Thursday, May 31, 2012

ASP.net vs PHP - performance, future-proofing & ease of development


I was asked yesterday by a client whether it was better for him to run his high-availability / throughput shopping site on ASP.net or PHP. He's ready to make a "Ten Year Decision," so he needs to know that the platform he picks will continue to be well supported and that developers will be available with the skills to work on it.



I've got to say I was stymied by this question; I work regularly with both platforms and I honestly couldn't make a judgement.



Here's my opinion:



ASP.net is a comprehensively well-supported and maintained platform, utilising a dynamic and powerful language. However it is continually being overhauled and updated; with every passing season a new technology or methodology is implemented (eg. AJAX, LINQ and MVC) and developers are constantly forced to play catchup. Stop using ASP.net for six months and it'll take another six months to learn all the new techniques that have come out. ASP.net is closely coupled with Microsoft's server platform though, so performance is optimised right down to the server level and it does present the opportunity of creating compiled components that could radically improve performance.



PHP is designed solely for one purpose; to run scripts on web servers. It is very stable and efficient and the language itself is easy to work with. It is open source so it is not driven by market imperatives and the overall structure of the language does not vary greatly from one point release to the next. As far as I know the only really major changes came between PHPs 4 & 5, with the introduction of better object support and the PDO database library. It is lightweight and compact and should scale easily.



In terms of future-proofing and developers, it's my opinion that PHP developers are easier to come by but that their skill sets vary considerably from one coder to another. ASP.net developers generally tend to cost more but they could well be more manageable and predictable. The platforms themselves will continue to evolve; ASP.net more rapidly and radically but it may reach a point of stability where it's largely complete and static. PHP is probably already at this point and changes to the language itself will be fairly minor over the next decade, mostly taking the form of security improvements and performance efficiencies.



So, I still have no idea what to recommend. I think each has their pros and cons. I don't really like asking such open questions as this but I really value the opinion of the Stack Overflow community and would like to hear what it has to say.


Source: Tips4all

15 comments:

  1. I would choose my language not on raw numbers first, but on your functional requirements. If after analyzing your functional requirements you do not have a clear winner, consider the following points:

    (Disclaimer: I develop in both PHP and ASP.NET on a regular basis)

    Future-proof

    None of both platforms will disappear soon. As for each major versions of each platforms, they might come with some changes that will break your code.

    Performance

    Performance wise, ASP.NET is faster than PHP (for those who needs numbers) because of the typing scheme and other languages choices (this is discussed in a SO Podcast but I can't seem to find the link). But you also need to consider that PHP is less costly to paralilize than ASP.NET. You do not need to purchase software licenses for each and every single server (unless you choose to use Mono for your ASP.NET).

    Security

    PHP has a bad reputation security-wise and I can understand why. There are a lot of students and hobbyists who started coding in PHP and have absolutely no idea of what code security means. Please remember that this affects their code, not yours. Also, if you choose PHP, be careful when choosing third-party documentation. A lot of them a written without any consideration for code security and their examples are riddled with security issues (especially the database section of such books).

    There are equal opportunity to shoot yourself in the foot in ASP.NET than in PHP. There is nothing stopping me from writing the following code in ASP.NET:

    // DON'T DO THIS
    string statement = "SELECT * FROM Employees WHERE EmployeeName = '"
    + employeeName + "'";

    SqlCommand command = new SqlCommand(statement, connection);
    SqlDataReader reader = command.ExecuteReader();


    as there is nothing stopping me from doing the same in PHP:

    // DON'T DO THIS
    $statement = "SELECT * FROM Employees WHERE EmployeeName = '"
    . $employeeName . "'";
    $result = mysql_query($statement, $connection);


    Yet we all know that we should never do anything as such in our code.



    Whatever language you choose, follow these simple security rules. Those are applicable on all platforms.


