Month of PHP Bugs Has Begun
An anonymous reader writes "The previously announced Month of PHP Bugs started three days ago, and already lists 8 security vulnerabilities in PHP and PHP related software. From the site: 'This initiative is an effort to improve the security of PHP. However we will not concentrate on problems in the PHP language that might result in insecure PHP applications, but on security vulnerabilities in the PHP core. During March 2007 old and new security vulnerabilities in the Zend Engine, the PHP core and the PHP extensions will be disclosed on a day by day basis. We will also point out necessary changes in the current vulnerability management process used by the PHP Security Response Team.'"
Re:Defective by Design? (Score:3, Insightful)
No, I wasn't. One more reason not to use phpBB, I guess.
PHP taint what it should be (Score:2, Insightful)
Maybe. PHP is a wonderful interpreted language that makes creating a web application easy. The biggest problem with PHP is the entry-level programmers who don't understand the beast that is web programming.
Many PHP programmers don't understand the number one rule of secure web programming: All user data is evil. Anything that comes from an HTTP request cannot be trusted. Heck, I don't trust it even after it has been stored in a database table or the file system. I would love to see a Perl-ish taint mode built into PHP that tells the programmer "This data has come from an insecure source. Please don't eval() it or unserialize() it or write it to disk. Cheerio."
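A userland sketch of the taint idea in the comment above, added here as an example and not part of the thread or of PHP itself: request data is wrapped in an object that typed sinks refuse until it passes an explicit validator. The names `Tainted`, `TaintError`, `request_param` and `cache_path` are hypothetical, and PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

final class TaintError extends RuntimeException {}

// Hypothetical wrapper: holds untrusted input and deliberately has no
// __toString(), so it cannot be concatenated or passed where a string is expected.
final class Tainted
{
    public function __construct(private string $raw, private string $source) {}

    // The only way out is an explicit validator returning the clean string or null.
    public function untaint(callable $validator): string
    {
        $clean = $validator($this->raw);
        if (!is_string($clean)) {
            throw new TaintError("rejected value from {$this->source}");
        }
        return $clean;
    }
}

// Source: everything read from the request comes back wrapped.
function request_param(array $request, string $key): Tainted
{
    $value = $request[$key] ?? '';
    // Array-valued parameters (?a[]=1) are treated as empty instead of being cast.
    return new Tainted(is_string($value) ? $value : '', "request[{$key}]");
}

// Sink: the string type means a Tainted object raises TypeError here.
function cache_path(string $baseDir, string $name): string
{
    return $baseDir . '/' . $name . '.cache';
}

$request = ['page' => 'about', 'file' => '../outside'];   // constructed sample input
$isSlug  = fn(string $v): ?string => preg_match('/\A[a-z0-9_-]{1,32}\z/', $v) === 1 ? $v : null;

echo cache_path('/tmp/app', request_param($request, 'page')->untaint($isSlug)), "\n";

try {
    cache_path('/tmp/app', request_param($request, 'file')->untaint($isSlug));
} catch (TaintError $e) {
    echo 'validator: ', $e->getMessage(), "\n";
}

try {
    cache_path('/tmp/app', request_param($request, 'page'));  // forgot to untaint
} catch (TypeError $e) {
    echo "sink refused a Tainted value\n";
}
```

Once a value is untainted it is an ordinary string again, so this wrapper does not follow data through a database or the file system the way the interpreter-level taint mode the commenter asks for would.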
Be Prepared? (Score:2, Insightful)
Re:Defective by Design? (Score:5, Insightful)
It may never completely go away, but there are alternatives to using it.
Re:Be Prepared? (Score:2, Insightful)