Despite what sysadmin1138 says, there are relatively few security defects in either apache or PHP. However there are a huge number of advisories issued regarding applications developed using php. It's not that PHP is intrinsically flawed, the problems arise because:
1) PHP is very easy to get started with as a programming language - the barriers to entry are very low - so there is a huge range in the quality and abilities of people who describe themselves as PHP programmers
2) PHP provides low level access to the HTTP interface - and leaves it up to the developer to work out how to deal with stuff like CSS, CSRF, code injection, session fixation.....Compared with other development environments where this is supplied (but often by third parties).
If you have the latest updates of each, and make sure to follow those, the core programs should be fine.
The problem is, both the apache configuration and php (php to a very wide-open extent, since it's a full programming language) give you plenty of rope to hang yourself. They do very little by way of protection to keep you from configuring your system in an insecure way or writing (or just deploying) an application full of vulnerabilities.
So, the bottom line is: yes, if you keep them up to date, you can trust them, and focus on keeping your own configuration and php code secure.
Far from, actually. Both are very versatile environments, where configuration mistakes on the part of the installer can have significant effects on the security of data passing through the system. When systems like these get complex enough, it becomes less of an issue about code-quality and more an issue of correct configuration.
And still, both products regularly have security alerts posted against them requiring patches.
Also, both are frameworks upon which further application logic is overlain. That logic may have bugs and vulnerabilities that the frameworks it is built upon can't defend against.
Despite what sysadmin1138 says, there are relatively few security defects in either apache or PHP. However there are a huge number of advisories issued regarding applications developed using php. It's not that PHP is intrinsically flawed, the problems arise because:
1) PHP is very easy to get started with as a programming language - the barriers to entry are very low - so there is a huge range in the quality and abilities of people who describe themselves as PHP programmers
2) PHP provides low level access to the HTTP interface - and leaves it up to the developer to work out how to deal with stuff like CSS, CSRF, code injection, session fixation.....Compared with other development environments where this is supplied (but often by third parties).
If you have the latest updates of each, and make sure to follow those, the core programs should be fine.
The problem is, both the apache configuration and php (php to a very wide-open extent, since it's a full programming language) give you plenty of rope to hang yourself. They do very little by way of protection to keep you from configuring your system in an insecure way or writing (or just deploying) an application full of vulnerabilities.
So, the bottom line is: yes, if you keep them up to date, you can trust them, and focus on keeping your own configuration and php code secure.
Far from, actually. Both are very versatile environments, where configuration mistakes on the part of the installer can have significant effects on the security of data passing through the system. When systems like these get complex enough, it becomes less of an issue about code-quality and more an issue of correct configuration.
And still, both products regularly have security alerts posted against them requiring patches.
Also, both are frameworks upon which further application logic is overlain. That logic may have bugs and vulnerabilities that the frameworks it is built upon can't defend against.