In response to some of the claims made by CNet about the security of PHP, Ken Guest has made a few comments on his blog hoping to correct a few wrongs.

What are featuring in IBM's top ten of vulnerable that makes the report insinuate that the PHP language is a security risk are Jooma, Wordpress and Drupal. How PHP would feature in a list of "vendors" is beside the point.

He illustrates with an allegory that it's not the tool's fault if it's used improperly. Pointing out software like WordPress and Drupal is not the same as pointing out issues with the language that powers them (no matter how trendy it is). The burden is on the developers to use the power the language offers to create more secure, flexible, stable applications. Does PHP have its share of problems? Sure, but get it right next time CNet - don't blame the tool if the builder's not up to spec.

Ivo Jansch mentions an interesting comparison that CNet made on security and levels of vulnerability in a new blog post today. Their article mentions PHP right along side Apple and Microsoft in their list of "most vulnerable software".

This article once again demonstrates the cluelessness that some people have regarding what PHP is. First of all, PHP is not a vendor, so "Apple, Microsoft & PHP" does not make much sense. Furthermore, the only reason PHP even is mentioned in this context is that Joomla, Drupal and Wordpress appear in the list. So PHP, a programming language, gets blamed for the security flaws that are in these packages.

By their logic (applications written in a language on the list means the language is more insecure), they should have marked C as a more insecure language given the ratio of PHP to C software.

On the Developer Tutorials site today, there's a new look at working with the Drupal e-Commerce module in your Drupal installation.

What if you [also] want to support collaborative editing of content, community forums, and other capabilities that could help increase traffic to your site, but are usually only found in content management systems (CMSs)? Is it possible to combine the best of both worlds - shopping carts and CMSs? Fortunately, the answer is yes, if you choose a world-class CMS such as Drupal as a foundation for your site.

They walk you through how to get the module installed, how to configure it to match with your site's layout and flow and how to hook the purchase process into PayPal to make purchasing a few simple user clicks away.

Via Terry Chay's blog

The PHPClasses.org website has posted a new book review about the Packt Publishing offering "Drupal: Creating Blogs, Forums, Portals and Community Websites" (book by David Mercer, review by Zoltan Hunt).

This Packt book takes the reader through installing the Drupal software, configuring and theming, adding content and deploying a Web site. It is aimed at the end user who is looking to setup and customize Drupal's themes, but not actually write their own modules, which would be a topic for book on its own.

The review talks about some of the origins of the content management system, the contents of the book (use cases, introductions to the functionality, etc) and how to manage your site.

On the Developer Tutorials site today, there's a new article post from Michael Ross walking you through the installation and creation of an online newsletter with the Drupal content management system.

There is a much better approach [than mass emails], and that is the use of a Web site that houses the newsletter and also limits reader access to paying subscribers. The ideal tool for creating such a site, is a content management system (CMS), such as Drupal, which is what we will be using in this tutorial. Specifically, we will explore how to use a forum for organizing the newsletter contents and allowing subscriber feedback, and also how to use a Drupal module for controlling subscriber access.

There's not really much in the way of actually installation help (that's what Drupal's documentation is for anyway), but he does talk about how it's initially set up, the subscription method and how to add an access-protected forum to the site to hold the newsletter information.

On the Paranoid Engineering blog, there's a recent post with a "CMS battle" of sorts between two of the more popular PHP-based content management systems out there - Drupal and Joomla.

It's hard to choose which one to use without trying them out. As usually, there are more options - home grown custom programming or even building your own CMS (which I was once stupid enough to do). Programming from scratch is always fun and beneficial for your skills, however, if you need things up and running in no time or you don't do (or don't want to do) any programming, using a CMS is the way to go.

His vote is for Drupal but he's included a long list of specs comparing the features of both so you can decide for yourself on which is the better fit.

On the Zend Developer Zone, there's a new article/tutorial showing how to keep things in sync on your Drupal installation with the help of Adobe AIR.

Whether you're an enterprise developer working in a large shop or setting up a blog for yourself, you've almost certainly been tasked with keeping your development code in sync with some type of stable release. Whether a project is big or small, you still need to ensure that the core code you work with remains consistent.

The tutorial walks you through the setup of a basic AIR application, how to pull the configuration XML into it and parsing it to use in the interface. The next step is the sync, grabbing your config and pushing it out to other multiple configs across your sites (via a REST service).

Larry Garfield talks about a new feature of Drupal 7 in a new post to his blog - the new introspective code registry that's been introduced in this latest version.

As a GHOP Task , Cornil did a performance analysis of Drupal and found its two largest performance drains were the bootstrap process and the theming layer. Quite simply, Drupal spends too much time including code. [...] Fortunately, Drupal 7's self-learning code registry system has just landed, which should obliterate most of the wasted bootstrap cost.

Larry describes the "heart of it all", the token_get_all call, that parses through an entire PHP file, splitting out things like classes included and functions called. This is passed through a function_exists call to the current script and, if it's already there, the file isn't included repetitively.

PHPEveryDay.com has posted a few more tutorials today covering configuring Drupal for your site:

• Drupal Configuration: Site Maintenance
• Drupal Configuration: File System
• Drupal Configuration: Boosting performance by Caching
• Drupal Configuration: Setting Date and Time
• Drupal Configuration: Looking Error Report Log
• Drupal Configuration: Error Handling
• Drupal Configuration: General Setting
• Drupal Configuration: Login to Administration Page

Check out PHPEveryDay for more great PHP-related tutorials.