PHP apps: Security's Low-Hanging Fruit
Kelly Martin, 2007-01-08

PHP has become the most popular application language on the web, but common security mistakes by developers are giving PHP a bad name. Here's how PHP coding errors have become the new low-hanging fruit for attackers, contributing to the phishing problems on the web.

PHP apps: Security's Low-Hanging Fruit 2007-01-09
ninjah (1 replies)
Yes, php vulns might account for forty whatever % of vulns on the lists, BUT let's look at what products these vulns are found in. JoeBlow's personal Wiki app that probably says "hey I'm just learning php, this code might suck, use at your own risk," or BobHo's myPHPForum that he wrote for his college web app class. The reason for all these stupid vulns is that certain moderators of certain lists don't exercise any discretion and let every garbage piece of ahem vulnerability through. Hence the reason I filter everything with XSS in the subject on all my list subscriptions. Well, XSS and !Adobe this weekend ;)

Also, a comparison like "all languages let programmers shoot themselves in the foot" or however it was worded, and then comparing c/c++ to php, doesn't make much sense. PHP lets any newb whip up a script that actually does stuff. I could show my mom how to write a simple blog in php. That is not the case with c/c++. PHP has a quick bang for the buck, which is why you have all these people writing out apps, "hey I got it to work and that's good enough for me", that are hole ridden. Of course experienced c/c++ programmers write holey code as well, but in order to write a somewhat functional application in those languages you need some level of programming skill (maybe not skill, but experience at least).


PHP apps: Security's Low-Hanging Fruit 2007-01-12
Kevin Waterson
Don't blame PHP, it's the newbies 2007-11-03
Catalin Hulea
Copyright 2008, SecurityFocus