Terry Chay has written up a detailed response to the complaints commonly made about PHP security. He addresses many of the usual charges levelled at PHP, such as its use of a single global namespace, the decision to turn register_globals off by default in 4.2, and the problems with magic quotes and stripslashes (which I’ve blogged about previously).
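As an added illustration of the first two of those complaints (this is example code written for this post, not code from Terry Chay's response or from the PHP Security Consortium), here is what register_globals and magic quotes each do to an ordinary script, alongside the defensive idiom for each. It assumes a PHP 5.1 to 5.3 interpreter, where PDO is available and get_magic_quotes_gpc() still reports the setting; the DSN and credentials are placeholders.

```php
<?php
// Added example, not from the original post. Assumes PHP 5.1-5.3 and a
// placeholder database DSN.

// --- 1. register_globals ---------------------------------------------------
// With register_globals=on (the default before 4.2), a request such as
//   /admin.php?authorized=1
// creates $authorized = "1" in the global scope before the first line runs.

// Unsafe: $authorized is only ever assigned on success and never initialised,
// so an attacker-supplied value survives the check.
if (!empty($_SESSION['is_admin'])) {
    $authorized = true;
}
if (!empty($authorized)) {
    // admin panel would be shown here
}

// Safer: initialise every variable you later test, and read request data only
// through the explicit superglobals. Correct whether register_globals is on or off.
$authorized = false;
if (!empty($_SESSION['is_admin'])) {
    $authorized = true;
}

// --- 2. magic quotes -------------------------------------------------------
// magic_quotes_gpc=on runs addslashes() over $_GET, $_POST and $_COOKIE.
// Code that escapes again turns O'Brien into O\\'Brien; code that relies on the
// setting silently becomes injectable the day it is turned off. Undo it once,
// centrally, and escape for the actual sink at the point of use instead.
function raw_request_value($name)
{
    $value = isset($_POST[$name]) ? $_POST[$name] : '';
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value); // restore what the client actually sent
    }
    return $value;
}

$name = raw_request_value('name');

// Escape for the real sink with a parameterised query rather than addslashes(),
// which knows nothing about the database's character set or quoting rules.
$db = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret'); // placeholder DSN
$stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
$stmt->execute(array($name));
$ids = $stmt->fetchAll(PDO::FETCH_COLUMN);
```

The point of raw_request_value() is that the rest of the application sees the same bytes regardless of the magic_quotes_gpc setting, so a later configuration change cannot quietly remove escaping the code was depending on; the prepared statement then does the escaping that actually matches the database.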
One of the interesting points he makes is that there is a trade-off between ease of use and flexibility on the one hand, and security on the other. Much of PHP’s success can be attributed to the ease of use of its early versions. Terry argues that, relative to other languages, PHP is very much weighted towards flexibility, and that the only workable answer to the security problems this can produce is better education. He puts in a plug for the PHP Security Consortium, which publishes material to teach PHP developers secure programming practices (led by Chris Shiflett, the group has published a guide available in HTML and other formats).
The idea that a lack of security can be justified by ease of use is one I’m not entirely comfortable with, as part of me feels that, in an ideal world, the language should make sure that the easiest way to do something is also the right way. But, of course, the issues are complex, and he is, after all, speaking in generalisations while on the defensive against similar generalisations and absolutes levelled at PHP on Slashdot.