
PHP


gary
8th April 2005, 13:14
This, however, is why I don't run any PHP on my servers - its security reputation used to be appalling.

To be fair, it's not PHP that's at fault, it's the applications and the server software. If an application is written properly then there are fewer chances of there being holes (and ASP is no different), though that doesn't in any way mean they will be untouchable. Also, there are a lot of servers out there that are not properly patched, or are using default passwords, which makes getting in pretty easy.

David Harris
8th April 2005, 13:33
To be fair, it's not PHP that's at fault, it's the applications and the server software.
I'd certainly agree that badly written software is the primary issue & cause. Coding for security is difficult and not emphasised enough. I've certainly written server code in the past that has been dismally insecure because I didn't understand security principles, so I'm not going to have a go at anyone else. However, the operating system and systems software also have a big role in this. PHP 4, if I recall correctly, enabled access to global variables by default. That was often the attack vector. Nor was it possible to mark data as tainted. By contrast, Perl & Ruby (& I think Python) permit this. So I think the choice of language has a role too.
I don't know if PHP5 has addressed these but I'm not prepared to give it the chance.

Rob Holmes
8th April 2005, 14:49
I get a nightly report from all our servers on all failed login and hack attempts - some days there are as many as 4500 attempts.

It's scary how usernames and passwords can be easily guessed.

Here is a link to our password generator in case anyone wants passwords quickly and easily.

http://www.matrixxhosting.com/pw/

Rob

Webstuff
14th April 2005, 18:12
The whole "global variables" problem was overrated. Anyone who doesn't explicitly refer to the variables array is just being lazy :P. There aren't any security risks with PHP, just its implementations. I use PHP a lot, and on many sites I've developed, and have never had a problem. Simply restrict what filetypes can be uploaded, be sure you're asking for the variable type you want ($_GET, $_POST...), and put the fear of god into your users about making their passwords difficult to guess ;)
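A worked contrast of the two habits argued about above (the PHP 4 "global variables" default David mentions versus the explicit $_GET/$_POST access Webstuff recommends), added here as an example and not code from any poster in this thread; check_login() and the commented-out admin-panel call are hypothetical stand-ins.

```php
<?php
// Added example, not code posted by anyone in this thread.
// check_login() is a constructed stand-in for real credential
// verification against a user store.
function check_login($user, $pass)
{
    return $user === 'alice' && $pass === 'correct horse';
}

// ---- Fragile: written for register_globals = On (the PHP 4 default) ----
// Request parameters arrive as ordinary globals ($user, $pass). That is
// convenient, but every other parameter the client names becomes a
// global too. Because $authorized is only assigned on the success
// branch and never initialised, its value on the failure path depends
// on ambient request data rather than on this code. That is the
// "global variables" attack vector discussed in this thread.
if (isset($user, $pass) && check_login($user, $pass)) {
    $authorized = true;
}
if (!empty($authorized)) {
    // show_admin_panel();   // hypothetical
}

// ---- Hardened: behaves identically with register_globals = Off ----
// 1. Initialise every state variable before any request data is read.
// 2. Read input only from the superglobal you actually expect
//    ($_POST for a login form), never from an ambient global.
// 3. Validate the shape of the input before using it.
// 4. Set register_globals = Off in php.ini so the fragile pattern
//    cannot reappear elsewhere in the codebase.
$authorized = false;
$user = (isset($_POST['user']) && is_string($_POST['user'])) ? $_POST['user'] : '';
$pass = (isset($_POST['pass']) && is_string($_POST['pass'])) ? $_POST['pass'] : '';
if ($user !== '' && $pass !== '' && check_login($user, $pass)) {
    $authorized = true;
}
if ($authorized) {
    // show_admin_panel();   // hypothetical
}
```

The hardened block is the one to copy: with state initialised up front and input taken only from the intended superglobal, the ini setting no longer decides whether the check is sound.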

Ozzy
15th April 2005, 09:40
Likewise I use PHP a lot and so long as good practice is adhered to there aren't any real problems.