Over on the main PHP site, they have a new posting directed to the community for all those out there concerned about the security of PHP and the software that's been written in it.

PHP is a powerful and flexible tool. This power and flexibility comes from PHP being a very thin framework sitting on top of dozens of distinct 3rd-party libraries. Each of these libraries have their own unique input data characteristics. Data that may be safe to pass to one library may not be safe to pass to another.

When we talk about security in a web application we really have two classes. Remote and Local. Every remote exploit can be avoided with very careful input validation. [...] When you have PHP by itself with only a small set of extensions safemode and open_basedir are generally enough to frustrate the average bad guy, but for critical security situations you should be using OS-level security by running multiple web servers each as their own user id and ideally in separate jailed/chroot'ed filesystems. Better yet, use completely separate physical servers. If you share a server with someone you don't trust you need to realize that you will never achieve airtight security.

They offer up those suggestions to hopefully make coders out there aware that, just like any other language, PHP has its faults and issues, but, just like any other language out there - they are committed to correcting the issues and making all right in the PHP world...