
“Geeks in a Flamewar” A PHP Tragedy in 3 Acts

Dear Reader,

DISCLAIMER: I am posting this on my personal blog because it is my opinion. Nothing said here should be construed as endorsed by my employer. You got a problem with it, come to me.

Yes, there is high drama on the web again. This time, though, it does not involve the ever so cute but ditzy Amanda Congdon. No, this time you’ve got “Geeks in a Flamewar”. Allow me to recreate for you, if I can, the events of this fracas.

First there was:

This article was widely covered in the PHP community, myself included. It was a bit shallow for a security paper and it certainly did not seem to live up to its claim of

This article is the underlying research behind the SANS Top 20 2005’s PHP section. The methodology used in the preparation of this article is to review all Bugtraq postings containing the word “PHP” and categorize each unique flaw. The author analyzed the most popular flaws / attacks, and researched prevention techniques, resulting in this article.

But it was an easy read so a lot of us liked it.

Next came:

This one is a bit more amusing to read, but the author does make a point. (A single point, but a point nonetheless.) After ranting about self-appointed teachers:

However, as usual it is my duty to protect the PHP community from getting harmed by their self-proclaimed teachers.

The author takes apart one of the 5 examples in the original article. While I don’t recognize the author as anyone other than yet another self-appointed teacher, his sample code and his points about the original article are on the mark.

He also insinuates that he could do the same with the other 4 points. I wish he had, but in a more professional manner.

Most Recently came:

This is apparently the blog of the author of the original article. From the start, we’ve abandoned the concept of professionalism and the claws have come out. It’s an interesting read despite the fact that it’s devoid of anything that can be construed as a point, unless you consider the rant itself a point. The author even calls for the death of PHP and implies that if PHP 6 doesn’t implement his security scheme, it must be hopelessly flawed.

But, wait. There’s More!
After you finish the article, there is dessert in the form of the comments. Both parties are now participating. You don’t get to see intellectual discourse on this level unless you are a grade school teacher. With lines like this one, taken wholly out of context, it’s hard not to crack a smile.

“ps. My ego is the size of a small planet. I try to not show others that often, as it makes them jealous. Seriously, this is not about my ego.”

Um, if it’s not about your ego, then why are you discussing it?

And just because I’m quoting one author doesn’t mean that the other author was any more articulate. No, both of these authors reached deep inside themselves and tapped their inner child to help them with their arguments.

It’s sad because at the root of this, you have two people who obviously know something about PHP and care about it. Both, in their own way, are trying to change it for the better. Sadly, both are also trying to make a name for themselves by tearing down others.

My advice to each of you. (DISCLAIMER: I’m just a humble programmer and part-time blogger. I am no expert and no self-appointed teacher. My motivation for offering you this advice is not to sell books or Google ads, it’s to make my life easier by not having to wade through this crap to get to some real advice on PHP security.)

1: Be transparent in your motives. The original article does not disclose that Chris Shiflett is a member of the organization or at least a friend of the author. If it had, that would have made the numerous references to his book less of an issue. It’s ok to promote the work of your members as long as it’s good and people know that’s what you are doing.

2: Be professional. A serious rebuttal to the OWASP article, devoid of the rants and self-promotion and backed up by peer-review would have been an excellent read. The one that was posted was neither serious nor peer-reviewed.

3: It’s not always about you. The second and third articles (as well as the comments) are more about ego than about PHP. Let’s try having a discussion about PHP for once that actually centers around PHP.

Until next time,

Insert Pithy Title Here

Dear reader,

I don’t often link to other blogs. Selfishly, I don’t want you leaving my page, but in the grand scheme of things I figured if I found it, you have probably already found it too. With that in mind I want to point out two things.

