I missed a lot of the bad press about PHP and Santy in the last days, since I'm here in the middle of the Alps. But one concerned PHP user, David Chui, sent this mail to the Planet PHP address and I'd like to publish some of his mail here. This is his opinion alone and I don't necessarily totally agree with him …

I just wanted to pass along my concern about the beating that PHP is taking all over the press. Actually not just a beating, it's really being shit on, frankly. I've been looking around at all my usual large PHP sites, and not one word about the bad press, not even on phpBB. I'm amazed. I can only conclude that PHP people might be saying something like, “we put the patches out months ago and if people don't install them, then too bad, and we'll just wait 'til this blows over”. That's fine, except then there's no response to all the disinformation out there. The non-tech-savvy sites are making it sound as though all PHP is susceptible to these attacks. I read enough to check on my version of PHP and what commands to look for in scripts, so I think I'm OK. I write scripts, and even I'm not completely sure.

But your average corporate manager who is trying to decide what web platform to use may be thinking, “wow, PHP looks like it has no security”. And Microsoft has got to be loving that. Wouldn't you agree? And wouldn't a short, clear statement/response about this be helpful in getting the truth out there?

Instead, PHP.net and other places look as though they just have their heads in the sand. I suppose that's a weakness of the open-source movement; since there are no managers, no one ever will stand up to take the heat.

I love PHP, and I want it to continue to grow. I hope that your site and others will address this with simple statements that will acknowledge the problem, describe what to do about it, and describe how PHP will guard against more of that.