> infinite number of websites built in PHP and never got hacked!
If I look at the logs of my webservers and scan for bots trying to exploit some vulnerability, I would guess that 80%+ of the URLs would indicate a PHP-based webapp. So, yeah, there are many that never got hacked but there are certainly a good amount of PHP apps that have some vulnerability. Should we blame all the developers who were "doing it wrong" or should we at least make sure that the language is not facilitating such shots-in-their-feet?
But php has been around on the web for a long time as well, so there are a lot of unpatched softwares out there like WordPress.
Probably near 99% of those compromised servers run on Linux, so by your logic, Linux is much more secure than windows servers, right?
You'd have to assume that there is an uniform distribution of vulnerabilities and exploits through the whole set of languages used for web development for that to hold. You are begging the question.
> 99% of those compromised servers run on Linux
If the exploits manage to give the attacker root access to the OS, then yes it would be the problem of the OS. But the attack is to get access to the application. So the issue is at the application, not at the OS. You can argue that this is not the fault of the language, though. However given that a whole lot of the PHP defenders here are using "it is the easiest one to deploy" argument, one has to wonder if a platform that makes it so easy to deploy apps should also be held up for the issue of insecure apps based on it.
