Postcards From My Life

Lint I find in my mind's belly-button.

“Geeks in a Flamewar” A PHP Tragedy in 3 Acts

Dear Reader,

DISCLAIMER: I am posting this on my personal blog because it is my opinion. Nothing said here should be construed as endorsed by my employer. You got a problem with it, come to me.

Yes, there is high drama on the web again. This time, though, it does not involve the ever so cute but ditzy Amanda Congdon. No, this time you’ve got “Geeks in a Flamewar”. Allow me to recreate for you, if I can, the events of this fracas.

First there was:
http://www.owasp.org/index.php/PHP_Top_5

This article was widely covered in the PHP community, including by me. It was a bit shallow for a security paper and it certainly did not seem to live up to its claim of:

This article is the underlying research behind the SANS Top 20 2005’s PHP section. The methodology used in the preparation of this article is to review all Bugtraq postings containing the word “PHP” and categorize each unique flaw. The author analyzed the most popular flaws / attacks, and researched prevention techniques, resulting in this article.

But it was an easy read so a lot of us liked it.

Next came:
http://blog.php-security.org/

This one is a bit more amusing to read but the author does make a point. (A single point, but a point nonetheless.) After ranting about self-appointed teachers:

However, as usual it is my duty to protect the PHP community from getting harmed by their self-proclaimed teachers.

The author takes apart one of the 5 examples in the original article. While I don’t recognize the author as anyone other than yet another self-appointed teacher, his sample code and his points about the original article are on the mark.

He also insinuates that he could do the same with the other 4 points. I wish he had but in a bit more professional manner.

Most Recently came:

http://www.greebo.net/?p=353

This is apparently the blog of the author of the original article. From the start, we’ve abandoned the concept of professionalism and the claws have come out. It’s an interesting read despite the fact that it’s devoid of anything that can be construed as a point, unless you consider the rant itself a point. The author even calls for the death of PHP and implies that if PHP6 doesn’t implement his security scheme, it must be hopelessly flawed.

But, wait. There’s More!
After you finish the article, there is dessert in the form of the comments. Both parties are now participating. You don’t get to see intellectual discourse on this level unless you are a grade school teacher. With lines like this one, taken wholly out of context, it’s hard not to crack a smile.

“ps. My ego is the size of a small planet. I try to not show others that often, as it makes them jealous. Seriously, this is not about my ego.”

Um, if it’s not about your ego then why are you discussing it?

And just because I’m quoting one author doesn’t mean that the other author was any more articulate. No, both of these authors reached deep inside of them and tapped their inner child to help them with their arguments.

It’s sad because at the root of this, you have two people who obviously know something about PHP and care about it. Both, in their own way are trying to affect it for the better. Sadly, both are also trying to make a name for themselves by tearing down others.

My advice to each of you. (DISCLAIMER: I’m just a humble programmer and part-time blogger. I am no expert and no self-appointed teacher. My motivation for offering you this advice is not to sell books or Google ads, it’s to make my life easier by not having to wade through this crap to get to some real advice on PHP Security.)

1: Be transparent in your motives. The original article does not disclose that Chris Shiflett is a member of the organization or at least a friend of the author. If it had, that would have made the numerous references to his book less of an issue. It’s ok to promote the work of your members as long as it’s good and people know that’s what you are doing.

2: Be professional. A serious rebuttal to the OWASP article, devoid of the rants and self-promotion and backed up by peer-review would have been an excellent read. The one that was posted was neither serious nor peer-reviewed.

3: It’s not always about you. The second and third articles (as well as the comments) are more about ego than about PHP. Let’s try having a discussion about PHP for once that actually centers around PHP.

Until next time,
(l)(k)(bunny)
=C=

This entry was posted on Tuesday, July 11th, 2006 at 7:31 am and is filed under Entertainment, PHP, Programming.
