[nycphp-talk] "The Web is broken and it's all your fault."
Jon Baer
jonbaer at jonbaer.com
Fri Sep 15 09:40:05 EDT 2006
I partly blame the language ... I know of a lot of people who complain
about Java's strict typing/sandboxing + find it cumbersome and have
to explain it's there for a good reason.
First, get rid of this stuff ... $_GET['badstuff'] and all incoming
defined variables period. As long as it exists in the language
people will complain about security ... I'm surprised there is no fork
of PHP to form a SecurePHP variant that takes this out or has strong
wrappers for it (see 3).
Second, there needs to be a way to keep your shared libs and
extensions up to date programmatically w/ some type of scanner or
method. PHP is way too flexible and dependent on the system it sits
on ... first you have PEAR libs, PECL C libs, --and-whatever-else-you-compiled-in.
Third, all the current PHP books (ok a few exceptions) on the shelf
should be tossed out or redone, sanitize() methods should be *built*
in to PHP (or $_SANITIZE['badstuff'])... à la
http://www.owasp.org/index.php/OWASP_PHP_Filters, then republish all the books.
After you build/compile/install PHP or as soon as you create a .php
file on your PC/Mac, a window with this URL pops up ...
http://www.owasp.org/index.php/PHP_Top_5 ... in Ajax Web 2.0 style of course.
- Jon
> Number 2 is the real issue in my opinion. The biggest problem is the low
> adoption barriers. When I've seen PHP code from developers that know
> another language, it's generally good - just like code in any other
> language from a good developer - it's good.
>
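The "built-in sanitize() / $_SANITIZE['badstuff']" idea from the post above, written out as an added example; this is not code from the post, from the nycphp-talk thread, or from the OWASP PHP Filters project. It assumes hypothetical names (`Request`, `h()`) and builds on PHP's filter extension (`filter_var`, `FILTER_VALIDATE_INT`, `FILTER_VALIDATE_REGEXP`), which became a standard part of PHP with 5.2 shortly after this message was written. The request array is constructed for the demo so the script runs from the command line; in an application you would hand it `$_GET` or `$_POST` and never read the superglobals anywhere else.

```php
<?php
// Added example: a typed, allow-list wrapper over request input so that
// application code never touches $_GET directly. Every accessor returns a
// correctly typed value or null; there is no way to get the raw string back.

final class Request
{
    /** @var array<string, mixed> decoded query/body parameters */
    private array $params;

    public function __construct(array $params)
    {
        $this->params = $params;
    }

    /** Integer within [$min, $max], or null if absent or invalid. Never a string. */
    public function int(string $name, int $min = PHP_INT_MIN, int $max = PHP_INT_MAX): ?int
    {
        if (!isset($this->params[$name]) || is_array($this->params[$name])) {
            return null;
        }
        $value = filter_var($this->params[$name], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $min, 'max_range' => $max]]);
        return $value === false ? null : $value;
    }

    /** String matching an allow-list regex, or null. Default: a short identifier. */
    public function token(string $name, string $pattern = '/^[A-Za-z0-9_-]{1,64}$/'): ?string
    {
        if (!isset($this->params[$name]) || !is_string($this->params[$name])) {
            return null;
        }
        $value = filter_var($this->params[$name], FILTER_VALIDATE_REGEXP,
            ['options' => ['regexp' => $pattern]]);
        return $value === false ? null : $value;
    }

    /** One of a fixed set of allowed values, or $default. Strict comparison only. */
    public function enum(string $name, array $allowed, ?string $default = null): ?string
    {
        $value = $this->params[$name] ?? null;
        return (is_string($value) && in_array($value, $allowed, true)) ? $value : $default;
    }
}

/** Output encoding for HTML text and attribute values (input filtering alone is not enough). */
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample request: what a hostile query string might decode to.
$sample = [
    'page' => '2',
    'sort' => "name'; DROP TABLE users--",
    'q'    => '<script>alert(1)</script>',
    'user' => ['nested' => 'array'],
];
$req = new Request($sample);

var_dump($req->int('page', 1, 100));                    // int(2)
var_dump($req->enum('sort', ['name', 'date'], 'name')); // string(4) "name": not in the allow-list, default used
var_dump($req->token('q'));                             // NULL: fails the identifier regex
var_dump($req->int('user'));                            // NULL: arrays are never accepted as scalars
echo h($sample['q']), "\n";                             // &lt;script&gt;alert(1)&lt;/script&gt;
```

The design choice worth noting: the accessors validate against what the application expects (a bounded integer, a member of a fixed set, a pattern) rather than trying to strip "bad" characters out of free-form input, and `h()` handles the separate problem of encoding on output. A `$_SANITIZE`-style superglobal that only stripped characters would still leave the caller holding an untyped string.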