PHP Security Consortium Launched
Chris Shiflett writes "We're happy to announce the official launch of the PHP Security Consortium (PHPSC). Our mission is 'to promote secure programming practices within the PHP community through education and exposition while maintaining high ethical standards.' You can read the official press release or visit us at phpsec.org."
Re:Good to see (Score:5, Informative)
I guess you missed the PHP Security Guide [phpsec.org]?
:-)
Re:Want to make PHP more secure? (Score:5, Informative)
As mentioned here [phpsec.org], we recommend that register_globals be left disabled. It has been disabled by default in PHP since version 4.2.0.
This is a poor approach. Data should be filtered on input and properly escaped for its particular purpose on output. Escaping data for one particular purpose on input requires developers to unescape it for any other use, and this unnecessary complexity poses a security risk. Properly educating users as to what functions are there to help properly escape data is our approach. For example, want to avoid XSS? Escape your (already filtered) data with htmlentities(). Want to avoid SQL injection? Use an escaping function specific to your database of choice such as mysql_escape_string().
We are not an advocacy group. Our purpose is to promote secure programming practices within the PHP community, not promote PHP to other groups. PHP is already taken very seriously by some of the web's largest and most heavily trafficked sites.
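The filter-on-input, escape-on-output approach described in the comment above, as an added example that is not part of the original comment or any PHPSC code. The function names and sample inputs are constructed for illustration, and `SQLite3::escapeString()` stands in as the database-specific escaping function because `mysql_escape_string()` was removed in PHP 7.0.

```php
<?php
// Added example: function names and inputs are hypothetical/constructed.

// Filter on input: whitelist what a display name may contain, reject the rest.
function filter_name(string $raw): ?string
{
    $raw = trim($raw);
    // Letters, spaces, apostrophes and hyphens only, 1 to 40 characters.
    return preg_match("/^[A-Za-z' -]{1,40}$/", $raw) === 1 ? $raw : null;
}

// Escape on output: one function per destination context.
function for_html(string $clean): string
{
    return htmlentities($clean, ENT_QUOTES, 'UTF-8');
}

function for_sql(string $clean): string
{
    // Database-specific escaping (SQLite here), applied only when building SQL.
    return "'" . SQLite3::escapeString($clean) . "'";
}

$samples = ["Tim O'Reilly", "<script>alert(1)</script>"]; // constructed inputs

foreach ($samples as $raw) {
    $name = filter_name($raw);
    if ($name === null) {
        // Even rejected input is escaped before it is echoed anywhere.
        echo "rejected: ", for_html($raw), "\n";
        continue;
    }
    // The stored value stays unescaped; each sink applies its own escaping.
    echo "html: <p>", for_html($name), "</p>\n";
    echo "sql:  INSERT INTO users (name) VALUES (", for_sql($name), ")\n";
}

// The alternative the comment argues against: escaping for SQL on input.
// The backslash then leaks into every other context until it is undone.
$escaped_on_input = addslashes("Tim O'Reilly");
echo "escaped on input, as HTML: ", for_html($escaped_on_input), "\n";
echo "after unescaping first:    ", for_html(stripslashes($escaped_on_input)), "\n";
```

The last two lines show the extra unescape step that input-time escaping forces on every non-SQL use of the data.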
Re:Want to make PHP more secure? (Score:1, Informative)
http://phpsec.org/projects/guide/ [phpsec.org]
http://phpsec.org/library/ [phpsec.org]
I'm not sure if this counts, but Zend offers online training [zend.com], and one of their advanced courses is Securing PHP Code [zend.com].
There are two scopes. If that's too many, programming might just not be your thing.
This is in reply to the bit you quoted? If so, perhaps this will help:
http://www.answers.com/propaganda [answers.com]