<div dir="ltr"><div>My favorite essay on PHP ( <a href="http://me.veekun.com/blog/2012/04/09/php-a-fractal-of-bad-design/">http://me.veekun.com/blog/2012/04/09/php-a-fractal-of-bad-design/</a> ). In fairness, here's a response ( <a href="http://forums.devshed.com/php-development-5/php-is-a-fractal-of-bad-design-hardly-929746.html">http://forums.devshed.com/php-development-5/php-is-a-fractal-of-bad-design-hardly-929746.html</a> ). I have worked in PHP, but it is not a language which appears on my resume.<br>
<br><br></div>-- CHS<br><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Jul 21, 2013 at 8:53 PM, JD <span dir="ltr"><<a href="mailto:jdp@algoloma.com" target="_blank">jdp@algoloma.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 07/21/2013 06:03 PM, Alex Carver wrote:<br>
> On 7/21/2013 14:05, Jim Kinney wrote:<br>
>> FACEBOOK IS SECURE?!?!?!?! when did that happen?<br>
>><br>
>> PHP, according to many security people far more knowledgeable than me,<br>
>> continues to suffer from design flaws in the core. Now add in the rampant<br>
>> proliferation of poorly coded add-ons and you get the mess that is PHP. It<br>
>> makes Java look good.<br>
>><br>
><br>
> I'd actually like to see some site where the security issues of PHP are<br>
> discussed. Most of the things I've seen have to do with either old versions or<br>
> various "core" modules that may or may not be used in particular scripts but I<br>
> really do want to know what it is these security people find to be a problem<br>
> (partly so I can verify my own installations and ensure there's no major issue).<br>
><br>
<br>
</div>Software security is hard. I have doubts that any non-expert can secure any<br>
language enough to put code on the internet. There are many books, tutorials,<br>
best practices and groups trying to improve the security of software. The best<br>
group trying to create secure websites and web-apps seems to be the OWASP groups.<br>
* <a href="https://www.owasp.org/index.php/How_to_write_insecure_code" target="_blank">https://www.owasp.org/index.php/How_to_write_insecure_code</a><br>
* <a href="https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet" target="_blank">https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet</a><br>
but there are many others, usually aligned with each language. I know the Perl<br>
guys take security very seriously and have since the mid-90s, if not the beginning.<br>
<br>
I know a few professional PHP programmers and believe they are experts in the<br>
language AND in creating secure code as well as possible with the tools allowed.<br>
They've also been blindsided a few times when core libraries had poorly thought<br>
out implementations or buggy code was released. That happens with many languages.<br>
<br>