PHP Security Flaws? [closed]

As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance. Closed 11 years ago.

Our team is developing a web app in the financial space using PHP. The big question that comes up first is always security related. What are the main security risks associated with PHP or scripted 开发者_如何学JAVAlanguages in general verus a more accepted (in the space) Java written app?

---

Programming languages are generally not inherently secure or insecure (barring any bugs/ exploits). The code written with them is however. Provided the code is securely written the PHP is fine.

---

The only difference I can think of with scripted languages is that in many of those, including PHP, you have eval with its associated risks. If you don't use it, I don't think there's a real difference regarding security.

The PHP engine itself might have some more leaks than Java, since a large part of the functions you use in PHP are written in C, while in Java most is written in Java itself.

And of course, as with any language, security largely depends on the programmer. XSS, CSRF, SQL injection, etc are a risk in any language, if you don't use the proper tools.

That said, I wouldn't recommend using PHP. While not a less secure platform than Java, it's certainly much easier to create bugs there through it's dynamic typing and other quirks, and they can be as killing to your app as security flaws.