Slashdot Mirror

← Back to Stories (view on slashdot.org)

PHP Security Expert Resigns

Posted by samzenpus on from the good-day-sir dept.

juct writes "PHP security holes have a name — quite often it was Stefan Esser who found and reported them. Now Esser has quit the PHP security team. He feels that his attempt to make PHP safer "from the inside" is futile. Basic security issues are not addressed sufficiently by the developers. Zeev Suraski, Zend's CTO of course disagrees and urges Stefan to work with the PHP development team instead of working against it. But given the number of remote code execution holes in PHP apps this year, Esser might have a point. And he plans to continue his quest for security holes in PHP. Only that from now on, he will publish them after reasonable time — regardless if a patch is available or not." Update: 10/30 12:57 GMT by KD : Zeev Suraski wrote in to protest: "I'm quoted as if I 'point fingers at inexperienced developers,' and of course, there's no link to that — because it's not true! The two issues — security problems in Web apps written in PHP, and security problems in PHP itself — are two distinct issues. Nobody, including myself, is saying that there are no security problems in PHP — not unlike pretty much any other piece of software. Nobody, I think, argues the fact that there have been many more security problems at the application level, then there were at the language level. I never replied to Stefan's accusations of security problems in PHP saying 'that's bull, it's all the developers' fault,' and I have no intention to do it in the future."

3 of 386 comments (clear)

  1. Security expert's advice is very easy. by jez9999 · · Score: 0, Flamebait

    use Perl;

    --
    == Jez ==
    Do you miss Firefox? Try Pale Moon.
  2. Re:Uh-huh, riiiiiiiiight... by Goaway · · Score: 1, Flamebait

    C is a language for experts. It should, and does, prioritize power over security.

    PHP is a langauge for beginners. You'd think it would prioritize security over power, but then it just copies C APIs with zero security functionality. (See the mysql_* functions. )

  3. Re:Java made easier by chez69 · · Score: 0, Flamebait

    you don't need a whole freaking J2EE stack to do web programming in java, it's really easy to get a tomcat installation setup and write some jsps.

    J2EE is a huge specification, but nothing requires you to use all of it.

    --
    PHP is the solution of choice for relaying mysql errors to web users.