Troubling News for PHP?

by Curtis Poe

Recently I was pointed to a blog entry announcing the retirement of Stefan Esser from the PHP Security Response Team. Stefan, amongst other things, developed Suhosin, a PHP security tool. His retirement announcement was extremely disturbing and is worth reading.


14 Comments

enygma
2006-12-11 12:23:13
Remember, problems with an application written in PHP (especially with something like SQL injections) aren't problems with PHP the language.


Also remember, there are others on this team that will carry things on. Stefan just happened to be the most vocal.

Ovid
2006-12-11 12:39:23

enygma, as mentioned:


I hacked on one PHP app that horrified me because of how poor its security was, but this is not a reflection on PHP.


I do realize there's a huge difference between the two. The problem is that Stefan implied that people working on the PHP language didn't seem as concerned about security. If true, that's a huge problem. That's why I found his post very disturbing, but again, I have no way of knowing if his implications are correct.

Charles
2006-12-11 13:08:49
IIRC, he made some rather brash and inappropriate statements the other day in regards to how certain binary compilers/optimizers were "anti-open-source" by letting application developers declare that their compiled scripts could not run when certain extensions were detected. This is probably fallout because of that.

nomatter
2006-12-11 19:17:58
Charles is on the right path. Don't do FUD the favor of making speculation into news. Gossip and hearsay belong on the magazine rack, not on oreilly.net.

Joel
2006-12-11 20:16:06
Stefan made some nice contributions to the PHP community, but to say he was a crank is a massive understatement.

Revence
2006-12-12 02:03:18
I read your blog often, but this should be the first time I post.


I can't help noticing how very carefully you choose your words, and how you leave room, almost always, to be wrong. That's rare. And for a guy as smart as you are, that's rarer. But that's why genius is rare.


That's all. No real comments on this. Just noting the mode of expression used (consistently).

Ovid
2006-12-12 02:28:52

Revence wrote:


I can't help noticing how very carefully you choose your words, and how you leave room, almost always, to be wrong.


That's just because I'm wrong so often. Honestly.

Matthew Weier O'Phinney
2006-12-12 11:16:34
I'm a PHP developer (as in codes with PHP, not creates the language) by trade (started with perl, and still do some), and follow the PHP blogs pretty closely. Stefan is incredibly knowledgeable about security issues, and definitely an authority. However, that said, he's also one of the most abrasive developers I've read. The language he typically uses in his posts is antagonistic, and as a result, he's had a lot of difficulty pushing through security initiatives.


I don't think those developing the PHP language do not care about security, as Stefan is alleging; several, including Ilia Alshanetsky, are well-known for their security expertise and contributions in that area. I think the biggest issue here was a clash of personalities between Stefan and others on the PHP team.

foobarph
2007-01-06 01:56:07
Well, I'm not alarmed with his crux. I'm sure he will still contribute to the PHP community. Let's just wait...