#1
    Hi,

    We are about to sign a contract with an internet firm who's going to build our website. They have suggested to build the site in perl (using the fast cgi module on a dedicated apache webserver running mysql).

    The security issue is very important because we are going to give away cash and product prices to our visitors.

    I have been looking around the internet for articles and came across many articles suggesting that perl is less secure than php is.

    I would very much appreciate any advice on either programming language or hints on how to make a solid decision on this matter.

    Thank you very much in advance,

    Maurits


#2
    It's true that Perl is less secure than PHP, BUT this is only true if the programmer knows nothing about security.

    It might be the opposite if the Perl programmer is aware of security issues.

    You can choose what you want as long as the firm you are going to make a contract with is trusted.
#3
    That depends on whether you are talking about internal or external.
    Internal is other users on the system, like a web host which hosts for different people.
    External, of course, is the visitors.

    If you are running a stand-alone web server where no other users can have direct (physical) or indirect access to it, then I would say, from the security point of view, Perl and PHP are the same.

    On the other hand, if you are on a shared server, PHP is extremely insecure since PHP scripts often run as a module of Apache instead of as a stand-alone CGI, or your scripts need to be world readable. As for Perl, your web server can be configured with cgiwrap or suexec; this way, nobody except root and yourself can read it.

    To put it simply, Perl is more secure than PHP if you also worry about internal users. It's a fact that PHP often has holes or bugs found at least once a month. If you choose PHP, you need to keep your version up-to-date. You said you will be using the FastCGI module; that is also world readable, though.
#4
    One problem with PHP



    One thing I have noticed is that, without the proper precautions, using the PHP function show_source() is very insecure.

    I had a fellow admin give me a regular user account on his server just to prove a point and I wrote this simple script.

    <?php
    // $QUERY_STRING is populated from the request only when register_globals
    // is on (common at the time). Without a query string, show this file itself.
    if (!$QUERY_STRING) {
        show_source("test.php");
    } else {
        // The query string is passed straight to show_source() with no check,
        // so any file the web server user can read is displayed.
        show_source($QUERY_STRING);
    }
    ?>

    call /test.php?/path/to/file.conf


    Of course this simple example gives them only read access, but there are many more things you can do in PHP.

    I'm not telling you to not use PHP. I really love PHP compared to perl. Just giving you a heads up on something to check for.

    Zebbx
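    The same script written so that it can only display files from a fixed allowlist, as an added example (not Zebbx's code or anything from the thread). It reads the query string explicitly instead of relying on register_globals; the directory name and the file names in the allowlist are assumptions.

```php
<?php
// Added example: a safer variant of the show_source() snippet above.
// Only files named in ALLOWED and located inside SOURCE_DIR are shown.
// SOURCE_DIR and the ALLOWED entries are assumed values for illustration.
declare(strict_types=1);

const SOURCE_DIR = __DIR__ . '/viewable';        // assumed directory
const ALLOWED    = ['test.php', 'helper.php'];  // assumed allowlist

/** Resolve a requested name to a real path inside SOURCE_DIR, or null. */
function resolve_viewable(string $requested): ?string
{
    // Drop any directory component so "../etc/passwd" becomes "passwd".
    $name = basename($requested);
    if (!in_array($name, ALLOWED, true)) {
        return null;                             // not on the allowlist
    }
    $real = realpath(SOURCE_DIR . '/' . $name);
    $base = realpath(SOURCE_DIR);
    // realpath() returns false for a missing file; the prefix check also
    // rejects a symlink inside the directory that points somewhere else.
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Read the request explicitly; no dependence on register_globals.
$requested = $_SERVER['QUERY_STRING'] ?? '';
$path = resolve_viewable($requested === '' ? 'test.php' : $requested);

if ($path === null) {
    http_response_code(404);
    echo 'No such viewable file.';
} else {
    show_source($path);   // same call as the original, now on a vetted path
}
```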
