ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

security

December 27, 2007 5:42pm

  • #1 / Dec 27, 2007 5:42pm

    AntonioVarni

    1 posts

    I’m concerned about using ExpressionEngine because of the fact that it requires PHP. PHP has a horrible security track record and many security bugs have still not been fixed since the ‘Month of PHP bugs’ earlier this year. This is one reason why I would like to run ExpressionEngine using Quercus from Caucho, which is a PHP implementation written in Java. Would EE work with this? Are any other customers using EE with Quercus?

    One other comment: the portion of your Manual that talks about CAPTCHA is somewhat misleading. CAPTCHAs do raise the bar slightly and may act as a deterrent to unmotivated spammers, etc., but they are defeatable. It is simply not true that ‘OCR’ image analysis software can be easily fooled by introducing distortions into the image. In fact, most CAPTCHA implementations have already been defeated.

    For example see:
    http://www.cs.sfu.ca/~mori/research/gimpy/
    http://sam.zoy.org/pwntcha/

  • #2 / Dec 28, 2007 1:48pm

    Derek Allard

    3168 posts

    The security track record of ExpressionEngine is stellar, and particularly when you compare it against comparable systems.  Your question was more relating to PHP security in the broadest sense, and in that respect the main thing you can do is choose an excellent host who takes security very seriously.  EngineHosting is a good example of such a host, but there are others.

    I have no experience with Quercus, and can’t speak to how EE would run in such an environment.

    Re the Captcha, thanks for your input. We recognize that there is no such thing as “perfect” security, and nobody here would pretend that Captchas cannot be defeated; however, they are a part of the equation of combating automated bots, and thus we offer them, among many, many other features aimed at ensuring an ExpressionEngine site runs as smoothly as possible.
