Hi, Ted,

That was me.  No offense meant... in fact, I was complaining about Ruby at
the time :).  In PHP, the session data you save off is identical to what you
get back.  This is not so in Ruby.

Part of the 'problem' is Ruby's tainting mechanism.  PHP doesn't have a
tainting mechanism (or didn't last time I checked:
http://www.phparchiv.de/buecher/professionalphp/29632007.htm says the same).
So, while this tainting mechanism gets in the way sometimes, I have found
that it usually gets in my way when I need it to:  when something insecure
is happening.  All in all, I certainly choose it over the PHP way of just
not having tainting at all.

I'm no expert on this, though, so take my opinion for what it's worth!

Incidentally, PHP has had some pretty bad security problems in the past
(that whole "make posted values into global variables" thing, for
instance... trace_vars, was it called?), and while it seems to be playing
catchup admirably, Ruby has been solid from the beginning (as far as I
know).

Having recently switched from PHP to Ruby (running in mod_ruby), I couldn't
be happier!  Tainting *alone* is worth the switch, IMHO.  The only real
problem in Ruby that I never had to worry about was my session data not
coming back the way I left it.  Irritating, yes, but not that hard to work
around.

Dissenting opinions welcome,

Chris
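To make the tainting idea concrete, here is an added example (not Chris's code, and not Ruby's own implementation). Ruby's built-in `Object#taint` / `#tainted?` was deprecated in Ruby 2.7 and removed in 3.2, so the example models the same concept with a small `Tainted` wrapper: anything read from a request is marked untrusted, taint propagates through string concatenation, and a sensitive sink (here a session-store lookup, echoing the session discussion above) refuses untrusted data until an explicit validation step clears the mark. The `SESSION_STORE` hash, the `handle_request` helper and the session-id format are constructed for the demonstration.

```ruby
# Added example: a minimal re-implementation of the idea behind Ruby's
# (now removed) taint mechanism. Untrusted data is wrapped, the wrapper
# propagates through derived strings, and sinks reject it unless a
# validation step has explicitly produced a plain, trusted String.

class TaintError < StandardError; end

class Tainted
  attr_reader :value

  def initialize(value)
    @value = value.to_s
  end

  # Taint propagates: anything built from untrusted data is still untrusted.
  def +(other)
    rhs = other.is_a?(Tainted) ? other.value : other.to_s
    Tainted.new(@value + rhs)
  end
end

# Everything that arrives from the client (cookies, params) is wrapped.
def from_request(raw)
  Tainted.new(raw)
end

# The only way to turn a tainted session id into trusted data: check it
# against a strict format (constructed rule: 6-64 lowercase alphanumerics).
# Returns a plain String on success, nil when the input is rejected.
def validate_session_id(tainted)
  raise ArgumentError, "expected Tainted input" unless tainted.is_a?(Tainted)
  s = tainted.value
  s.match?(/\A[a-z0-9]{6,64}\z/) ? s.dup : nil
end

# Constructed sample session store (stands in for a file- or DB-backed one).
SESSION_STORE = { "abc123" => { "user" => "chris" } }.freeze

# A sensitive sink: with tainting, forgetting the validation step fails
# loudly here instead of silently using attacker-controlled bytes as a key.
def load_session(sid)
  raise TaintError, "session id must be validated before use" if sid.is_a?(Tainted)
  SESSION_STORE.fetch(sid, nil)
end

# Request handler. `validate: false` simulates the bug tainting exists to
# catch: untrusted input flowing straight into the sink.
def handle_request(cookie_value, validate: true)
  sid = from_request(cookie_value)
  sid = validate_session_id(sid) if validate
  return nil if sid.nil?          # malformed id: no session, no lookup
  load_session(sid)
end

if __FILE__ == $PROGRAM_NAME
  p handle_request("abc123")                 # {"user"=>"chris"}
  p handle_request("../../etc/passwd")       # nil (rejected by validation)
  begin
    handle_request("abc123", validate: false)
  rescue TaintError => e
    puts "caught: #{e.message}"              # the forgotten check is caught
  end
end
```

The point the wrapper illustrates is the one Chris makes: the mechanism "gets in the way" exactly at the boundary where unvalidated input is about to reach something sensitive, and the fix is a deliberate validation step rather than a silent pass-through.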