webstudioro has asked for the wisdom of the Perl Monks concerning the following question:

What offers the best security for all, Perl, PHP or ASP? What are the differences (good and bad points)? Thank you.

Replies are listed 'Best First'.
Re: Security - Perl or PHP?
by hardburn (Abbot) on Oct 17, 2003 at 20:33 UTC

    Security is mostly independent of the actual language. From time to time, there might be vulnerabilities in the underlying language interpreter, but I think it would be hard to make an objective comparison between Perl and PHP that way. In either case, the most common source of security problems by far will be in the code being executed, not the interpreter. That means your security will be almost entirely dependent on your programmers.

    Note that in mod_perl, you have access to the underlying Apache API, which mod_php does not provide. This increases the risk of bad code producing a security problem. However, this doesn't mean Perl/mod_perl is insecure; it only means that there is even more burden on your programmers to do a good job.

    ----
    I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
    -- Schemer

    :(){ :|:&};:

    Note: All code is untested, unless otherwise stated

      Agreed completely. Most programmers do not give a damn about security and most books do not stress (or even at least mention) it enough. :-(

      <div mode="Oh well">We (Prague office of Monster Worldwide) are currently hiring and give the potential employees a test (in ASP or ASP.Net since that's what most of the development is done in :-(
      A simple form to be validated and submitted into a database. None of the ones using ASP ever escaped the data printed into <input type="text" name="..." value="HERE"> when redisplaying the form in case of a validation error; 80% of them insert the data into the database by building an INSERT SQL statement containing the form data, and none of those cared to escape the data.

      And at the same time most of them have (according to their CVs) several years of experience with web programming :-(</div>

      Jenda
      Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.
         -- Rick Osborne

      Edit by castaway: Closed small tag in signature
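
The two mistakes described in the comment above, each shown beside its fix in Perl. This is an added example, not code posted in the thread; the `applicants` table, the `name` field and the sample input are constructed for illustration, and it assumes DBI with DBD::SQLite is installed.

```perl
use strict;
use warnings;
use DBI;    # assumes DBD::SQLite is installed; any DBI driver behaves the same

# Escape the characters that can end an attribute value or start markup.
sub html_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Constructed form input containing both quote characters and markup.
my %form = (name => q{O'Brien "><b>x</b>});

# Redisplaying the form after a validation error.
my $raw_html  = qq{<input type="text" name="name" value="$form{name}">};
my $safe_html = sprintf '<input type="text" name="name" value="%s">',
                        html_escape($form{name});

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE applicants (name TEXT)');    # hypothetical table

# INSERT built by interpolation: the apostrophe closes the string literal early.
my $built = "INSERT INTO applicants (name) VALUES ('$form{name}')";
my $built_result = eval { $dbh->do($built); 1 } ? 'executed' : "failed: $@";
chomp $built_result;

# Placeholder: the driver passes the value separately from the SQL text.
$dbh->do('INSERT INTO applicants (name) VALUES (?)', undef, $form{name});
my ($stored) = $dbh->selectrow_array('SELECT name FROM applicants');

print "unescaped : $raw_html\n";
print "escaped   : $safe_html\n";
print "built SQL : $built_result\n";
print "placeholder stored the value unchanged: ",
      ($stored eq $form{name} ? 'yes' : 'no'), "\n";
```

The unescaped line shows the input closing the `value` attribute and continuing as markup, while the escaped line keeps it inside the attribute.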

Re: Security - Perl, PHP or ASP?
by sauoq (Abbot) on Oct 17, 2003 at 21:43 UTC
    What offers the best security for all, Perl, PHP or ASP?

    Languages don't generally offer security at all. Those that do are probably proprietary languages being sold by companies with imaginative but technically ignorant marketing departments that would print anything to increase revenues.

    If you want security, you'll need a solid understanding of the issues, sound programming practices, and rigorous testing. Even after the program is written and deployed, the security of the system will depend on the skill of the administrators in configuring it securely. The language that the software is written in really doesn't matter much.

    Still, some languages make it easier to write secure code by providing tools that assist in it. For instance, Perl provides a tainting mechanism (the -T switch) that, when used correctly, can help you to avoid accidentally using user supplied data in places where it could be unsafe to do so. PHP fails to provide such a mechanism and I don't think ASP has it either. (I know next to nothing about ASP though, so don't take my word for it.) Perl also provides the ops pragma and the Safe module to restrict access to opcodes in compiled code. The closest PHP comes to that is the ability to disable functions in the global configuration. (Note that disabling functions is a far cry from disabling opcodes and PHP builtins like "echo" cannot be disabled.)

    None of this is to say that I think Perl is more secure than PHP. I do appreciate some of the tools it provides to help write secure programs though. The security of the whole system depends entirely on the developers of the software being run and the administrators configuring it.

    -sauoq
    "My two cents aren't worth a dime.";
    
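
The tainting mechanism mentioned in the reply above, as an added example (not code from the thread). The file names are constructed sample input, marked tainted by hand because literals in a script are trusted; in a CGI script the values would arrive tainted from the environment or STDIN.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run as: perl -T <script>\n" unless ${^TAINT};

# A zero-length tainted string: $^X is tainted under -T, and so is any
# value derived from it. Appending it marks a literal as untrusted.
my $TAINT = substr($^X, 0, 0);

# Constructed inputs standing in for user-supplied form parameters.
my @inputs = map { $_ . $TAINT } ('notes.txt', '../notes.txt', 'my notes.txt');

# Untaint by allow-list: only a regex capture clears the taint flag, so the
# pattern is the whole policy. Returns undef for anything it does not match.
sub clean_filename {
    my ($name) = @_;
    return $name =~ /\A([A-Za-z0-9_-]+\.txt)\z/ ? $1 : undef;
}

# Attempt a write-mode open with the raw value and report the outcome.
# With a tainted name, open() dies before any file is touched.
sub raw_open_result {
    my ($name) = @_;
    my $ok = eval { open(my $fh, '>>', $name) or die "open: $!\n"; close $fh; 1 };
    return 'open allowed' if $ok;
    chomp(my $err = $@);
    return "refused: $err";
}

for my $raw (@inputs) {
    my $clean = clean_filename($raw);
    printf "input '%s' (tainted=%d)\n", $raw, tainted($raw) ? 1 : 0;
    printf "  raw value in open(): %s\n", raw_open_result($raw);
    printf "  allow-list result  : %s\n", defined $clean
        ? "accepted as '$clean' (tainted=" . (tainted($clean) ? 1 : 0) . ")"
        : 'rejected';
}
```

Run it as `perl -T script.pl`; Perl refuses to start a script whose `#!` line carries `-T` unless the switch is also on the command line.
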
Re: Security - Perl or PHP?
by sgifford (Prior) on Oct 17, 2003 at 20:43 UTC

    Perl has a better security history than PHP as far as actual bugs in the interpreter, and also supports taint mode, which is invaluable in writing secure CGI scripts.

Re: Security - Perl, PHP or ASP?
by perrin (Chancellor) on Oct 17, 2003 at 21:02 UTC
Re: Security - Perl, PHP or ASP?
by dmitri (Priest) on Oct 17, 2003 at 21:45 UTC
    This has been beaten to death. See this node.
Re: Security - Perl or PHP?
by Anonymous Monk on Oct 17, 2003 at 20:41 UTC
    Perl is the best choice. PHP has had numerous security bugs in the last few years. Look at:

    http://bugs.php.net/bugstats.php

    Perl also has many bugs, but not as many security issues. Perl is older and more refined.

Re: Security - Perl, PHP or ASP?
by Anonymous Monk on Oct 17, 2003 at 20:52 UTC
    ASP? OMG. That's a Micro$oft product. Of course, it's not secure. I wouldn't go near it with a ten foot pole.