I am disappointed (but not surprised) to see Stefan Esser resigning from the PHP Security Team. All my security interactions with PHP have been disappointing, to say the least. Amazingly enough, Zend, who make money from PHP, say
It is not the case, however, that the PHP project is trying to conceal the fact that PHP has been implemented in a very unsafe way. But Suraski [Zend CTO] does think it preferable to produce a patch before publishing any bug report.
Yes, it is preferable, but you have to actually produce the patch. Failure to do so is not a reason to withhold the security flaw – if we follow that path we’re back to the bad old days where security flaws get brushed under the carpet and users suffer. PHP need to get with the program: fix the bugs in a reasonable amount of time, or have the world know what a useless bunch you are.
Esser paints a pretty bleak picture of an institutional head-in-the-sand attitude in the PHP developer community
… as soon as you try to criticise PHP security, you become persona-non-grata in the security team. In addition many of his suggestions were ignored because the developers considered Esser’s choice of words, too abrasive. He says that he had stopped counting the number of times he was called a traitor when he published a bug report on a vulnerability in PHP.
… bugs were sometimes not correctly fixed or were re-introduced. This was often not noticed because there was no test-rig for exploits and the idea of having one was categorically rejected.
I’ve always advised against PHP because of its lack of security, but now I know its developers are actually actively campaigning to ensure it is insecure I think its time I worked a bit harder at it.
So: PHP security sucks. Don’t use it.