PHP apps: Security's Low-Hanging Fruit
Kelly Martin, 2007-01-08

PHP has become the most popular application language on the web, but common security mistakes by developers are giving PHP a bad name. Here's how PHP coding errors have become the new low-hanging fruit for attackers, contributing to the phishing problems on the web.

PHP apps: Security's Low-Hanging Fruit 2007-01-12
Kevin Waterson
Don't blame PHP, it's the newbies 2007-11-03
Catalin Hulea
Hello, I think this article is awesome. I am myself a PHP programmer and I always try to improve the security of my applications; and I am also affected by some of my colleagues who don't have the same attitude.

However, I am totally against your presumption that PHP is a non-secure language; on the contrary, it is maybe the most secure on the web, and this is maybe also one of the reasons it is so popular.

Just to mention the fact that the "Security" chapter in the PHP manual is one of the first that programmers can read; and you don't find this chapter, dealing with things like SQL injection, file injection, and so on, in any other programming language manual; that proves PHP was concerned with security since the very beginning.

ASP (the old one, native for IIS) didn't even have, at its time, any function like mysql_escape_string()! If you wanted your application to be secure on ASP, you had to write yourself a function that was supposed to search and replace weird characters in strings in order to avoid SQL injection. MOST of the other languages for the web don't have AT THIS TIME functions or methods for escaping characters in XML, HTML or JavaScript! But PHP was designed since the very beginning with functions such as htmlspecialchars() or addslashes().

So I think PHP by itself is the most secure on the web, but I tell you from experience you are totally right when you speak about inexperienced programmers who don't know PHP but try to use it and introduce bugs into their applications. On the other hand, these programmers would migrate to another language as well, if PHP were not the most popular, and they would damage the reputation of that "other" language too.

In the end, congratulations on this article; it's a very good one and I have the same opinions too. I am so glad to see someone who thinks the same way I do when it comes to security.


Link to this comment: http://www.securityfocus.com/comments/columns/427/34768#34768
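As an added example (not code from the SecurityFocus column or from the commenter above), the following PHP script puts the escaping functions the comment mentions, addslashes() and htmlspecialchars(), next to the alternative a practitioner would reach for today: a parameterised query. It assumes a PHP build with PDO and the SQLite driver so that it runs offline; the users table, its two rows and the attacker-controlled input are constructed for the demonstration.

```php
<?php
// Added example, not from the SecurityFocus page or the commenter.
// Assumes PHP with PDO + pdo_sqlite; all data below is constructed.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT, pass TEXT)');
    $db->exec("INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2')");
    return $db;
}

// 1. Vulnerable: untrusted input is concatenated straight into the SQL text,
//    so the attacker's quotes change the structure of the query.
function loginVulnerable(PDO $db, string $name, string $pass): array {
    $sql = "SELECT name FROM users WHERE name = '$name' AND pass = '$pass'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2a. Escaping with addslashes(), as the comment describes. addslashes() puts a
//     backslash before ' " \ and NUL. That is MySQL's string syntax; SQLite (and
//     standard SQL) escape a quote by doubling it and treat backslash as an
//     ordinary character, so here the query does not become safe, it becomes
//     a syntax error (or, with other inputs, stays injectable). The escaping
//     function must match the database engine actually in use.
function loginAddslashes(PDO $db, string $name, string $pass): array {
    $sql = sprintf("SELECT name FROM users WHERE name = '%s' AND pass = '%s'",
                   addslashes($name), addslashes($pass));
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2b. Driver-aware escaping: PDO::quote() applies the quoting rules of the
//     connected driver (quote doubling for SQLite), the equivalent of calling
//     mysqli_real_escape_string() on a live MySQL connection.
function loginQuoted(PDO $db, string $name, string $pass): array {
    $sql = sprintf('SELECT name FROM users WHERE name = %s AND pass = %s',
                   $db->quote($name), $db->quote($pass));
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Parameterised query: SQL text and data travel separately, so no escaping
//    of the values is needed and no quoting mistake is possible.
function loginPrepared(PDO $db, string $name, string $pass): array {
    $stmt = $db->prepare('SELECT name FROM users WHERE name = ? AND pass = ?');
    $stmt->execute([$name, $pass]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 4. Output encoding for HTML context: htmlspecialchars() with ENT_QUOTES so
//    that both quote kinds are encoded and the value is safe inside attributes too.
function render(string $untrusted): string {
    return '<p>Hello, ' . htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

$db      = setupDb();
$payload = "' OR '1'='1";               // classic tautology injection

// Vulnerable query matches every row: the WHERE clause collapses to OR '1'='1'.
var_dump(loginVulnerable($db, $payload, $payload));   // ["alice", "bob"]

// addslashes() against SQLite: PDOException, because '\' is an illegal token.
try {
    loginAddslashes($db, $payload, $payload);
} catch (PDOException $e) {
    echo "addslashes() on SQLite: ", $e->getMessage(), "\n";
}

// Driver-aware quoting and prepared statement both return no rows.
var_dump(loginQuoted($db, $payload, $payload));       // []
var_dump(loginPrepared($db, $payload, $payload));     // []

// Output encoding neutralises script injection in the HTML response.
echo render('<script>alert(1)</script>'), "\n";
// <p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;</p>
```

The script deliberately runs addslashes() against a database whose string syntax it does not match, because that mismatch is the usual way escaping-based defences fail: the function exists, but it was written for a different engine or a different character set than the one in production. The prepared statement in step 3 has no such dependency, which is why it is the default recommendation rather than any of the escaping helpers the comment lists.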

Copyright 2008, SecurityFocus