arborint wrote: I think only Harry Fuecks had a balanced view of things.
If I didn't think Andrew had valid points, I wouldn't have highlighted his post and started this whole discussion. :-)
arborint wrote: And how does the current complexity of PHP security square with Zend's "Extreme Simplicity" attitude? Should the 20/80 rule apply to PHP security too?
Absolutely. On the surface, it sounds like a bad idea, but it makes sense to focus on what's most important. Also keep in mind that the 80% to be addressed in the Zend Framework is 80% more than you have without it.
Maugrim_The_Reaper wrote: Blaming the entire language so broadly is a little too far. Developers are responsible for most security breaches in some way - at the very least they make unnoticed errors, at worst they lack the experience and rely too much on manual examples that don't mention the security implications of some code example.
I agree with you, but I think Andrew's focus is that PHP can do more to help. I think the invalid arguments against PHP's security tend to blind us from the valid ones. Yes, it's possible to create extremely secure applications with PHP. It might also be possible for PHP to make this easier.
arborint wrote: But I am wondering about things like $_GET, $_POST, $_REQUEST, $_COOKIE, $_SERVER passing raw values from the client through by default. If they filtered by default
Filtered how?
jshpro2 wrote: Write any application that has to have XML POSTed to it and this is the first thing you'll notice.
To be fair, this is only true for non-RESTful web services. :-)
Yes, and the Zend Framework has ZInputFilter, which (I hope) will also be a nice option.
arborint wrote: Sorry, I mean the raw values without basic XSS checks.
Like the following?
Hopefully I've just illustrated why "basic XSS checks" are not as easy as they may seem. Context is everything.
arborint wrote: But PHP makes it easy for a newbie to write insecure code
I think this is Andrew's main point, and it's a valid one. It's also a topic I've been giving a lot of thought recently, particularly regarding what the Zend Framework can do to help. Andrew added some pretty thorough comments here:
http://shiflett.org/archive/185
However, notice that he's comparing frameworks to PHP. As Marco noted, PHP is a foundation from which we can build. At that level, flexibility is very important. Many of the existing PHP frameworks, and certainly the upcoming Zend Framework, address many of Andrew's concerns.
He's now in touch with the PHP Group, so hopefully his other concerns can also be addressed. He's a smart guy and worth listening to. :-)
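The "context is everything" point above, as an added example that is not code from the original post or from the Zend Framework: two constructed inputs that contain no `<` or `>` at all pass a naive tag-stripping "basic XSS check" unchanged, yet one injects an event handler in an attribute context and the other a `javascript:` URL in an href context. The second half shows output-side handling chosen per context with PHP's own `htmlspecialchars`, `json_encode` and `rawurlencode`; the `safeHref` allow-list (http, https, or a site-relative path) is an assumption made for this example, not a general-purpose URL validator.

```php
<?php
// Added example, not code from the original post: why a generic "basic XSS
// check" on raw $_GET/$_POST values cannot be correct. The same string can be
// harmless in one output context and an injection in another, so the decision
// has to be made at output time, per context. Sample inputs are constructed.

// Constructed inputs standing in for raw $_GET values.
$attrPayload = 'x" onmouseover="alert(1)'; // contains no '<' or '>'
$urlPayload  = 'javascript:alert(1)';       // contains no HTML metacharacters

// The naive input-side "check": strip anything that looks like a tag.
function naiveXssFilter(string $s): string
{
    return preg_replace('/<[^>]*>/', '', $s);
}

// Both payloads survive the filter unchanged, so the "check" passes them.
function renderNaive(string $attrValue, string $href): string
{
    return '<input value="' . naiveXssFilter($attrValue) . '">' . "\n"
         . '<a href="' . naiveXssFilter($href) . '">profile</a>' . "\n";
}
// In the attribute context the double quote closes value="..." and the rest
// becomes a live onmouseover handler; in the href context the javascript:
// scheme runs on click. Neither payload needed a '<'.

// Context-aware output handling instead: one encoder per destination.

// HTML text and quoted attribute values. ENT_QUOTES is what stops a double
// quote from terminating the attribute.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string literal inside <script>: JSON-encode and hex-escape the
// characters that could close the script block or an enclosing attribute.
function escapeJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// One query-string parameter: percent-encode.
function escapeUrlParam(string $s): string
{
    return rawurlencode($s);
}

// A whole URL in href: encoding cannot help, because 'javascript:' has no
// metacharacters to encode. This context needs an allow-list of what a URL
// may look like (http, https, or a site-relative path; an assumption made
// for this example), and only then attribute escaping.
function safeHref(string $url): string
{
    if (!preg_match('#^(?:https?://|/(?!/))#i', $url)) {
        $url = '#';
    }
    return escapeHtml($url);
}

function renderSafe(string $attrValue, string $href): string
{
    return '<p>' . escapeHtml($attrValue) . '</p>' . "\n"
         . '<input value="' . escapeHtml($attrValue) . '">' . "\n"
         . '<script>var v = ' . escapeJs($attrValue) . ';</script>' . "\n"
         . '<a href="/search?q=' . escapeUrlParam($attrValue) . '">search</a>' . "\n"
         . '<a href="' . safeHref($href) . '">profile</a>' . "\n";
}

echo "--- naive input filter ---\n", renderNaive($attrPayload, $urlPayload);
echo "--- context-aware output escaping ---\n", renderSafe($attrPayload, $urlPayload);
```

Run it with `php example.php` and compare the two blocks of markup: the naive version emits the attribute and href payloads verbatim, while the context-aware version encodes the quote as `&quot;` in the attribute, as `\u0022` inside the script literal, percent-encodes it in the query string, and replaces the `javascript:` URL outright. The takeaway is the one in the post: no single input-side filter can know which of these four contexts the value will end up in.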