I think that when most people hear "PHP" and "security" used in the same sentence, it seems about as out-of-place as, say, putting "Rasmus" and "Terry" in the same sentence. Basically this thread summarizes how most people view PHP security.
He goes on, giving four main points/excuses that people give about PHP's security, and refuting each one:
- PHP has the worst security history of any language.
- PHP shoves a mess of shit into the global namespace (or other assorted digs on register globals).
- PHP doesnâ€™t have the concept of a prepared statement.
- PHP security cures (magic quotes, safe mode, stripslashes) are sometimes worse than the disease.
Read on for the full story...