Stefan Esser retires from PHP security response team

Andy Armstrong andy at
Tue Dec 12 10:58:02 GMT 2006

On 11 Dec 2006, at 22:44, Peter Corlett wrote:
> PHP is very much the kind of thing where you peer into the barrel,  
> see a whale, and wonder why you should bother wasting a bullet on it.

It's an interesting insight into what makes a language popular. It  
seems to me that the main thing PHP ever had going for it was low  
cost of entry. You install it on a web server and suddenly all your  
HTML can magically have fragments of code embedded in it.

On security the attitude shown to tainted data is particularly  
revealing - Perl (and Ruby &c) have taint mode - which forces you to  
address the taintedness of the data. PHP has 'magic quotes' which SQL- 
escapes any parameters so that inexperienced programmers think the  
data is safe and don't bother checking it further. Literally a false  
sense of security.

Andy Armstrong,

More information about the mailing list