ASP.net vs PHP - performance, future-proofing & ease of development

Question

I was asked yesterday by a client whether it was better for him to run his high-availability / throughput shopping site on ASP.net or PHP. He's ready to make a "Ten Year Decision," so he needs to know that the platform he picks will continue to be well supported and that developers will be available with the skills to work on it.

I've got to say I was stymied by this question; I work regularly with both platforms and I honestly couldn't make a judgement.

Here's my opinion:

ASP.net is a comprehensively well-supported and maintained platform, utilising a dynamic and powerful language. However it is continually being overhauled and updated; with every passing season a new technology or methodology is implemented (eg. AJAX, LINQ and MVC) and developers are constantly forced to play catchup. Stop using ASP.net for six months and it'll take another six months to learn all the new techniques that have come out. ASP.net is closely coupled with Microsoft's server platform though, so performance is optimised right down to the server level and it does present the opportunity of creating compiled components that could radically improve performance.

PHP is designed solely for one purpose; to run scripts on web servers. It is very stable and efficient and the language itself is easy to work with. It is open source so it is not driven by market imperatives and the overall structure of the language does not vary greatly from one point release to the next. As far as I know the only really major changes came between PHPs 4 & 5, with the introduction of better object support and the PDO database library. It is lightweight and compact and should scale easily.

In terms of future-proofing and developers, it's my opinion that PHP developers are easier to come by but that their skill sets vary considerably from one coder to another. ASP.net developers generally tend to cost more but they could well be more manageable and predictable. The platforms themselves will continue to evolve; ASP.net more rapidly and radically but it may reach a point of stability where it's largely complete and static. PHP is probably already at this point and changes to the language itself will be fairly minor over the next decade, mostly taking the form of security improvements and performance efficiencies.

So, I still have no idea what to recommend. I think each has their pros and cons. I don't really like asking such open questions as this but I really value the opinion of the Stack Overflow community and would like to hear what it has to say.

Answer 1

I don't know about ASP.NET, but for sure PHP has major security issues.

Because it's open source there are too many people just sitting and analysing code to find bugs (with success, like buffer overflow in add slashes).

Another issue with php are php developers. There are probably many experts out there, but out of those that I've came across (maybe around 100 or less) only few really knew what were they doing and why. Even the code that I've seen in php books has issues with security.(like you can do SQL Injection there or xss or sth. else)

Maybe ASP.NET has the same issues, but I'm not aware of them.

Answer 2

Try to put yourself in the shoes of a developer maintaining code written 10 years ago on both stacks. For PHP, you'd be looking at PHP 4.0, only one major version older and very similar. For Microsoft, you'd be using ASP classic 3.0, which is a far, far cry from the .NET 3.5 platform of today.

I would wager you'd be looking at a similar situation in the year 2020.

Answer 3

I'm a .Net developer and this answer might be a little subjective

ASP.NET Has a set of class libraries , Great(well almost) tooling , there is also the support and ASP.NET code is compiled(some performance gain)

PHP is good to easy to use and free (All you need is a text editor and LAMP)

Both has been out for a while so there is plenty of resources out there if you encounter any problem. anyway i would really look for what your client need

one more thing in software development things change in months if not days so it is hard to make a 10 years plan

Answer 4

PHP will most likely not change as much as ASP.NET and the other technologies connected with it in the coming decades.

Generally, PHP has a larger community than ASP.NET and is also used or available almost everywhere today. That also means that there are probably more resources, libraries, frameworks, etc. you can choose from. I don't know if that really counts for your client, though.

Answer 5

Well, having spent 100% of my professional career divided between the two technologies I have to say that it is an almost impossible choice.

Both are proven web-technologies that have been around for a long time. I guess my choice would be based on the availability of trained and qualified personnel.

Personally I think that ASP.NET's greatest fault is the fact that you loose control over the generated output and that ViewState can quickly get out of hand. However ASP.NET MVC seems to be alleviating that situation somewhat.

With PHP your code tends to get quickly out of hand, at least if you are not careful.

Personally I think I would prefer a scripted language over a compiled language for web work. I would suggest looking very carefully at Ruby On Rails.