    Use parametrized queries
    ADO.NET has built in support for them. If you are using PHP, drop php_mysql and use the php_mysqli extension instead (or even better, PHP Data Objects) which has support for parametrized queries.
    Never trust user input
    Never trust user input, even input that isn't meant to be changeable. Learn to expect unexpected values like \n in <input> fields or values which are not even part of your <select> and deal with them accordingly.
    Validate, validate, validate
    Always validate your data. If your data has been validated in a previous step, validate it again. User can't get to this page without logging-in? Validate his login information on page load. Ties in with the rule above.
    Escape, escape, escape
    Always escape your HTML output to prevent most XSS attacks. Even if that field is only supposed to carry a number. Creating a file based on user input? Escape and validate the file name. Passing to a CLI application? Escape your shell arguments. Not using parametrized queries (rule 1)? At least escape any and all input.
    Follow best practices, not common practices
    And in PHP's case, best practices can be in total discord with common practices. Learn to differentiate between the two. Turn off magic_quotes, don't use addslashes() for security purposes, etc...
    Protect sensitive information
    Don't store plain-text passwords in the database. If you need the original value, encrypt. Most of the times you won't, so hash. Also, you really don't need to fetch that SSN value from the Employee table if you are displaying a directory of employees for phone purposes. Sensitive pages on your website should be protected behind a login page.

    ReplyDelete
  2. As a former MCSE and now company owner, we've deployed Microsoft technologies for years.

    Most companies we worked alongside starting using linux for webhosting so in the early 2000s, we deployed our linux server with PHP & MySQL. We hired a PHP, MySQL, JS coder to deliver our solution...since deployment, we've never had one single security problem or performance issue since.

    From this situation, we've come to understand this. We hire coders based more on their solutions not primarily on their systems...A coder that understands potential security risks, the environment it will operate in and the needs of a client is more important than the whole this vs that argument. At the end of the day - a language is just a tool and software solutions are made by people for people.

    In our situation, we employed a great coder who delivered a great solution - it just so happened that the PHP, Linux, MySQL solution worked really well, was secure as hell and stable...and to top it off, it was a lot cheaper short-term and long-term.

    Times are tough for everyone now, and gone are the days of big I.T. budgets - Microsoft don't seem to understand this and are still intent on smacking us all over the head with massive software infrastructure and education bills.

    All of our companies now look outside of the scope for solutions that deliver the same scale but that don't kill our budget.

    So we say more power to open-source solutions.

    ReplyDelete
  3. Well, having spent 100% of my professional career divided between the two technologies I have to say that it is an almost impossible choice.

    Both are proven web-technologies that have been around for a long time. I guess my choice would be based on the availability of trained and qualified personnel.

    Personally I think that ASP.NET's greatest fault is the fact that you loose control over the generated output and that ViewState can quickly get out of hand. However ASP.NET MVC seems to be alleviating that situation somewhat.

    With PHP your code tends to get quickly out of hand, at least if you are not careful.

    Personally I think I would prefer a scripted language over a compiled language for web work. I would suggest looking very carefully at Ruby On Rails.

    ASP.Net - pros:

    Backed by Microsoft.
    Visual Studio (though you need super computers for acceptable performance)
    Plenty of third party tools available, though mostly at high costs.
    C# is a good statically typed language (excluding generics).
    There is a MVC framework available.

    ASP.Net - cons:

    Microsoft platform needed for deployment.
    Vendor lock-in.
    ViewState is hard to manage and get right.

    PHP Pros.

    Duck typed language
    Large library of addons - mostly free
    Can be served from a unix platform

    PHP Cons:

    Object model is somewhat "exotic"
    Might be harder to find qualified programmers.

    These are just my personal thoughts on the subject. You really have to look at your circumstances. Does your company have a lot of trained windows people to manage servers and the like, then I'd go with ASP.NET.

    If you have linux/unix expertise then php or RoR becomes a no-brainer for me personally.

    Good luck with your choice.

    ReplyDelete
  4. Try to put yourself in the shoes of a developer maintaining code written 10 years ago on both stacks. For PHP, you'd be looking at PHP 4.0, only one major version older and very similar. For Microsoft, you'd be using ASP classic 3.0, which is a far, far cry from the .NET 3.5 platform of today.

    I would wager you'd be looking at a similar situation in the year 2020.

