May is the “Month of PHP Security,” and 20 security flaws have been found in the open source PHP language itself as well as in PHP applications.
More than half of the bugs affect PHP itself. For example, the PHP functions preg_quote() and html_entity_decode() have what is known as an interruption information leak vulnerability, discovered by Stefan Esser.
The Month of PHP Security is a continuation of “the effort of Hardened-PHP’s Month of PHP Bugs in 2007 to improve the security of PHP and the PHP ecosystem by disclosing vulnerabilities in PHP and PHP applications on the one hand and on the other hand by publishing articles and tools that help PHP application developers to develop more secure PHP applications.”
In addition to security bug notices, the group also publishes articles about how to write secure PHP applications.
One article every PHP developer should read is “Generating Unpredictable Session IDs and Hashes” by Jordi Boggiano.