PHP Security Consortium

A little over a month ago, I mentioned the PHP security experiments that I've been conducting. I also solicited volunteers to help with my research.

Many gracious PHP experts from around the world have offered their aid. I did not expect such a response (nor all of the attention that this has received), but I appreciate everyone's interest. I want to keep this group small, and I want to make sure that I only involve people with high ethical standards, so I have chosen a handful of people that I know - either personally or by reputation (through their involvement with and/or contributions to the PHP community). This doesn't mean that I don't trust the others, and it's very likely that more people will have a chance to be involved later, because it looks like this may turn into something much more than a research group.

In addition to myself, the following people are volunteering their time to help promote sound security practices within the PHP community:

Because Ben is proposing a talk to be given at PHP Quebec that discusses our research, discoveries, and progress, we have chosen a name for the group - the PHP Security Consortium. We're still just a small group of people conducting some research, but now Ben has something to call us in his proposal.

In addition to conducting research, we have plans to provide several PEAR modules, improve a few others, generate plenty of documentation, and speak at user groups and conferences - all with the intention of educating the PHP community about security concerns (both old and new) and providing tools and best practices to help promote secure application development.

PHP Security Consortium was posted on Tue, 07 Dec 2004.


1. Interesting effort but.... said:

Forgive my bluntness but isn't the name 'PHP Security Consortium' a 'big' name for such a small group? Seeing that a consortium is more a group of groups rather than a group of people.

I reckon a more modest name such as 'PHP Security Group' would add credibility and sympathy for this activity instead of seeming like a selected 'elite' with delusions of grandeur.

Titles aside, this sounds like an interesting effort which I hope will bring value to PHP and its community.

Wed, 08 Dec 2004 at 01:33:17 GMT

2. Chris Shiflett said:

The name is arbitrary. We could have discussed it in great detail, but we're more interested in other things.

In my opinion, PHP Security Group sounds at least as grand, plus the best way to earn respect is by contributing value to the community, not by choosing a great name.

> Titles aside, this sounds like an interesting effort which I hope will bring value to PHP and its community.

Me, too. :-)

Wed, 08 Dec 2004 at 01:46:10 GMT

3. trond said:

As I'm certain that education on "web security" is needed*, I'm glad to see work being done. I look forward to reading the results :)

*An example: I've taken university-level programming classes (and also worked as a teaching assistant ("web programming with PHP"-course)) and security is def. not taken seriously enough. Things as simple as data-filtering and/or "protecting" against SQL injections are not given high priority, and sometimes not even mentioned (at least not in Norway).

Mon, 13 Dec 2004 at 00:53:32 GMT

4. Patrick Reilly said:

I am looking forward to the great PEAR modules from this team of pros... Good work guys, keep it up!

Wed, 22 Dec 2004 at 21:13:45 GMT

