Mailing List Archive
Re: [tlug] Do you whitelist or blacklist utf-8?
- Date: Fri, 25 Feb 2011 08:52:07 +0900
- From: Darren Cook <darren@example.com>
- Subject: Re: [tlug] Do you whitelist or blacklist utf-8?
- References: <4D639689.1010302@example.com> <4D63EFBC.1020900@example.com> <4D64C5DD.1040607@example.com> <4D64CB49.10906@example.com> <4D652AF5.10304@example.com> <4D655712.1090608@example.com> <37687.61.213.3.170.1298510044.squirrel@example.com> <4D661A15.8010009@example.com> <4D666540.5000705@example.com>
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101208 Thunderbird/3.1.7
> You've probably already seen the other replies, but the
> number of PHP vulnerabilities was overwhelming a few years back.

I've not seen any reply yet to tell me that a recent release of PHP is "insecure". Josh's googits can just as easily be interpreted as "more eyeballs looking at PHP mean more of the bugs are fixed".

What would make me sit up and pay attention is if you showed me that a php 5.2.x or 5.3.x release was released with serious security bugs in the core (as opposed to in some new specialist library that has just been added).

As far as I know most of PHP's bad security reputation is due to bad practices in frameworks and software built with PHP, and mostly before attacks such as XSS had even been invented. But I know the reputation annoys the core developers, so they have been very security conscious in releases in the past few years; a bit like a female doctor in a male-dominated hospital who feels she has to work harder than everyone else to prove herself.

The very big websites using PHP, such as Facebook and Wikipedia, never complain about PHP not being secure enough. When giving the pros and cons, the only con I see given is: "PHP isn't as fast as C" [1].

Darren

[1]: See https://github.com/facebook/hiphop-php/wiki/ for one way Facebook deal with this.

--
Darren Cook, Software Researcher/Developer
http://dcook.org/work/ (About me and my work)
http://dcook.org/blogs.html (My blogs and articles)