During the month of May, the PHP community attempted to mop up security flaws in the open-source language. Most of the 60 flaws uncovered would require local server access—in other words, the developer would have to be attacking his or her own server.
“PHP was not designed to protect against such scenarios, and while it does some best-effort attempts to protect against casual hacking attempts, it doesn’t pretend to promise bulletproof protection against untrusted developers with code access,” said Andi Gutmans, CEO of PHP vendor Zend. “As such, it’s likely there are dozens of other similar issues in PHP, perhaps even more, and while we do consider them bugs, we don’t consider them as critical security issues.”
Other bugs found during the month would be avoided if all developers followed best practices. “PHP, like all development languages, is only as secure as the code people write in it,” Gutmans explained. “The main important thing developers have to know is that when they deploy a Web application — whether it’s written in PHP or in any other language — they’re deploying into a hostile world. It’s therefore important for everyone to get security training.”