Why is php less secure than asp?
01-25-2008, 04:45 PM Why is php less secure than asp?
Novice Talker

Posts: 4
Through research and current work, I find that PHP is more susceptible to hackers or other intrusions, whereas ASP is not as high of a target. Am I correct?
iLLuSi0nS is offline
01-25-2008, 04:57 PM Re: Why is php less secure than asp?
chrishirst's Avatar
Super Moderator

Posts: 19,022
Location: Blackpool. UK
It's not a matter of being "less" secure.

It's simply a matter of there being far more applications written for PHP, often by young, novice and inexperienced programmers who are simply not aware of the security implications in some of their code.
Also, a great deal of PHP software is open source and written by a "committee" of programmers, so the code is readily available for download and can be examined for possible security flaws by any "cracker" or "script kiddie".
So any "holes" are soon found and exploited.
__________________
Chris. ->> Links are advertising NOT optimising!! <<-
Indifference will be the downfall of mankind, but who cares?
Code Samples | People Counting System | Bits & Bobs
chrishirst is offline
01-25-2008, 05:29 PM Re: Why is php less secure than asp?
Novice Talker

Posts: 6
It is dependent on the person doing the programming. PHP happens to be a lot more forgiving and flexible, and traditionally people tend to forget best practices and common sense when it comes to handling user input. A lot of the more seasoned developers have been burned by bad implementation and are not as trusting of user input and structure as a new programmer.

Since it's an easy language to learn, there are always a lot of new programmers who pick up PHP without understanding security in web applications.
shaftian is offline
01-25-2008, 06:00 PM Re: Why is php less secure than asp?
Experienced Talker

Posts: 30
Name: dan
Quote:
Originally Posted by iLLuSi0nS
Through research and current work, I find that PHP is more susceptible to hackers or other intrusions, whereas ASP is not as high of a target. Am I correct?
No, you're not correct.
dknight3 is offline
01-25-2008, 06:48 PM Re: Why is php less secure than asp?
ADAM Web Design's Avatar
Canadastaninianite

Posts: 5,945
Name: Adam for web page design, not program
Location: Toronto, Ontario, Canada
Neither language is "more" or "less" secure. As Hirst pointed out, more errors and security holes tend to occur in PHP scripts because many of them are open source (and as such, are open to any idiot hacker who comes along). And as shaftian said, many PHP programmers tend to be novice programmers (since they're told how great it is by others, go into it without considering everything, and trip over themselves).

There's also a combination of the two ideas, whereby open source scripts are put together by novice programmers. They learn the hard way.
ADAM Web Design is offline
01-26-2008, 11:34 AM Re: Why is php less secure than asp?
Novice Talker

Posts: 6
Name: Larry Dozier
I have to agree. PHP isn't inherently insecure, but you can definitely write insecure and sloppy code with php, asp, vb, perl or even c#. It's not so much the language as it is the programmer.
__________________
Larry Dozier
123 eCart Online Shopping Cart
1-866-990-CART
123ecart is offline
01-26-2008, 07:41 PM Re: Why is php less secure than asp?
Experienced Talker

Posts: 35
Name: Gjore Sazdovski
Agree with everyone, PHP is more widely spread, and also LOTS of that work (I can almost say ALL of PHP work except for those sites that use their own custom cms/php code they don't publish on the net, mostly social sites) is released source-open to the public... of course when you have the code in front of you, finding a security hole is very easy

BUT... although the PHP code gets more exploited than ASP code, from my experience I think that ASP SERVERS get a lot more attacked and breached... as some would say... "MS sh*t"

another thing is that feeling when you code in PHP and when you code in ASP... I think that almost everyone felt the same way when they opened up ASP for the first time... you start a project and you get a folder full of files and stuff you wonder "wtf are these for" and when you open up PHP... all you do, you can do it in one single file that holds everything (not talking about BIG projects and CMSs)... gives you a better feeling

in my opinion... I'd rather try my best to make a less-vulnerable PHP app, than run a good app on a more-vulnerable server

Cheers
Gjore.S is offline
01-27-2008, 02:08 PM Re: Why is php less secure than asp?
JeremyMiller's Avatar
Full-Time TeraTasker

Posts: 1,255
Name: Jeremy Miller
Location: Marianna, FL
First, good job by thinking about security before beginning to code. If more people did that, you wouldn't be asking your question. I code in PHP only (server side langs). I have also taken a lot of time to research hacking methods to help ensure that my programs don't open holes on the server. I highly recommend that whichever language you use, that you first research common methods of hacking the language and security recommendations so that your code -- again, whichever language you use -- is as secure as possible.

That said, there are no unhackable programs/systems of any non-trivial degree of complexity. With enough time and resources, just about anything short of OTP encryption can be hacked. And, don't forget that it's generally speaking far easier to social engineer than hack well-written code and your only protection against that is well-trained users.

There seems to be this common perception that hacking open source code is easier than closed source. While in certain cases that may be true, I suggest that it's not true in general. Programs have been written which perform automated attacks against systems searching for the characteristics of security flaws so, so long as the flaw exists, it can usually be discovered. The advantage open source has is that educated users of the source will point out, and possibly correct, obvious flaws, so as the saying goes "2 heads are better than 1."
__________________
Jeremy Miller - TeraTask Technologies, LLC
Content Farmer - Automated Posting for Content & Blog Sites
JeremyMiller is offline