
View Full Version : Is PHP secure?



Jas
04-01-2007, 12:49 AM
I don't know much about PHP, but I was wondering how secure it is for tasks like holding user information and passwords, etc.

Can anyone shed some light here?

mburt
04-01-2007, 01:10 AM
PHP is secure... to a point. It's completely invisible to the user when executed as a file on the web. But a determined hacker could probably get it, no matter what. But it's definitely better than JavaScript for password/username validation.

Example:

<?php echo "test"; ?>
would be outputted on the web as "test". Even if you hit view source, you'd only see the "test".

thetestingsite
04-01-2007, 02:12 AM
But a determined hacker could probably get it, no matter what.


Only if you either show them the source code, or they gain access to your server (which your php scripts are hosted on). Although, if you have any decent webhost, you shouldn't need to worry too much about this.

Hope this helps.

mburt
04-01-2007, 02:41 AM
or they gain access to your server (which your php scripts are hosted on)

Bingo. Try typing in Index Of: /etc in google

thetestingsite
04-01-2007, 02:43 AM
Wow, that's a lot of sites. They either run their own server, or have crappy webhosts/ISPs, or both!

joycie
04-01-2007, 08:16 AM
Bingo. Try typing in Index Of: /etc in google
Is there a way to check if my site is one of them?

killerchutney
04-01-2007, 11:16 AM
Yes, create a directory with some random files in it, none called index or something that will redirect the browser if you type in http://www.whatever.com/directory/

And if when you type that in it shows a list of all the files in the directory then they could get access to your php scripts.

On my webhost (streamline.net) it says cannot show directory contents.

boxxertrumps
04-01-2007, 05:13 PM
I seem to be safe...

Index of: etc/ site:boxxer.mooo.com (http://www.google.ca/search?as_q=Index+of%3A+etc%2F&hl=en&client=firefox&rls=org.mozilla%3Aen-US%3Aunofficial&hs=Ggi&num=10&btnG=Google+Search&as_epq=&as_oq=&as_eq=&lr=&as_ft=i&as_filetype=&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=boxxer.mooo.com&as_rights=&safe=images)

Twey
04-01-2007, 05:15 PM
PHP has a long history of security issues. It's widely considered rather insecure.

PHP flaws aside, though, it's as secure as you write it.

mburt
04-01-2007, 09:14 PM
More secure than javascript. Heck, javascript doesn't even try to be secure.

Twey
04-01-2007, 10:05 PM
Whitebeam (http://www.whitebeam.org/) is pretty secure, and that involves Javascript. I think you're confusing client-side and server-side code. Client-side code (in any language) is not meant to be secure, and it's daft to make comparisons between them. Thus, I was comparing PHP with other server-side languages, not with client-side code.

mburt
04-01-2007, 10:19 PM
Client-side code (in any language) is not meant to be secure
So may I ask why people attempt to do username/password logins with JavaScript?

thetestingsite
04-01-2007, 11:14 PM
So may I ask why people attempt to do username/password logins with JavaScript?

It is either because they do not know how to use server-side languages (or if they even exist), or they want to use a quick and simple fix. People are unpredictable (spelling?)

Titan85
04-02-2007, 12:29 AM
As long as there is a page called index in the folders, searching for the content of that folder will only show what is on the index page.

Twey
04-02-2007, 12:44 PM
Not necessarily, it depends on server config. "index.htm," "index.html," and "index.php" are just common defaults.
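
An added example (not from any poster in this thread) that automates killerchutney's manual test for a directory on your own site and reports the case Twey describes, where the server answers with an index or other page instead of a listing. The function names, verdict strings and sample HTML are assumptions constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# Markers emitted by auto-generated listings: Apache/nginx use "Index of /...",
# IIS directory browsing prints "[To Parent Directory]".
LISTING_MARKERS = re.compile(
    r"<title>\s*Index of /|<h1>\s*Index of /|\[To Parent Directory\]", re.I
)
HREF = re.compile(r'<a\s+href="([^"]+)"', re.I)


def classify(status, body):
    """Map an HTTP status and body to the outcome of the directory test."""
    if status == 200 and LISTING_MARKERS.search(body):
        return "listing-enabled"   # file names in the directory are exposed
    if status == 403:
        return "listing-denied"    # server refuses to show directory contents
    if status == 404:
        return "not-found"         # test directory missing, result inconclusive
    return "other-page"            # an index file or custom page was served


def listed_names(body):
    """Return entry names from a listing, skipping sort links and parent dir."""
    return [n for n in HREF.findall(body) if not n.startswith(("?", "/", "../"))]


def check_directory(url, timeout=10):
    """Fetch a directory URL on your own site and classify the response."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirlist-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            verdict = classify(resp.status, body)
            return verdict, (listed_names(body) if verdict == "listing-enabled" else [])
    except urllib.error.HTTPError as err:
        return classify(err.code, ""), []


# Constructed sample of an Apache-style listing (not captured from a real site).
SAMPLE_LISTING = """<html><head><title>Index of /testdir</title></head><body>
<h1>Index of /testdir</h1><pre><a href="?C=N;O=D">Name</a>
<a href="/">Parent Directory</a>
<a href="a8f3.txt">a8f3.txt</a>
<a href="config.php">config.php</a></pre></body></html>"""

if __name__ == "__main__":
    print(classify(200, SAMPLE_LISTING), listed_names(SAMPLE_LISTING))
    print(classify(403, "Forbidden"))
```

A "listing-denied" verdict corresponds to the "cannot show directory contents" response mentioned earlier in the thread; "other-page" means the test directory was not empty of index files as far as the server's configuration is concerned.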

Jas
04-03-2007, 01:25 AM
WOW!
Lots of info. Thanks all.

So the question is now, is there any better alternative?

thetestingsite
04-03-2007, 01:31 AM
So the question is now, is there any better alternative?

For what purpose? As said before (I believe by Twey), code is only as secure as the coder makes it. (I know, not exact wording, but close enough).

Hope this helps.

Titan85
04-03-2007, 01:50 AM
PHP is the most used web programming language for interacting with databases (if not the only one) by far. For some things you can use javascript, but for a lot of stuff PHP is the only way to go, such as storing data in a database.

Jas
04-03-2007, 04:24 PM
PHP is the most used web programming language for interacting with databases (if not the only one) by far. For some things you can use javascript, but for a lot of stuff PHP is the only way to go, such as storing data in a database.

That settles it then! I shall learn PHP. I have already started thanks to some google searches.

Thanks everyone!

Twey
04-03-2007, 04:31 PM
For some things you can use javascript, but for a lot of stuff PHP is the only way to go

PHP isn't the only server-side language, just the most common. Other languages and frameworks tend to make things easier, and don't have PHP's reputation for insecurity. Personally I enjoy working with Python and Django; I have a friend who speaks highly of Perl for web development; and of course, Ruby is becoming more popular now with the advent of the Rails framework. PHP is certainly worth learning just because of its popularity, but for your own site you shouldn't feel locked in.

djr33
04-06-2007, 03:19 PM
If you make a script that allows someone to delete your entire site and crash your server... well... it's just doing its job. It isn't "secure" I suppose, but that's beside the point.
There are certainly possible security flaws, but there are also ways to be sure it is secure.
<?php echo "test"; ?> as a page within itself would not present a security threat in any way. But... more complex code might, if there are holes or weaknesses.