl and PHP are the same.
On the other hand, if you are on a shared server, PHP is extremely insecure since PHP scripts often run as a module of Apache instead of as a stand-alone CGI, or your scripts need to be world-readable. As for Perl, your web server can be configured with CGIWrap or suEXEC; this way, nobody except root and yourself can read it.
To put it simply, Perl is more secure than PHP if you also worry about internal users. It's a fact that PHP often has holes or bugs found at least once a month. If you choose PHP, you need to keep your version up to date. You said you will be using the FastCGI module; that is also world-readable, though.
January 18th, 2001, 11:37 PM
-
One problem with PHP
One thing I have noticed is that, without the proper precautions, using the PHP function show_source() is very insecure.
I had a fellow admin give me a regular user account on his server just to prove a point, and I wrote this simple script.
    <?php
    // Posted as a demonstration: the file name comes straight from the
    // query string (register_globals-style $QUERY_STRING), so any file the
    // web server process can read is displayed.
    if (!$QUERY_STRING) {
        show_source("test.php");    // no argument: show this script itself
    } else {
        show_source($QUERY_STRING); // unvalidated user input reaches show_source()
    }
    ?>
call /test.php?/path/to/file.conf
Of course, this simple example gives them only read access, but there are many more things you can do in PHP.
I'm not telling you not to use PHP. I really love PHP compared to Perl. Just giving you a heads-up on something to check for.
Zebbx
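A hardened counterpart to the script above, added here as an example and not part of the thread or written by any of its posters. Instead of passing user input to show_source(), it only displays files from a fixed allow-list under one directory and checks the resolved path against that directory before anything is read. It assumes the viewable files sit in a ./viewable/ directory beside the script and that the request arrives as $_GET['file'] rather than the register_globals-style $QUERY_STRING the original relies on; the function, directory and file names are made up for the example.

```php
<?php
// Added example: a safe replacement for show_source($QUERY_STRING).
// The user never supplies a path; only an exact name from $allow_list is
// accepted, and the resolved path must stay inside $allowed_dir.

// Assumed layout (example only): viewable files live in ./viewable/.
$allowed_dir = realpath(__DIR__ . '/viewable');
$allow_list  = array('example.php', 'readme.txt');

/**
 * Display one allow-listed file, or return false without reading anything.
 */
function safe_show_source($requested, $allowed_dir, $allow_list)
{
    // 1. Reject anything that is not exactly one of the permitted names.
    //    Strict comparison avoids type juggling surprises.
    if (!is_string($requested) || !in_array($requested, $allow_list, true)) {
        return false;
    }

    // 2. Resolve the path and confirm it is really inside $allowed_dir.
    //    This guards against symlinks or traversal even if an allow-listed
    //    name were ever edited carelessly.
    $full = realpath($allowed_dir . DIRECTORY_SEPARATOR . $requested);
    if ($full === false
        || strpos($full, $allowed_dir . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    // 3. Only now hand a trusted, fully resolved path to show_source().
    show_source($full);
    return true;
}

// Default to a harmless file when no parameter is given.
$requested = isset($_GET['file']) ? $_GET['file'] : 'example.php';

if ($allowed_dir === false || !safe_show_source($requested, $allowed_dir, $allow_list)) {
    // Same response for "not allowed" and "does not exist", so the error
    // message reveals nothing about files outside the allow-list.
    http_response_code(404);
    echo 'No such file.';
}
?>
```

The allow-list check alone already stops the /test.php?/path/to/file.conf request from the post; the realpath() check is belt-and-braces so that the directory boundary is enforced by the code rather than by whatever happens to be in the list. On a shared host this still only helps against the external visitors the thread discusses; it does nothing about other local users reading world-readable scripts, which is the separate permissions issue raised above.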