Monthly Archives: August 2006

Oracle’s view on PHP vs. ASP.NET

I was looking for something totally different, but came across this article on the Oracle Technology Network about the differences between PHP and ASP.NET. First of all I was sort of puzzled by the obvious pro-PHP stance taken by Oracle (at least in this article). I expect Oracle to be biased towards Java, which their product line supports, but as far as PHP and ASP.NET are concerned they’re just web technologies and both can use Oracle. As long as Oracle is used, what does Oracle care which of the two technologies is used? Secondly the pro-PHP bias I mentioned is very obvious if you look at the comparisons of speed and security. PHP faster than ASP.NET? I don’t think so… and most tests seem to agree with me. The argument Sean Hull uses is that ASP.NET is much bulkier when it comes to the actual code being executed. Maybe so, but the CLR compiles and optimizes that plenty. Then when it comes to security Sean Hull comments that ASP.NET runs on IIS, which according to him must be qualified as unsafe because of its history. He goes on to comment that Apache is much safer. I guess he forgot to check the latest stats on and The number of vulnerabilities in IIS6 found in its entire existence is 3 (or 5, depending on how you count), compared to the 32 (or 39) found in Apache 2.x during rougly the same period I would say IIS looks pretty good. Looking at the same timeframe (2003-2006) even IIS5 has had less vulnerabilities (14). 3+ years is quite a long time when it comes to the web, so history in that sense gives the edge to IIS, not Apache. Looking at the stats that is, the sentiment (or perception if you will) is still that IIS is (or could be) unsafe. I guess the time it takes to change someones perception is longer than 3+ years, so I guess Microsoft must battle perceptions that are nog longer justified.