here are some excerpts from e-mails I have received. I'm not saying "don't learn PHP. What I am saying is that some security professionals I am aquainted with seem to think there are innate problems with the design of the language.
<quote>
Call me "chicken little", but I am getting worried about the looming
Apache/PHP vulnerability out there:
http://news.com.com/2100-1001-850752.html?tag=cd_mh http://security.e-matters.de/advisories/012002.html http://www.cert.org/advisories/CA-2002-05.html
If you have a webserver on the internet with PHP I encourage you to
patch it NOW.
If the estimate of 1 million vulnerable php servers is correct, then
as soon as someone creates a worm program that can get a shell on a
vulnerable machine then all 1 million servers will be infected in
about 2 hours (assuming one machine can try to infect 10 random IP's/sec).
That would be worse than code red and a huge blow to Apache & OSS. :-(
I hope I turn out to be chicken little...
</quote>
which was followed by this
<quote>
>> I'll go one better than that. If you use PHP, STOP. They have
> > security bulletins released about once a week, it seems (o.k. I'm
> > exaggerating A LITTLE). About the only "vendor" with more frequent
> > releases is Microsoft...
>
> Eh, I don't buy that. Please back it up with some references.
Ok, I'll back down partially in that upon review, many of the
advisories I've seen I've mis-remembered; they were not actually PHP
advisories, but for software written in PHP. However, just this year:
http://online.securityfocus.com/archive/1/258995 http://online.securityfocus.com/archive/1/258662 http://online.securityfocus.com/archive/1/255037 http://online.securityfocus.com/archive/1/254846 http://online.securityfocus.com/archive/1/254005 http://online.securityfocus.com/archive/1/250196
Some of these are considered fairly minor, in that the vulnerability
is a possible exposure of what may be considered sensitive info. Some
of these are things that can be fixed by altering the configuration of
PHP. The problem is that it shows a pattern of failing to think
about programming security issues.
There are also some earlier advisories which complain about the design
of PHP encouraging the development of insecure code. It seems that
writing secure PHP scripts is also very difficult, and there are quite
number of advisories for software written in PHP, which are not
necessarily the fault of PHP, but perhaps encouraged by the design of
PHP.
I stand by what I said: if you're using PHP, it is my opinion that
you're better off from a security standpoint using something else.
You have to worry about security problems in the software written
using PHP, as well as those of PHP itself. For example, Perl has zero
reported vulnerabilities over the same period of time, and only one
report of a vulnerability in software written in it (a file disclosure
bug caused by bad input validation). I personally don't feel that PHP
has a track record that warrants confidence in the security of your
web server, and possibly your network depending on other trust
relationships with your web server. Better, mmore proven alternatives
exist.
</quote>
Linear Mode