    ReplyDelete
  5. I know most of you are already aware of this, but it's worth pointing out again (in case someone is worried about getting run over by constant changes in MS technologies) that while it's true that Microsoft has consistently released new development technologies and frameworks, they can all run side-by-side. For example, I have many legacy ASP 3.0 web applications developed back in 1999-2000 time period running on the same server as my ASP.NET 3.5 applications. Additionally, thanks to ASP.NET supporting side-by-side execution, I also have ASP.NET 2.5 and ASP.NET 3.0 applications running on the very same server as well. In fact, many people still choose to use classic ASP 3.0/VBScript to this day. I am only mentioning this to lighten the concern that you have to KEEP up continuously. Just because new methodologies and technologies become available doesn't mean you're required to re-write/migrate your applications over.

    ReplyDelete
  6. I'm a .Net developer and this answer might be a little subjective

    ASP.NET Has a set of class libraries , Great(well almost) tooling , there is also the support and ASP.NET code is compiled(some performance gain)

    PHP is good to easy to use and free (All you need is a text editor and LAMP)

    Both has been out for a while so there is plenty of resources out there if you encounter any problem. anyway i would really look for what your client need

    one more thing in software development things change in months if not days so it is hard to make a 10 years plan

    ReplyDelete
  7. PHP will most likely not change as much as ASP.NET and the other technologies connected with it in the coming decades.

    Generally, PHP has a larger community than ASP.NET and is also used or available almost everywhere today. That also means that there are probably more resources, libraries, frameworks, etc. you can choose from. I don't know if that really counts for your client, though.

    ReplyDelete
  8. I'd like to chime in some things that has not come up in here. You mention "high-availability/throughput", so I take it that is important.

    I agree that PHP itself is slower than most other languages when it comes to algorithms (cpu bound), but most sites are mostly I/O bound (file and/or database) anyway. So unless you are doing stuff that is cpu intesive (shopping cart is not...) you should not concert yourself with cpu bound performance issue as that is probably only a few percent of the whole request.

    The LAMP platform really shines when you need load balancing with multible web servers and databases, file access, high availability and stuff like memcached.

    Also, I think that you cannot really choose between ASP.NET and PHP. What you are choosing between is in fact ASP.NET and LAMP (P=php). That is more than just selecting a programming language, considering you will be using Linux instead of Windows, Apache instead of IIS, MySQL instead of MSSQL etc. That may be quite a step for some people.

    So you really should spend some time looking at what kind of site it is and what the requirements are regarding availability and scalability and from that select one of the platforms.

    ReplyDelete
  9. The platform is way less important than the people working with it. I'm biased towards ASP.NEt personally, because I know the platform a lot better. But I also know that an improperly designed system WILL have to be trashed and rewritten at some point, simply because the code base has become a nightmare to maintain.

    A well-designed system, based on proven patterns (MVC comes to mind, but an MVC application implemented by unskilled developers can be worse than a webforms app written by people who pay attention to proper design, code quality and maintainability).

    From personal experience, I would state that ASP.Net, being part of the .Net platform, has more opportunities when it comes to writing solid, object-oriented code. In PHP, Object-Orientation seems to have been glued in as an afterthought.

    But as I said, I'm obviously biased. I'm sure that well written systems in PHP can be equally maintainable (and survive 10 years).

    ReplyDelete
  10. Here is a stat that I would like to share with all. Although it does not prove much still it can give some idea about the use of languages in some popular websites.

    Google.com - C, Java, C++, PHP & MySQL
    Facebook.com - PHP, MySQL and C++
    YouTube.com - C, Java and MySQL
    MSN.com - ASP.net
    Live.com - ASP.net
    Wikipedia - PHP & MySQL
    Amazon.com - C++, Java, J2EE

    ReplyDelete
  11. 10 years is more a couple lifetimes for any web app, that's kind of unrealistic. But you can still find old HTX/IDC scripts and crusty VB CGI executables puttering along if you know where to look, so honestly either will probably be okay.

    PHP might be more okay though - right now you can download & compile PHP 3 from here, set up Apache 1.3, and watch it spit out pages exactly like it did a decade ago. Finding commercial/third-party support for it will be painful, but still possible - everything you need to recreate a 10-year-old web server is all right there in plain view.

