On Sep 28, 2013 10:39 AM, "Peter Lind" <peter.e.l...@gmail.com> wrote:
>
> So you're stuck with two choices: accept that PHP security is lax and that as a result a lot of code will have many attack vectors, or try to change the language itself for the better. The third option of "educate" is a mirage.
>
PHP provides you with all the tools you need to write secure apps. I could go around writing mysql_query($_REQUEST["blah"]) but I don't. Why? Because I have been educated. We don't have restrictions in the core that prevent me from doing it, and we don't need them either.

I agree with you, being secure by default is a worthy objective, but the proposal here shouldn't even be on by default. (Remember, not everyone is able to control their ini settings and whatnot.)

Education is not a mirage. People picked up their insecure coding habits from somewhere, and if it's from laziness then I don't think they really deserve protecting. If it was from a terrible blog article promoting insecure practices then we need better articles. There's not much we can do to remove the content that's already out there, but there's a lot we can do with providing new, up-to-date and accurate content.
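The post names mysql_query($_REQUEST["blah"]) as the pattern an educated developer avoids and says the language already supplies the tools to do better. The following is an added example, not code from the thread or from any poster: it puts that concatenation pattern beside the prepared-statement form PDO provides, and runs both against a constructed in-memory SQLite table (the pdo_sqlite extension is assumed to be available) so the difference is observable without a MySQL server. The request value is constructed to stand in for $_REQUEST["name"].

```php
<?php
// Added example (not from the thread): the insecure pattern the post names,
// beside the parameterized form PHP already ships. Runs offline against an
// in-memory SQLite database through PDO; table rows and the request value
// are constructed for illustration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");

// Constructed request value standing in for $_REQUEST["name"]: harmless as
// data, but it changes the query's meaning once concatenated into SQL text.
$request = ['name' => "' OR '1'='1"];

// Insecure: untrusted input becomes part of the SQL statement itself.
// This is the mysql_query($_REQUEST[...]) habit from the post, on PDO.
function findUserInsecure(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Secure: the input is bound as a parameter and is never parsed as SQL,
// so the same string can only ever match a user literally named that way.
function findUserSecure(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$insecure = findUserInsecure($pdo, $request['name']);
$secure   = findUserSecure($pdo, $request['name']);

// The concatenated query matches every row; the bound query matches none.
printf("insecure query returned %d rows\n", count($insecure));
printf("secure query returned %d rows\n", count($secure));
```

Running it shows the insecure function returning all three rows and the secure one returning zero for the identical input. The only change between the two functions is where the input enters: as part of the statement text, or as a bound value after the statement has been parsed. That is the whole of what "the tools you need" amounts to for this class of bug, and it is a habit a developer can adopt without any change to the language or to ini settings.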