I missed a lot of the bad press about PHP and Santy in the last days,
since I’m here in the middle of the Alps. But one concerned PHP user,
David Chui, sent this mail to the Planet PHP address and I’d like to
publish some of his mail here. This is his opinion alone and I don’t
necessarily totally agree with him …

I just wanted to pass along my concern about the beating that PHP is
taking all over the press. Actually not just a beating, it’s really
being shit on, frankly. I’ve been looking around at all my usual large
PHP sites, and not one word about the bad press, not even on phpBB.
I’m amazed. I can only conclude that PHP people might be saying
something like, “we put the patches out months ago and if people don’t
install them, then too bad, and we’ll just wait ’til this blows over”.
That’s fine, except then there’s no response to all the disinformation
out there. The non-tech-savvy sites are making it sound as though all
PHP is susceptible to these attacks. I read enough to check on my
version of PHP and what commands to look for in scripts, so I think I’m
OK. I write scripts, and even I’m not completely sure.
But your average corporate manager who is trying to decide what web
platform to use may be thinking, “wow, PHP looks like it has no
security”. And Microsoft has got to be loving that. Wouldn’t you
agree? And wouldn’t a short, clear statement/response about this be
helpful in getting the truth out there?
Instead, PHP.net and other places look as though they just have their
heads in the sand. I suppose that’s a weakness of the open-source
movement; since there are no managers, no one ever will stand up to
take the heat.
I love PHP, and I want it to continue to grow. I hope that your site
and others will address this with simple statements that will
acknowledge the problem, describe what to do about it, and describe how
PHP will guard against more of that.