When a server is misconfigured and the system administrator didn’t do his job correctly, there is no reason to blame PHP. This is not a defense of the PHP scripting language, but a matter of being realistic and giving to Caesar what belongs to Caesar!
The mod_php problem is well known to system admins, and if you deal with high-traffic websites, it is something very common to face and to resolve. Personally, during my 7-8 years of experience with PHP, I never faced such problems, even with very high traffic of one million unique visitors a day and more!
Nik Cubrilovic, who posted the news on TechCrunch, also posted tips on his blog to prevent “PHP Leakage”. The easiest way is to use mod_security to filter output and prevent any leakage, which I find the most efficient way. Whether code lives outside or inside the webroot doesn’t matter much. I’d rather recommend using PEAR if you want your script to stay out of the webroot, the classes at least. I’m curious to hear other experts’ opinions on the subject, especially since it’s the case of a very popular website such as Facebook.
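
The mod_security output filtering mentioned above could look like the following. This is an added example, not configuration from the original post or from Nik Cubrilovic's tips. It assumes ModSecurity 2.x loaded into Apache as `security2_module`; the rule id, body limit and MIME type list are constructed values to adapt locally.

```apache
# Added example: ModSecurity 2.x output filter that blocks responses
# containing raw PHP open tags, i.e. source served without being executed.
<IfModule security2_module>
    SecRuleEngine On

    # Response bodies are not inspected by default; turn buffering on.
    SecResponseBodyAccess On

    # Inspect the content types an unparsed .php file is likely to be
    # served as when the PHP handler is not applied (assumed list).
    SecResponseBodyMimeType text/plain text/html application/x-httpd-php

    # Cap the buffered body (512 KB, constructed value) and inspect the
    # part that fits instead of rejecting larger responses outright.
    SecResponseBodyLimit 524288
    SecResponseBodyLimitAction ProcessPartial

    # Phase 4 runs on the response body. "<?php" or "<?=" reaching the
    # client means the interpreter did not run; "<?xml" is not matched.
    # id 1000001 is a constructed local rule id.
    SecRule RESPONSE_BODY "@rx <\?(?:php|=)" \
        "id:1000001,phase:4,t:none,deny,status:500,log,\
        msg:'PHP source code leakage in response body'"
</IfModule>
```

Pages that legitimately display PHP snippets without HTML-escaping them will also match, so run the rule in detection-only mode first and review the audit log before enforcing it.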