A friend of mine while working on a PHP application asked me to write one part of the application in Java. The part that involved transactions. He said it will be better to write this portion in Java. He talked about how secure it will be!
Though I was too busy to help him then, I want to know the essence of this idea. Why he was trying to use Java when he wrote the most part in PHP? Will it really boost up the security? And writing transactions in Java is only concerned with security?
The thing seems very interesting but I really have no idea, what it is! Please provide some insight into the topic.
Note: When I say transaction, it involves everything. From accessing account to transferring money.
9
Correctly utilizing a Language’s strong type system goes a long way towards reducing certain types of bugs – variants of the “provided the wrong argument to that method” bugs.
For example, think of the following function:
transfer_money(from_account, to_account, amount)
In an weakly-/untyped language, it’s easy to confuse the from_account and to_account parameters; It’s also common to use wrong units in amount (Dollars vs Cents, for example).
These errors would require rigorous testing to be found, or very thorough manual code-reviewing.
OTOH, an (extreme) use of types will result in this kind of method:
transfer_money(SourceAccount from_account,
TargetAccount to_account,
MoneyAmount amount)
The same kind of errors here will produce a compilation error, which makes them a lot less likely to actually reach production.
Now, this isn’t to say that Java is inherently safer than PHP; Nor that a similar system cannot be easily implemented in PHP; Nor that it’s actually common to use types in this fashion in Java; But it does give Java a tiny edge over PHP for critical paths of code. From a Safety Engineering POV, it makes Java “safer”.
1
I don’t think there’s any truth behind that idea. Two main things that would be different by using Java are the JVM and the code itself.
-
JVM. I’m not an expert in the details of jvm but there are PHP implementation for jvm (e.g. http://www.caucho.com/resin-3.1/doc/quercus.xtp). They promoted security as one of the feature but they only pointed out buggy php extensions, i.e. not flaw in PHP itself.
-
The code. If your friend can code secure transaction in Java, you should be able to re-implement it in PHP and it will have the same level of security (good or bad). It’s pretty straight forward to check that the two implementations have same behavior, although proofing them to be secure is a whole different story.
Especially within the transaction code scope, I don’t think there is proof that Java is inherently more secure than PHP.
One area coding in Java can be considered more secure is in the region of file storage.
With Java, a byte-code file can be stored where the program will be run. If a compiled Java file is found, it can only be run with a Java virtual machine, and not read or easily reverse engineered.
In PHP, a script file filled with readable text is what is stored. So if somehow the file was found, then the program could be read with a simple text editor like Notepad or Emacs.
What this means for security is that the inner workings of the program would be hidden if written in Java. And only in the event that someone had access to the program file. Normally, with PHP the program exists on a web server and is executed without visibility in a Web Browser. Your friend, however, probably wants to be extra careful.
2