> What other popular languages silently convert strings to floats and then do math or floating-point comparisons on them?
JavaScript. Most of the "issues" around comparisons/conversions/etc equally applies to JavaScript as it does to PHP.
But PHP does some very stupid casts but it's really just one problem. In the lists of "failures" tend to show that same problem 15 different ways to show how screwed up things are. If your code is well designed and secure you don't encounter these problems anyway.
> What other popular languages have literally hundreds of failing unit tests in their mainline implementation...
I'll give you that. Since that happened, the PHP developers have worked to ensure it won't happen in the future. No platform is free of particularly big security fails (Rails).
Yes, JavaScript has the same string comparison problems as PHP. And it gets a ton of criticism for it. JS doesn't have all these other problems, though.
For the unit tests, it looks like there are still 100 unexpected failures in the latest release:
Yes, no platform is free of security problems. But the way a security problem happens is as important as what the problem is. That PHP's unit tests are so noisy that important regressions can't even be noticed even when a test exists to catch them speaks extremely poorly of PHP compared to other languages.
I actually clicked on several of those failed tests and there doesn't seem to be anything critical there. Looks like some access problems (test setup) and at least one needed the test to be updated.
I'm not sure when these where run but it would be easy for someone went through all of them and give them a pass. A failed test doesn't necessarily mean that deployment should be held up. 700 failed tests is a different story.
> JS doesn't have all these other problems, though.
JavaScript has plenty of it's own problems. It has legacy things you should never do. PHP has different problems (not necessarily worse ones) and things you should never do. Lists of the horrors of PHP generally include all things you shouldn't ever do mixed together to make it look much worse than it really is.
I've seen similar lists made for JavaScript (you can get some really crazy results) but that doesn't mean shit for day to day use.
The fact that the tests would be easy to fix makes it worse, no better. The problem the tests and the security hole was not that the tests indicated severe problems, but that all these simple failing tests masked the presence of a new, serious failure. If your test output is filled with junk due to failing tests because of minor bugs, it makes it much harder to notice when your tests uncover a major regression.
> The fact that the tests would be easy to fix makes it worse, no better.
Somebody has to fix them; these things don't happen instantly.
Given the fact that they had hundreds of failed test cases and now they only a few is a significant improvement -- and this is while development has continued. They realized the problem just as you describe; there isn't much more to say about it except they're working to fix it.
JavaScript. Most of the "issues" around comparisons/conversions/etc equally applies to JavaScript as it does to PHP.
But PHP does some very stupid casts but it's really just one problem. In the lists of "failures" tend to show that same problem 15 different ways to show how screwed up things are. If your code is well designed and secure you don't encounter these problems anyway.
> What other popular languages have literally hundreds of failing unit tests in their mainline implementation...
I'll give you that. Since that happened, the PHP developers have worked to ensure it won't happen in the future. No platform is free of particularly big security fails (Rails).