Slashdot Mirror


Serious Crypto Bug Found In PHP 5.3.7

Trailrunner7 writes "The maintainers of the PHP scripting language are warning users about a serious crypto problem in the latest release and advising them not to upgrade to PHP 5.3.7 until the bug is resolved. PHP 5.3.7 was just released last week and that version contained fixes for a slew of security vulnerabilities. But now a serious flaw has been found in that new release that is related to the way that one of the cryptographic functions handles inputs. In some cases, when the crypt() function is called using MD5 salts, the function will return only the salt value."
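The failure described in the summary (crypt() with an MD5 salt handing back just the salt) is easy to detect at start-up, and the same shape check protects a password verifier from any records written while the function was broken. The following is an added example, not code from the Slashdot post, the submitter, or the PHP project; the function names, the constructed test salt and the deployment of a start-up self-check are assumptions for illustration. It avoids scalar type hints and hash_equals() so that it also runs on the 5.3 series the story is about.

```php
<?php
// Added example, not code from the Slashdot post or from the PHP project:
// a self-check for the PHP 5.3.7 crypt() regression, in which crypt()
// called with an MD5 ("$1$") salt returned only the salt instead of a hash.
// Written without scalar type hints or hash_equals() so it runs on 5.3.

// Shape of a correct MD5-crypt result: "$1$" + 1..8 salt chars + "$" + 22 chars.
define('MD5_CRYPT_PATTERN', '#^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$#');

/**
 * True when crypt() yields a well-formed MD5-crypt hash for $salt; false when
 * it hands back only the salt (the 5.3.7 failure) or anything else malformed.
 * The default salt is a constructed test value, not one used for real accounts.
 */
function crypt_md5_is_healthy($salt = '$1$selfchck$')
{
    $hash = crypt('selfcheck-password', $salt);

    if (strlen($hash) <= strlen($salt)) {
        return false;   // only the salt (or less) came back
    }
    if (strncmp($hash, $salt, strlen($salt)) !== 0) {
        return false;   // result does not even embed the salt it was given
    }
    return preg_match(MD5_CRYPT_PATTERN, $hash) === 1;
}

/**
 * Constant-time string comparison (hash_equals() only exists from PHP 5.6).
 */
function constant_time_equals($a, $b)
{
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

/**
 * Password check that refuses a stored value which is only a salt, so records
 * written while crypt() was broken can never be matched by a bare-salt result.
 */
function verify_password($password, $stored)
{
    if (preg_match(MD5_CRYPT_PATTERN, $stored) !== 1) {
        return false;   // stored value is not a complete MD5-crypt hash
    }
    $computed = crypt($password, $stored);
    return constant_time_equals($stored, $computed);
}

// Refuse to start on a build whose crypt() is broken for MD5 salts.
if (!crypt_md5_is_healthy()) {
    fwrite(STDERR, "crypt() with an MD5 salt is broken on this PHP build\n");
    exit(1);
}
```

Running this at application start-up turns the bug into a loud failure instead of a silent one; the pattern check in verify_password() additionally ensures that a database row containing nothing but "$1$salt$" can never validate any password.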

1 of 165 comments

  1. Re:PHP can't get better. It drives away anyone goo by Anonymous Coward · · Score: 0, Flamebait

    Let me get this straight. You're accusing him of needing "more logical organization" in his thoughts, all while you're defending one of the worst programming languages ever to be created? And it's the message that matters, not who delivered it. You've missed the message by focusing solely on the messenger.

    This bug never should have happened. There's absolutely no excuse for it. Even a shitty programmer would not have made this mistake. Seriously, go look at the diff of the fix. It's mind-boggling that it happened in the first place.

    This kind of bug never happens in Java-based web frameworks, or .NET-based web frameworks, or Python-based web frameworks, or Ruby-based web frameworks, or Perl-based web frameworks. Nobody else screws up like this. But somehow PHP manages to do this constantly. Look at its changelogs, for crying out loud. It's one pathetic bug after another, year after year, even in their most stable releases. It clearly must be a problem with the PHP community, because nobody else is affected by this problem to the degree that PHP is. Not even Microsoft, I dare admit it!