Anybody considering using any application written in PHP should consider Marc Espie's opinion about the PHP language ( http://marc.theaimsgroup.com/?l=openbsd-misc&m=114664070319490&w=2 )

----- quote ---------
I'm not the maintainer of php itself, but still I have an opinion.

I don't like php, from a security point of view. It has an AWFUL track record. Some people will tell you it has seen lots of vulnerabilities because it's in heavy use. Well, I've had a look at the code, it has seen lots of vulnerabilities because it was never designed with security in mind.

That said, we provide php because some people may want it. I personally would NOT want to run that on any kind of web server (in fact, I use perl's HTML::Mason as the same kind of framework).

I can give you a simple answer though. Yes, php* is vulnerable. Doesn't matter whether you're talking about this vulnerability, or another. There will be another one lurking around the corner.

Fixing vulnerabilities in the php code is like sticking a finger in a dike. Great legendary stuff, doesn't really work in reality.

------------------ end quote -----------