ASP.Net - pros:

Backed by Microsoft. Visual Studio (though you need super computers for acceptable performance) Plenty of third party tools available, though mostly at high costs. C# is a good statically typed language (excluding generics). There is a MVC framework available.

ASP.Net - cons:

Microsoft platform needed for deployment. Vendor lock-in. ViewState is hard to manage and get right.

PHP Pros.

Duck typed language Large library of addons - mostly free Can be served from a unix platform

PHP Cons:

Object model is somewhat "exotic" Might be harder to find qualified programmers.

These are just my personal thoughts on the subject. You really have to look at your circumstances. Does your company have a lot of trained windows people to manage servers and the like, then I'd go with ASP.NET.

If you have linux/unix expertise then php or RoR becomes a no-brainer for me personally.

Good luck with your choice.

Answer 6

10 years is more a couple lifetimes for any web app, that's kind of unrealistic. But you can still find old HTX/IDC scripts and crusty VB CGI executables puttering along if you know where to look, so honestly either will probably be okay.

PHP might be more okay though - right now you can download & compile PHP 3 from here, set up Apache 1.3, and watch it spit out pages exactly like it did a decade ago. Finding commercial/third-party support for it will be painful, but still possible - everything you need to recreate a 10-year-old web server is all right there in plain view.

With a language & framework that are tied to a closed OS, which in turn is tied to security hotfixes that can't be ignored, you might have a harder time of it. IIS still handles "classic" ASP and .NET 1.0, but should MS decide to pull support for them 10 years from now because fundamental changes in .NET XIV require it, you might end up stuck between a possibly insecure server and praying you never lose the old install disks. (then again, there's also Mono)

Still, 10 year lifespan for a web app... that's a long time, things continue to change too fast to guarantee anything on the web will last that long, including the web itself.

Answer 7

The platform is way less important than the people working with it. I'm biased towards ASP.NEt personally, because I know the platform a lot better. But I also know that an improperly designed system WILL have to be trashed and rewritten at some point, simply because the code base has become a nightmare to maintain.

A well-designed system, based on proven patterns (MVC comes to mind, but an MVC application implemented by unskilled developers can be worse than a webforms app written by people who pay attention to proper design, code quality and maintainability).

From personal experience, I would state that ASP.Net, being part of the .Net platform, has more opportunities when it comes to writing solid, object-oriented code. In PHP, Object-Orientation seems to have been glued in as an afterthought.

But as I said, I'm obviously biased. I'm sure that well written systems in PHP can be equally maintainable (and survive 10 years).

Answer 8

I would choose my language not on raw numbers first, but on your functional requirements. If after analyzing your functional requirements you do not have a clear winner, consider the following points:

(Disclaimer: I develop in both PHP and ASP.NET on a regular basis)

Future-proof

None of both platforms will disappear soon. As for each major versions of each platforms, they might come with some changes that will break your code.

Performance

Performance wise, ASP.NET is faster than PHP (for those who needs numbers) because of the typing scheme and other languages choices (this is discussed in a SO Podcast but I can't seem to find the link). But you also need to consider that PHP is less costly to paralilize than ASP.NET. You do not need to purchase software licenses for each and every single server (unless you choose to use Mono for your ASP.NET).

Security

PHP has a bad reputation security-wise and I can understand why. There are a lot of students and hobbyists who started coding in PHP and have absolutely no idea of what code security means. Please remember that this affects their code, not yours. Also, if you choose PHP, be careful when choosing third-party documentation. A lot of them a written without any consideration for code security and their examples are riddled with security issues (especially the database section of such books).

There are equal opportunity to shoot yourself in the foot in ASP.NET than in PHP. There is nothing stopping me from writing the following code in ASP.NET:

// DON'T DO THIS
string statement = "SELECT * FROM Employees WHERE EmployeeName = '" 
                   + employeeName + "'";

SqlCommand command = new SqlCommand(statement, connection);
SqlDataReader reader = command.ExecuteReader();

as there is nothing stopping me from doing the same in PHP:

// DON'T DO THIS
$statement = "SELECT * FROM Employees WHERE EmployeeName = '"
             . $employeeName . "'";
$result = mysql_query($statement, $connection);

Yet we all know that we should never do anything as such in our code.

