PHP as a security risk

[purplehaze357]

Im in the process of re-designing my school districts webpage. I am the webmaster for the school district and we have discussed changing to php. Our web host (who also host our robotics website) says that it is a security risk and doesnt know if he'll allow it. Can someone inform me on what he is talking about?

Brandon what are your feelings you seem to have a lot of experience with this?

www.udsd.k12.pa.us

thats the site now...

http://ud.akwire.net

is what we're workin on at this time.

thank you in advance

[apk]

May I ask what web server and OS is being run?

[Brandon Martus]

Quote:

Originally posted by purplehaze357

Brandon what are your feelings you seem to have a lot of experience with this?
[/color]

PHP's info about security

They mention: A completely secure system is a virtual impossibility, so an approach often used in the security profession is one of balancing risk and usability.

No matter what OS and/or configuration you are running, as long as you keep up to date with security patches & new releases, you should be fine. We use linux+php at work and deal with alot of highly sensitive data. If you configure it correctly and know how to manitain it, there shouldn't be any security problems running php.

[Rickertsen2]

If properly implemented and kept up to date, the security risks are minimal. Many large scale websites use PHP and do not have any problems.

[purplehaze357]

hah..thank you brandon....i told them this and they said its a security risk blah blah blah...and i knew right where to come for proof...booh yaah

[Brandon Martus]

Show them this:

http://news.com.com/2100-1023-963937.html?tag=lh

and ask them if a large company such as Yahoo would drop their own 100% custom scripting language to use something that is insecure..

[purplehaze357]

thank you...i just sent him an email containg the information and the links that you gave me.

Brandon would you mind, if he needs to talk to someone that has experience running a php server, if i put him in contact with you?

[Brandon Martus]

Quote:

Originally posted by purplehaze357
thank you...i just sent him an email containg the information and the links that you gave me.

Brandon would you mind, if he needs to talk to someone that has experience running a php server, if i put him in contact with you?

Sure.. I don't know how much help I can be, but I'll try

[Rickertsen2]

Quote:

Originally posted by Brandon Martus
Show them this:

http://news.com.com/2100-1023-963937.html?tag=lh

and ask them if a large company such as Yahoo would drop their own 100% custom scripting language to use something that is insecure..

I thought that Yahoo used PHP but I Wasn't 100% so i didn't say anything. Now I know for sure. Thanks, Brandon.

[Joe Ross]

Does this webhost allow other scripting languages, perl, asp, etc?

Any scripting language can be used to create insecure scripts that can be exploited. This is the nature of (any) language. If they don't allow any scripting languages for security reasons, they shouldn't allow php either. However, I have no reason to beleive that PHP is less secure by default then other languages (if not more secure).