http://www.perlmonks.org?node_id=589796

There's an article on SlashDot that links to an article on heise Security that Stefan Esser, a member of the PHP Security Team, has resigned. Among other reasons, he states that "any attempt to improve the security of PHP from the inside is futile".

Let the bashing/flaming begin!

Jack

Re: Fuel for the Perl vs PHP fire
by themage (Friar) on Dec 14, 2006 at 12:40 UTC
    Hi,

    Before anything else I would like to say that I'm a Perl Programmer, and that Perl is my elected language. I'm expecting Perl6, and code hundreds of Perl lines every day.

    However, I also know enough PHP to see that NOW, PHP has things where it beats Perl. Let's be realists:
    • PHP 5 object syntax is VERY good;
    • There are thousands of complete applications in PHP, ready to use;
    • Almost every hosting solution supports PHP;
    • Everyone thinks PHP is easy to learn, so everyone tries it.

    On the other hand:
    • PHP doesn't have scope;
    • Most applications are direct to the point, and most are not easy to adapt to a similar (but not equal) situation
    • Security in PHP is weak
    • Almost all PHP newbies could be Perl newbies if it was Perl that everyone thought was simple
    • We are (all?) grateful it isn't; this way Perl code is more secure, more complete and more flexible

    But, anyway, I think we need more applications written in Perl, especially ready-to-use applications (especially for web, where we have very good resources/workbases, like ModPerl, Catalyst, Mason, and a lot of others).

    TheMage
    Talking Web
Re: Fuel for the Perl vs PHP fire
by syphilis (Archbishop) on Dec 14, 2006 at 12:13 UTC
    "any attempt to improve the security of PHP from the inside is futile"

    I think that could have been written more succinctly:

    "any attempt to improve PHP is futile".

    Ooooow ... don't you just love snobbery :-)

    Cheers,
    Rob
Re: Fuel for the Perl vs PHP fire
by sauoq (Abbot) on Dec 14, 2006 at 22:05 UTC
    Among other reasons, he states that "any attempt to improve the security of PHP from the inside is futile".

    I'd call this good news for PHP. Now that Stefan has put himself on the outside, he'll release more vulnerability reports and the external pressure of publicity will hopefully force fixes to be made and incorporated into the core more quickly.

    -sauoq
    "My two cents aren't worth a dime.";

      Even if the PHP developers released security fixes more frequently, how often do cheap hosting providers upgrade? Upgrading PHP applications has been risky in the past, especially when fixes broke backwards compatibility.

      PHP has a difficult time ahead.

        At some point someone should write a refactoring PHP-to-Perl 6 translator. I think a lot of people will be ready for it by then.
Re: Fuel for the Perl vs PHP fire
by sir_lichtkind (Friar) on Dec 14, 2006 at 13:17 UTC
Re: Fuel for the Perl vs PHP fire
by wazoox (Prior) on Dec 14, 2006 at 17:23 UTC
    I notice the article mentions "remote security holes in PHP applications". There's not much to be done in the PHP engine if the applications themselves are poorly written, not much that wouldn't break compatibility anyway.