Slashdot Mirror


PHP Security Consortium Launched

Chris Shiflett writes "We're happy to announce the official launch of the PHP Security Consortium (PHPSC). Our mission is 'to promote secure programming practices within the PHP community through education and exposition while maintaining high ethical standards.' You can read the official press release or visit us at phpsec.org."

2 of 64 comments

  1. Wow! by Anonymous Coward · Score: 5, Funny

    They must have offices next door to the MySQL Data Integrity Consortium and the Internet Explorer Web Standards Consortium.

  2. Re:Want to make PHP more secure? by shiflett · Score: 5, Informative
    Drop all insecure legacy features like "register globals".

    As mentioned here, we recommend that register_globals be left disabled. It has been disabled by default in PHP since version 4.2.0.

    HTML ESCAPE BY DEFAULT.

    This is a poor approach. Data should be filtered on input and properly escaped for its particular purpose on output. Escaping data for one particular purpose on input requires developers to unescape it for any other use, and this unnecessary complexity poses a security risk. Properly educating users as to what functions are there to help properly escape data is our approach. For example, want to avoid XSS? Escape your (already filtered) data with htmlentities(). Want to avoid SQL injection? Use an escaping function specific to your database of choice such as mysql_escape_string().

    Then I'll start to take PHP seriously.

    We are not an advocacy group. Our purpose is to promote secure programming practices within the PHP community, not promote PHP to other groups. PHP is already taken very seriously by some of the web's largest and most heavily trafficked sites.
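The filter-on-input, escape-per-output pattern shiflett describes, as an added example that is neither PHPSC code nor the comment author's: a whitelist filter on input, bound parameters for the SQL context, and htmlentities() only when the data is written into HTML. It assumes PHP with pdo_sqlite available so it runs offline; the comment's mysql_escape_string() (removed in PHP 7) is replaced here by PDO bound parameters as the database-specific escaping mechanism.

```php
<?php
// Added example, not from the PHPSC or the comment author. Assumes pdo_sqlite.
declare(strict_types=1);

// 1. Filter on input: accept only what the application expects (whitelist),
//    but keep the text itself raw. Escaping here would be escaping for one
//    purpose and force every other consumer (logs, mail, JSON) to undo it.
function filterComment(array $input): array
{
    $user = $input['user'] ?? '';
    if (!preg_match('/^[A-Za-z0-9_]{1,20}$/', $user)) {
        throw new InvalidArgumentException('invalid user');
    }
    $body = $input['body'] ?? '';
    if (strlen($body) > 500 || !mb_check_encoding($body, 'UTF-8')) {
        throw new InvalidArgumentException('invalid body');
    }
    return ['user' => $user, 'body' => $body];
}

// 2a. SQL context: bound parameters, never string concatenation. The driver
//     handles quoting for this particular database.
function storeComment(PDO $db, array $clean): void
{
    $stmt = $db->prepare('INSERT INTO comments (user, body) VALUES (:user, :body)');
    $stmt->execute([':user' => $clean['user'], ':body' => $clean['body']]);
}

// 2b. HTML context: escape at output time only, for this output only.
function renderComment(array $row): string
{
    return '<p><b>' . htmlentities($row['user'], ENT_QUOTES, 'UTF-8') . '</b>: '
         . htmlentities($row['body'], ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed input containing characters special to both SQL and HTML.
$raw = ['user' => 'alice_1', 'body' => "O'Reilly says <script>alert(1)</script>"];

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comments (user TEXT, body TEXT)');
storeComment($db, filterComment($raw));

$row = $db->query('SELECT user, body FROM comments')->fetch(PDO::FETCH_ASSOC);
// Stored value is the original text, so it is reusable for any purpose.
echo 'stored unchanged: ', var_export($row['body'] === $raw['body'], true), PHP_EOL;
// The same row escaped for HTML output: <script> becomes &lt;script&gt;.
echo renderComment($row), PHP_EOL;
```

Because the stored body is unescaped, the same row can be written to a plain-text log or e-mail without first undoing HTML escaping, which is exactly the added complexity the comment warns against.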