PHP in the Press

I missed a lot of the bad press about PHP and Santy in the last days,
since I’m here in the middle of the Alps. But one concerned PHP user,
David Chui, sent this mail to the Planet PHP address and I’d like to
publish some of his mail here. This is his opinion alone and I don’t
necessarily totally agree with him …

I just wanted to pass along my concern about the beating that PHP is
taking all over the press. Actually not just a beating, it’s really
being shit on, frankly. I’ve been looking around at all my usual large
PHP sites, and not one word about the bad press, not even on phpBB.
I’m amazed. I can only conclude that PHP people might be saying
something like, “we put the patches out months ago and if people don’t
install them, then too bad, and we’ll just wait ’til this blows over”.

That’s fine, except then there’s no response to all the disinformation
out there. The non-tech-savvy sites are making it sound as though all
PHP is susceptible to these attacks. I read enough to check on my
version of PHP and what commands to look for in scripts, so I think I’m
OK. I write scripts, and even I’m not completely sure.

But your average corporate manager who is trying to decide what web
platform to use may be thinking, “wow, PHP looks like it has no
security”. And Microsoft has got to be loving that. Wouldn’t you
agree? And wouldn’t a short, clear statement/response about this
be helpful in getting the truth out there?

Instead, PHP.net and other places look as though they just have their
heads in the sand. I suppose that’s a weakness of the open-source
movement; since there are no managers, no one ever will stand up to
take the heat.

I love PHP, and I want it to continue to grow. I hope that your site
and others will address this with simple statements that will
acknowledge the problem, describe what to do about it, and describe how
PHP will guard against more of that.

I tend to agree with him. There seems to be a lot of FUD in the air after the phpBB issue. We had a guy on one of the mailing lists for example, asking if Horde is vulnerable to Santy.e/phpInclude.Worm. “Seems like we are, since include() and require() are frequently used in all the code I’ve looked at.” Doh! Not sure if I should cry or laugh.

I think I might have gone a tad overboard with my response to the above over @ http://www.powertrip.co.za/blog/archives/000305.html and it’s prob a good thing that I’m not listed on PlanetPHP ;)

The media issue is very important in any field and also concerns PHP … Fortunately there are some magazines about PHP which could write more about security issues. So the solution to fight bad press is to write good press articles!! I’ve already written an article for the next phptn French mag, and hope to see more from other open source initiatives.