
Is PHP secure?

WarDemon666

Platinum Member
I was wondering how secure this is. If someone was to install PHP to their server, would there be a greater security risk? (knowing ASP and CGI are enabled)

Thanks!
 
Without enabling it there is no security threat if the system is not a multi-user system (i.e. web server, Windows, etc.). It all depends on the PHP code. If he writes good code he should be OK; if not, then he'd better watch out.
 
The system is a free web hosting service, any user can sign up for free.... So your advice would be not to install PHP? And is there a risk with ASP and CGI already installed?
 


<< The system is a free web hosting service, any user can sign up for free.... So your advice would be not to install PHP? And is there a risk with ASP and CGI already installed? >>



For free deals like that the best bet is to not install any of that. Or at least make sure the permissions are good. If the user doesn't have permissions to touch a certain part you have less to worry about. Is this a UNIX-like OS or Windows? And all ASP/CGI things have similar problems.
 


<< The OS is Windows 2k Server. The users are pretty secure. >>



You know, it sounds to me like you're fishing for flames.

It's common knowledge that ASP and CGI aren't inherently secure. You state that you already have them running and are asking about the security of PHP. I get the impression that you are baiting the Linux junkies to blather on about how incredibly great PHP is compared to ASP or even CGI.

You go on to say, "The OS is Windows 2k Server. The users are pretty secure." This comes off as even more flame-bait. You didn't get a rise out of the PHP thing, so you go on to mention Win2K. It's common knowledge that Win2K has a new security bulletin issued each week or so to close holes.

So how was that? Did I jump through the hoops by denigrating ASP and Win2K?

If your question was genuine, which I obviously doubt, then the answer is: What the hell, install it. It can't make your system any less secure than it already is with ASP and CGI support running on Win2K Server (presumably running IIS), and it will give your users another language option.
 
If your permissions are not set up correctly, then I can sign up for a free account and write a PHP, or ASP, or CGI script that will erase all sorts of important files from your server 😉

You may want to test your security...
 
PHP is server side scripting, hence it's pretty darn secure. I've been using it for the past three years, and really like it.
 


<< PHP is server side scripting, hence it's pretty darn secure. I've been using it for the past three years, and really like it. >>



Doesn't matter that it's server-side. I can write server-side scripts to let visitors to a site "touch metal" on the server. I can write scripts with holes that let the server act as a spam relay. I can write forum software similar to what Anandtech uses but that will let people post code that will hijack visitors' browsers. Those are all examples of bad coding (and I've been guilty of some of them.) Being server side doesn't make a script more or less secure, good coding does.
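As an added illustration of the point above (this code is not from the thread or any poster), a minimal PHP "post rendering" function in its unsafe and safe forms: the unsafe one echoes a member's post verbatim, so a post containing script markup runs in every visitor's browser, while the safe one HTML-escapes the post first. The function names and the sample post are constructed.

```php
<?php
// Added example, not from the thread. Two ways a server-side script
// can render a forum post; only one of them is "good coding".

// Unsafe: interpolates the post straight into the page. The browser
// cannot tell the member's markup from the site's own, so any script
// tag in the post executes in the visitor's browser with the site's
// origin (cookies, session, everything).
function render_post_unsafe(string $author, string $body): string {
    return "<div class=\"post\"><b>$author</b><p>$body</p></div>";
}

// Safe: escape every user-supplied string before it reaches HTML.
// htmlspecialchars() turns < > & " ' into entities, so the post is
// displayed as text rather than interpreted as markup.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_post_safe(string $author, string $body): string {
    return '<div class="post"><b>' . esc($author) . '</b><p>' . esc($body) . '</p></div>';
}

// Constructed sample post: the kind of thing any member could submit.
$author = 'member1';
$body   = 'Nice board! <script>alert("your browser now runs my code")</script>';

echo "Unsafe:\n" . render_post_unsafe($author, $body) . "\n\n";
echo "Safe:\n"   . render_post_safe($author, $body)   . "\n";
// The safe output carries &lt;script&gt; entities, which the browser
// shows literally; the unsafe output carries a live <script> element.
```

The same rule applies to every other sink (mail headers, file paths, shell commands): the language running on the server is irrelevant, what matters is that user input is validated or encoded for wherever it ends up.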
 


<<

<< PHP is server side scripting, hence it's pretty darn secure. I've been using it for the past three years, and really like it. >>



Doesn't matter that it's server-side. I can write server-side scripts to let visitors to a site "touch metal" on the server. I can write scripts with holes that let the server act as a spam relay. I can write forum software similar to what Anandtech uses but that will let people post code that will hijack visitors' browsers. Those are all examples of bad coding (and I've been guilty of some of them.) Being server side doesn't make a script more or less secure, good coding does.
>>



I assumed that "good coding" was a prerequisite for creating a database-driven site. 😉
Of course with badly written code anything can happen, but if you write it properly, there really isn't any easy way that someone can come along and hack your site or do anything malicious with server-side scripting. Or, at least it's more difficult.
 
Wardemon666 was asking the question for both of us. We had never heard of PHP before. Now I've been reading a bit about it and it seems like the script to use. I'm setting up a completely new server again using Win2k/Exchange 2k. I plan to completely change the scripts and make this new server as secure as I can.


Win2k, Linux? Which to use? I've been using win2k for the ease of use and the remote administration such as terminal server.

Now you guys seem to be saying that Win2k is insecure. Anandtech uses Win2k, and he seems pretty secure. I don't want to flame-bait anything, and I'm not, because I know nothing about Linux and its security so I can't judge it.

What advantages would I have from switching to Linux? What disadvantages?

Hope you understand this confusing message, and I don't know why wardemon666 posted it in Off Topic, but since the thread is already started let's just continue here.

Thanks to everyone that takes the time to read.
 
Win2k is less of a security problem than Exchange. And Exchange should really have its own machine. Unless this is an internal mail server, Exchange should be your last choice.
 


<< Now you guys seem to be saying that Win2k is insecure. Anandtech uses Win2k, and he seems pretty secure. I don't want to flame-bait anything, and I'm not, because I know nothing about Linux and its security so I can't judge it. >>



Like any OS, Win2K is made secure by which services/daemons are running. With Windows it's harder to verify the security of various services because it's a proprietary platform. Generally holes are only plugged after they've been compromised. Now you can make Win2K pretty tight just by disabling all the MS web services such as IIS and Exchange. That's what we've done and that appears to be what Anandtech has done. Anandtech uses Apache for their web server.
 
There is only one rule when setting up a web server, do NOT use IIS. The rest just depends on what you want to use.

If you must use IIS for ASP support then have a separate machine for that; for everything else use Apache.
 


<< There is only one rule when setting up a web server, do NOT use IIS. The rest just depends on what you want to use.

If you must use IIS for ASP support then have a separate machine for that; for everything else use Apache.
>>



Or you could run Chilisoft ASP, which runs ASP under Linux.
 


<< Or you could run Chilisoft ASP, which runs ASP under Linux. >>


Yeah, but I've heard that it isn't exactly finished and doesn't support everything right now, but they will, so screw IIS 😉
 


<<

<< Or you could run Chilisoft ASP, which runs ASP under Linux. >>

Yeah, but I've heard that it isn't exactly finished and doesn't support everything right now, but they will, so screw IIS 😉
>>



I don't think it will support everything, but we'll see. I'd be all for running Chilisoft ASP if it ran ASP as well as IIS. It's too bad for M$; I really like the way IIS works, but the security suxors.
 


<<

<<

<< Or you could run Chilisoft ASP, which runs ASP under Linux. >>

Yeah, but I've heard that it isn't exactly finished and doesn't support everything right now, but they will, so screw IIS 😉
>>



I don't think it will support everything, but we'll see. I'd be all for running Chilisoft ASP if it ran ASP as well as IIS. It's too bad for M$; I really like the way IIS works, but the security suxors.
>>



Aren't the security aspects a big part of how it "works"? It's like saying I like how a car runs but too bad it's missing a steering wheel.
 
Also, the last time I tried the PHP module for IIS it didn't exactly work well; IIS kept crashing, though it might be just because it's IIS. That was version 3-something; now they are up to 4.1.


Anyway, IIS is very much like some guy described it: "IIS has a lot of features, just too bad they are all enabled by default" 😉
 


<<

<<

<<

<< Or you could run Chilisoft ASP, which runs ASP under Linux. >>

Yeah, but I've heard that it isn't exactly finished and doesn't support everything right now, but they will, so screw IIS 😉
>>

I don't think it will support everything, but we'll see. I'd be all for running Chilisoft ASP if it ran ASP as well as IIS. It's too bad for M$; I really like the way IIS works, but the security suxors.
>>

Aren't the security aspects a big part of how it "works"? It's like saying I like how a car runs but too bad it's missing a steering wheel.
>>



I was speaking of the functionality and support for ADO and other objects. You have a good analogy there, except I'd say it was like driving a car with no air-bags and seat belts. Chances are you won't get into an accident, but if you do, you're screwed. The performance of IIS is perdy darn good; I just wish it was safer to use.
 


<< Also, the last time I tried the PHP module for IIS it didn't exactly work well; IIS kept crashing, though it might be just because it's IIS. That was version 3-something; now they are up to 4.1. Anyway, IIS is very much like some guy described it: "IIS has a lot of features, just too bad they are all enabled by default" 😉 >>



I'm running PHP 4.1 on my IIS box, runs fine and stable.
 


<<

<<

<<

<<

<< Or you could run Chilisoft ASP, which runs ASP under Linux. >>

Yeah, but I've heard that it isn't exactly finished and doesn't support everything right now, but they will, so screw IIS 😉
>>

I don't think it will support everything, but we'll see. I'd be all for running Chilisoft ASP if it ran ASP as well as IIS. It's too bad for M$; I really like the way IIS works, but the security suxors.
>>

Aren't the security aspects a big part of how it "works"? It's like saying I like how a car runs but too bad it's missing a steering wheel.
>>



I was speaking of the functionality and support for ADO and other objects. You have a good analogy there, except I'd say it was like driving a car with no air-bags and seat belts. Chances are you won't get into an accident, but if you do, you're screwed. The performance of IIS is perdy darn good; I just wish it was safer to use.
>>



Put an unpatched box out on the internet. See how quickly it gets cracked. You can drive a car without a steering wheel. You will go in a straight line and *QUICKLY* hit something, much like an IIS server can be quickly cracked. Anyhow, I didn't want to start a debate about it; I want to use Zeus myself but I can't afford $1700 right now 😉
 