---

Whatever language you choose, follow these simple security rules. Those are applicable on all platforms.

• Use parametrized queries
  ADO.NET has built in support for them. If you are using PHP, drop php_mysql and use the php_mysqli extension instead (or even better, PHP Data Objects) which has support for parametrized queries.

• Never trust user input
  Never trust user input, even input that isn't meant to be changeable. Learn to expect unexpected values like \n in <input> fields or values which are not even part of your <select> and deal with them accordingly.

• Validate, validate, validate
  Always validate your data. If your data has been validated in a previous step, validate it again. User can't get to this page without logging-in? Validate his login information on page load. Ties in with the rule above.

• Escape, escape, escape
  Always escape your HTML output to prevent most XSS attacks. Even if that field is only supposed to carry a number. Creating a file based on user input? Escape and validate the file name. Passing to a CLI application? Escape your shell arguments.

• Follow best practices, not common practices
  And in PHP's case, best practices can be in total discord with common practices. Learn to differentiate between the two. Turn off magic_quotes, don't use addslashes() for security purposes, etc...

• Protect sensitive information
  Don't store plain-text passwords in the database. If you need the original value, encrypt. Most of the times you won't, so hash. Also, you really don't need to fetch that SSN value from the Employee table if you are displaying a directory of employees for phone purposes. Sensitive pages on your website should be protected being a login page.

Answer 9

I started writing this as a comment to BC's answer, but ran out of characters :-)

BC is right that ASP.Net has evolved, but that's more a plus than a disadvantage. Upgrading an ASP.Net application is generally rather straightforward: there are very little breaking changes between platform versions.

First, it's not fair to compare ASP with ASP.Net here. That would be the same as saying that it's hard to move to ruby on rails to php.

Between .Net versions, the compatibility level has always been really high, and the breaking changes are generally well documented. From experience, I can say that most applications written for .Net 1.1 will work 99.99 % sure without any modification to the code. Also, the tooling (Visual Studio) fully supports the upgrading process. Obviously, new versions bring new features (LINQ comes to mind), but those really are opt-in: you use them when you're ready and if there's any benefit in using it.

Answer 10

I'd like to chime in some things that has not come up in here. You mention "high-availability/throughput", so I take it that is important.

I agree that PHP itself is slower than most other languages when it comes to algorithms (cpu bound), but most sites are mostly I/O bound (file and/or database) anyway. So unless you are doing stuff that is cpu intesive (shopping cart is not...) you should not concert yourself with cpu bound performance issue as that is probably only a few percent of the whole request.

The LAMP platform really shines when you need load balancing with multible web servers and databases, file access, high availability and stuff like memcached.

Also, I think that you cannot really choose between ASP.NET and PHP. What you are choosing between is in fact ASP.NET and LAMP (P=php). That is more than just selecting a programming language, considering you will be using Linux instead of Windows, Apache instead of IIS, MySQL instead of MSSQL etc. That may be quite a step for some people.

So you really should spend some time looking at what kind of site it is and what the requirements are regarding availability and scalability and from that select one of the platforms.

Answer 11

As a former MCSE and now company owner, we've deployed Microsoft technologies for years.

Most companies we worked alongside starting using linux for webhosting so in the early 2000s, we deployed our linux server with PHP & MySQL. We hired a PHP, MySQL, JS coder to deliver our solution...since deployment, we've never had one single security problem or performance issue since.

From this situation, we've come to understand this. We hire coders based more on their solutions not primarily on their systems...A coder that understands potential security risks, the environment it will operate in and the needs of a client is more important than the whole this vs that argument. At the end of the day - a language is just a tool and software solutions are made by people for people.

In our situation, we employed a great coder who delivered a great solution - it just so happened that the PHP, Linux, MySQL solution worked really well, was secure as hell and stable...and to top it off, it was a lot cheaper short-term and long-term.

Times are tough for everyone now, and gone are the days of big I.T. budgets - Microsoft don't seem to understand this and are still intent on smacking us all over the head with massive software infrastructure and education bills.

All of our companies now look outside of the scope for solutions that deliver the same scale but that don't kill our budget.

So we say more power to open-source solutions.