First, if you are a programmer and you don’t read Joel On Software then shame on you. I don’t mean regularly, I mean daily! The same goes for managers of programmers. A daily dose of Joel will help life go a little smoother. Today Joel wrote something that just smacked me upside the head. He started off the article “Great Design” with the following:

You know those gorgeous old brownstones in New York City? With the elaborate carvings, gargoyles, and beautiful iron fences? Well, if you dig up the old architectural plans, the architect would often just write something like “beautiful fretwork” on the drawing, and leave it up to the artisan, the old craftsman from Italy to come up with something, fully expecting that it will be beautiful.

That’s not design. That’s decoration.

That borders on profound. It’s better advice than I’ve seen in a lot of books and a damn sight better than any fortune cookie I’ve ever gotten. (And I am convinced that a lot of managers manage by fortune cookie…but that’s a theory for a different blog.) Go read Joel. (Finish reading me first.) Memorize Joel. Print that quote out and paste it on your wall. Staple it to the forehead of a recent “Graphics Design” graduate. (Go ahead…I’ll wait.)

Second, I have very weird taste in music. My iPod contains everything from David Hamilton to Kiss. (With a very healthy dose of my favorite liberal wacko Jimmy Buffett…you are a musical genius Jimmy…keep your politics to yourself.) But I added a new artist last night that is just cool. “Panic At The Disco” is a hard-driving rock/techno group. Now their web site is a study in horrible UI, but their sound is downright addictive. After you get through trying to figure out their site, wander over here to listen to their music. If you don’t finish with a smile on your face, well, you probably don’t like “Alien Fashion Show” either.

That’s it, just felt the need to share.

Until next time,


There is hope

Dear Reader,

Anyone who knows me or has been around me for more than 5 minutes knows that I rage against the Hollywood machine and basically all large corporations that spew forth the content that most of us lap up like dogs. I hate Hollywood because

1) As a whole it is out of touch with mainstream America
2) It creates ‘stars’ that then like to use their ‘star power’ to push their own agendas whatever they may be.
3) For movies, the theater experience is now so bad that even a good movie is usually ruined by the ass-holes around me.
4) Their content is grossly overpriced and they are much more impressed with their skills than I am.

I feel much the same way about the music industry. By and large, they generate formulaic content that is so pre-processed that it might as well have been sung, played or performed totally by computers. They are impressed enough with the crap they produce to have a plethora of awards shows in which they slap each other on the back and congratulate each other for doing such a wonderful job. Well, at least they think it is wonderful; sales of albums are down again and it’s not because of piracy, it’s because what they are putting out is crap.

But wait, dear reader, there is hope. That hope is not found in Cannes or Sundance, it’s found in places like deviantart. My daughter has an account there, so I frequent it to see what she’s writing, drawing, excited about, etc. I love deviantart because it is a free and open marketplace. No one controls it; I am free to wander the content, looking for the pieces I like. There is no gatekeeper to keep me from watching interesting, compelling and funny content.

I know there is hope because I ran across this today. It’s not the most compelling story line I’ve seen, but it’s better than most of the shows on TV. It is, however, well thought out, well put together and well produced. And even though thousands of people will see it just by virtue of it being online, it will not make the creator millions of dollars. It was produced out of love and a desire to create.

So take note, Hollywood, your days are numbered. No longer do we have to settle for your over-priced over-the-air content or your DRM-laden downloads. If you want my money in the future, come out with reasonably priced content that is interesting. Because if you don’t, someone else will.

Until next time,

p.s. The main website is and worth a look!

Syriana Sucks!

Dear Reader,

The title says most everything I wanted to say, except this. I think the wrong people are directing movies. Let the guy that makes the trailers make the movies. The trailer for Syriana looked great, even though I knew the movie wasn’t. There is an inverse relationship between the quality of a movie and the number of high-profile actors in it. Add to that the fact that the star produced this cinematic crap-fest.

Save your money. Sit at home for 2 hours with the remote control and watch 2 minutes of random TV shows, hoping that the plots will somehow come together. Then turn on the lights and walk out of the room disappointed because they didn’t.

Until next time, it was good to hear your voice today.