An important PHP security developer retires

The retirement came with some rather harsh words on the project and PHP security.

While I agree that PHP by itself isn’t really insecure (actual security bugs excluded), the one thing I really blame PHP for is that it does not assist the developer at all in writing secure applications. On the contrary, give a novice PHP developer some non-trivial task involving a database and some extra files and you’ll have at least two security issues.

I stopped using PHP some years ago for a few reasons, including the above “security issues by default” (which IMHO are due to a badly designed language) and because PHP heavily encourages the user to mix design and application (which is a pain from a maintenance point of view). Of course you could do model-view-controller in PHP, but it doesn’t make it easy to do so (another reason why I consider the language to be badly designed). And don’t get me started on “register_globals”…
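To make the “database plus some extra files” point and the register_globals point concrete, here is an added example (written for this page, not code from the original post or from any PHP project) showing the three classic mistakes such a task invites, each beside a hardened form: string-built SQL versus a validated, bound parameter; a user-supplied file name concatenated onto a directory versus a basename-plus-realpath containment check; and an authorisation flag that relies on register_globals versus server-side session state. The `articles` table, the `uploads/` directory and the `$authorized` variable are hypothetical; the demonstration data is constructed inline against an in-memory SQLite database, so the file runs offline with the PDO SQLite driver.

```php
<?php
// Added example, not from the original post. Assumes a hypothetical table
// articles(id INTEGER, body TEXT) and a hypothetical uploads/ directory.

// --- Vulnerable: the "obvious" way a novice writes it -------------------------

function show_article_vulnerable(PDO $db, array $get): string
{
    // $get['id'] is interpolated straight into SQL: ?id=2 OR 1=1 matches every
    // row, and ?id=1 UNION SELECT ... reads other tables (SQL injection).
    $rows = $db->query("SELECT body FROM articles WHERE id = " . $get['id']);
    $body = $rows->fetchColumn();
    return $body === false ? '' : $body;
}

function read_attachment_vulnerable(array $get): string
{
    // ?file=../../etc/passwd walks out of uploads/ (path traversal).
    return file_get_contents('uploads/' . $get['file']);
}

function is_admin_vulnerable(): bool
{
    // With register_globals=On (removed in PHP 5.4) a request parameter becomes
    // a PHP variable, so ?authorized=1 sets $authorized if the script never
    // initialised it. The function trusts a variable it never assigned.
    global $authorized;
    return !empty($authorized);
}

// --- Hardened ------------------------------------------------------------------

function show_article(PDO $db, array $get): string
{
    // Validate the type first, then bind: the value is never parsed as SQL.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('bad id');
    }
    $stmt = $db->prepare('SELECT body FROM articles WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? '' : $body;
}

function read_attachment(array $get): string
{
    $base = realpath(__DIR__ . '/uploads');
    if ($base === false) {
        throw new RuntimeException('uploads directory missing');
    }
    // Drop any directory component, then confirm the resolved path is still
    // inside the base directory (realpath collapses ../ and symlinks).
    $name = basename($get['file'] ?? '');
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('no such attachment');
    }
    return file_get_contents($path);
}

function is_admin(array $session): bool
{
    // Authorisation comes only from server-side session data, never from the
    // request.
    return ($session['role'] ?? '') === 'admin';
}

// --- Demonstration against constructed data --------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, body TEXT)');
$db->exec("INSERT INTO articles VALUES (1, 'public'), (2, 'secret draft')");

// The tautology turns "WHERE id = 2 OR 1=1" into "every row"; the vulnerable
// version happily returns the first one, the hardened one rejects the input
// before it reaches the database.
echo "vulnerable: ", show_article_vulnerable($db, ['id' => '2 OR 1=1']), "\n";
try {
    show_article($db, ['id' => '2 OR 1=1']);
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected (", $e->getMessage(), ")\n";
}

// Only the session decides who is an admin; a ?authorized=1 query string is
// irrelevant to is_admin().
var_dump(is_admin(['role' => 'editor']));   // bool(false)
var_dump(is_admin(['role' => 'admin']));    // bool(true)
```

The two hardened functions follow the same pattern: decide what the input is allowed to be (a positive integer, a bare file name inside one directory) before any library call sees it, and let the library do the escaping (bound parameters) or the canonicalisation (`realpath`) rather than writing either by hand. Nothing in the language pushes a beginner toward this shape, which is exactly the complaint above.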

OTOH, some years ago I maintained a PHP extension, ming, which has recently found its way back into Debian. Back then, I had the impression that PHP itself is also a pain to package. Building an extension worked okay, but it seemed as if getting PHP to build and work reliably on all architectures with all extensions is a pain. (That may be why the php packages have many open bugs, and why it took e.g. four years to add packages for the pspell extension.)