I'm in the process of having my personal photo site designed. While I have a good idea about the site's contents and looks, I have not given much thought about its security. From all the web design books I have read so far, I have yet to come across one that touches on security.
Yes, and that is an all-too-big problem; people who write books tend to live in their own technical little world, ignoring the others. There are exceptions, of course, but you'll find that a designer's view on web design differs from a programmer's view, and perhaps neither will give security a single thought.
If there is a source, please provide the reference.
A source for what?
For security problems in PHP, and software used with PHP?
http://secunia.com is one source of information, though a bit difficult to navigate.
And here's a link to a story on how frustrating it may be to work with PHP security from the inside:
http://www.heise-security.co.uk/news/82500
As for web applications written in PHP (or other programming languages, for that matter), here's an excellent book for both novice and expert programmers; your web site designer should read this:
http://innocentcode.thathost.com/
Caveat lector: I know the author, and helped with proofreading.
The main points of the book are listed on the website, in case reading the explanations and the reasoning behind the points is uninteresting.
Since I'm planning on using PHP, I would appreciate further comments on its security risk. If it is such a problem, why is it so widely used?
Why do people use Windows?
Why do people prefer Internet Explorer to Opera, or Outlook and Outlook Express to Thunderbird, and so on?
In PHP's case, I believe the answer is that the PHP core was at the forefront of integration between HTML and live code, while providing a very convenient technical integration with the web's most popular web server, Apache. PHP was (and is) easy to install, and ubiquitous.
What are the alternatives?
Here are some of the most popular alternatives:
Java (java.sun.com)
Perl (perl.org), with or without mod_perl (perl.apache.org)
Python (python.org), with or without mod_python (modpython.org)
Ruby (ruby-lang.org), with Ruby on Rails (rubyonrails.org), and maybe mod_ruby (wiki.rubyonrails.com)
And if the webhost is running Windows, there's of course ASP.net, though that practically binds you to a Windows-based webhost.
Do you have some site examples that use these alternatives?
I'm not really collecting a list of sites using particular programming languages, but usually, those who promote the languages do. Here's a mixed list of both sites and such lists:
Java: JavaServer Pages and Java Servlet Technologies (java.sun.com)
mod_perl: http://slashdot.org/ (more sites from perl.apache.org)
mod_python: http://www.lawrence.com/
Python success stories (pythonology.com, e.g. Rackspace.com converting from PHP to Python)
Ruby on Rails: Some Big Websites that use Ruby on Rails (frecsscart.com)
But still, nothing beats plain HTML with images for speed; it's much easier for the web servers to handle.
Using a template-driven publishing system that generates plain HTML is both secure and performance friendly.
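As an added illustration of the static-publishing approach recommended above (example code written for this page, not from the thread or any project it names): a small Python script that renders a photo list into plain HTML, escaping every caption and file name at generation time so the served page contains no live code. The photo list, file names and output path are constructed assumptions.

```python
"""Minimal template-driven static gallery generator (added example).

Assumptions (not from the original thread): photo metadata lives in a
Python list, and the output is a single index.html written once, offline.
"""
from html import escape
from pathlib import Path

# Constructed sample metadata: the second caption deliberately contains
# markup, to show that it ends up in the page as text, not as HTML.
PHOTOS = [
    {"file": "sunset.jpg", "caption": "Sunset over the bay"},
    {"file": "cat.jpg", "caption": 'Cat says "hi" <script>alert(1)</script>'},
]

# Fixed templates: only these constant strings are ever passed to .format(),
# never user-supplied text, so a caption containing braces cannot break them.
PAGE = ("<!DOCTYPE html>\n<html><head><title>{title}</title></head>\n"
        "<body>\n{items}\n</body></html>\n")
ITEM = ('<figure><img src="{src}" alt="{alt}">'
        '<figcaption>{caption}</figcaption></figure>')


def render_item(photo: dict) -> str:
    # Every user-supplied string is escaped when the page is generated;
    # quote=True also encodes '"' so it cannot close the src/alt attributes.
    src = escape(photo["file"], quote=True)
    caption = escape(photo["caption"], quote=True)
    return ITEM.format(src=src, alt=caption, caption=caption)


def render_gallery(photos: list, title: str = "My photos") -> str:
    items = "\n".join(render_item(p) for p in photos)
    return PAGE.format(title=escape(title, quote=True), items=items)


def build_site(photos: list, out_dir: Path) -> Path:
    # Write plain HTML once; the web server then only serves a static file
    # and runs no code per request, which is the security and speed win.
    out_dir.mkdir(parents=True, exist_ok=True)
    target = out_dir / "index.html"
    target.write_text(render_gallery(photos), encoding="utf-8")
    return target


if __name__ == "__main__":
    print(build_site(PHOTOS, Path("public")))
```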