Author's credentials: not enough knowledge about PHP's development?
Posted Dec 22, 2006 16:19 UTC (Fri) by denials
Parent article: The state of PHP security
Note that the author's resume, posted at http://www.edge2.net/, states that he has "20 years of system and application development experience using C and Perl", with the only reference to PHP being "2+ years of website backend development" which mentions PHP only in passing.
PHP has often been attacked as being insecure by design, and the author has teased out some of the history of the development of the language in which the developers tried to balance PHP's low barrier of entry with reasonable default security. However, talking about the default settings in PHP 4, when PHP 5 has been available for a couple of years now with safer default settings, and when PHP 6 (which will drop some of those insecure options altogether) is likely to see the light of day in 2007, is simply unfair.
Speaking of unfair, pointing to an interview with Rasmus from 2002 reflects poorly on the author's journalistic balance. One can point to many instances of Linus making a decision about the direction of Linux on a specific issue, then turning around a month or a year later and admitting that he was wrong. Yet we do not pillory Linus by focusing on his original decision and ignoring his changes of mind. As an example of Rasmus' change of mind, the PHP 6 planning meeting from November 2005 (which included Rasmus) concluded that PHP 6 would drop register_globals, magic_quotes, and safe_mode entirely. See http://www.php.net/~derick/meeting-notes.html for the details -- this is the top hit in Google for "php 6 plans", by the way. The author could have easily done a little more research to find out what direction PHP was truly heading in, and provided an updated description of Rasmus' stance on these issues today.