
Re: wheezy still missing php5-suhosin

Andrew McGlashan wrote:
> Yes, but insecure code is so easy to make and even the so-called experts
> are making them.  There is even an O'Reilly book that has wrong
> information that is leading programmers astray.  The protections
> provided by Suhosin in the past may _always_ be required and necessary.

This is all so nebulous and vague.  Is there an example that could be
cited of a case that the suhosin patch will protect against in the
php 5.4.4 interpreter?  Even one example would really help drive the
point home.

> It's not as bad as 95% of people running Java are using older versions
> that are known to be exploitable, but there is plenty of exploitable PHP
> code -- some may remain for years on non-patched servers, but new and
> properly patched servers shouldn't be part of the problem.  PHP needs
> to, upstream, make sure that programming flaws cannot be exploited and
> that is what Suhosin aims to achieve.  Bad code will be there, we need
> to be protected from it one way or another.

So...  Why isn't upstream PHP being pressured to address the problem?
And if they are really so bad why are so many people still using it?

Yes, I have seen a lot of really horrid php code.  But I am not a heavy
user of other people's code.  I am supporting one php application that
I wrote and that is it at the moment.  And since I wrote it I am very
familiar with the internals of it.  But it isn't representative of
"other people's code".