    With a language & framework that are tied to a closed OS, which in turn is tied to security hotfixes that can't be ignored, you might have a harder time of it. IIS still handles "classic" ASP and .NET 1.0, but should MS decide to pull support for them 10 years from now because fundamental changes in .NET XIV require it, you might end up stuck between a possibly insecure server and praying you never lose the old install disks. (then again, there's also Mono)

    Still, 10 year lifespan for a web app... that's a long time, things continue to change too fast to guarantee anything on the web will last that long, including the web itself.

    ReplyDelete
  12. I started writing this as a comment to BC's answer, but ran out of characters :-)

    BC is right that ASP.Net has evolved, but that's more a plus than a disadvantage. Upgrading an ASP.Net application is generally rather straightforward: there are very little breaking changes between platform versions.

    First, it's not fair to compare ASP with ASP.Net here. That would be the same as saying that it's hard to move to ruby on rails to php.

    Between .Net versions, the compatibility level has always been really high, and the breaking changes are generally well documented. From experience, I can say that most applications written for .Net 1.1 will work 99.99 % sure without any modification to the code. Also, the tooling (Visual Studio) fully supports the upgrading process. Obviously, new versions bring new features (LINQ comes to mind), but those really are opt-in: you use them when you're ready and if there's any benefit in using it.

    ReplyDelete
  13. Performance note:

    for heavy mathematical stuff .NET is better because it is compiled.
    But that's not the really use case for a regular website and/or web application.

    I've analyzed displaying a general search (not heavy) results page both running on the same server on IIS6.
    The difference is huge, why? I believe it is because .NET has to load a bunch of crap to show a page, whereas as php does it directly.

    We've made a bunch of test cases with real people using stop watches to measure since the moment you click, till the page is shown.
    PHP came out about 20 xs faster in average. (PHP avg .25s, .NET avg 5s both on IIS6).

    And that's what counts in our case :/

    PS: yes, it was a really old and slow server :x

    ReplyDelete
  14. For a shopping site, php is probably the better choice IMHO. However for in-house sites heavy on business logic, Asp.Net is the route to go. One aspect I'd like to mention is that for the most part, Asp.Net uses the same .Net libraries as all .Net applications. Classes created for Asp.Net can be reused "as is" in .Net desktop applications. Simply include the same classes in both projects. What this means is that web apps and desktop version of the apps can be written with the only real coding difference being the front ends.

    Public Class X

    Public Shared Function Foo(msg as String) as String

    Return "You Said " & msg

    End Function

    End Class

    In Asp.Net:
    Textbox1.Text = X.Foo("hi")

    In .Net Windows app
    Textbox1.Text = X.Foo("hi")

    Simple example, but you get the idea.

    ReplyDelete
  15. Let us be realistic.

    PHP:


    Is FREE Practicality-wise, who wants to pay when you can have something for FREE?
    Open source You can have a lot of control not only in what you want to do but what you also want the platform to be like. You can recompile it to match your needs.
    Backed by a vast and large community behind it. Posting a question on any PHP forum, you will easily get an answer
    Speed I read someone said ASP.net is faster than PHP. Oh yes but Linux is way faster than Windoes right? Windows is full of bloat and clunky unnecessary features and this is the kind of environment where you will run ASP.net. Unless you can run ASP.net on Linux in which case Microsoft will freak! So overall ASP.net won't run faster than PHP in this kind of environment and besides who says IIS is faster than Apache? Anyone? Prove it.
    Consistent Like a child with tantrums, Microsoft has a nasty habit of abandoning softwares, OS, platforms and system it has released whenever it wants to without regard for its users. If it does not opt for abandonment it has the habit of suddenly changing it. Look what happened to Visual Basic 6 and to Classic ASP. Instead of improving it, it changed it a lot that programmers have to relearn everything. There is no consistency and developers and users are at their mercy.
    Buggy Oh yeah Microsoft has the habit of releasing buggy wares. Look: Windows 98 and Windows Vista and those are OS used by millions how much more those development platforms used by the lesser half? If it's not buggy it does not have the need to release patches every now and then. I usually come across ASP.net powered sites sometimes an error pops right on me with lots of info. It gives more info than the typical PHP error and that is not good on the perspective of security. You are actually giving clue to potential hackers.
    Security Who says Windows is more secure than Linux? Linux was conceived with security in mind right from the start.

    ReplyDelete