[H-GEN] Server-side Aggregator
Michael Anthon
michael at anthon.net
Thu Feb 23 21:48:50 EST 2006
On 2/24/06, Stephen Thorne <stephen.thorne at gmail.com> wrote:
>
> The fundamental problem, as I see it, is the way php makes it very
> easy to do the wrong thing, while the right way is long-winded and not
> very obvious:

I don't necessarily disagree with this apart from the blaming PHP part.
It's really MySQL's fault in my mind. There wasn't even the concept of
binds in MySQL's API until 4.1.2 (I think). Mind you, PHP should have
implemented this as soon as it was available and I don't think it has been
implemented yet. As I said, you can write exactly the same problems into
your code in any number of other languages. It is not strictly a problem of
PHP's but a problem of the MySQL API. It's also quite possible to code the
same problems into systems using other database libraries as well, but the
better ones provide the means to avoid this very simply (I use Oracle...
Oracle's binds are great).

Any programmer that uses data supplied from untrusted sources without
performing some sort of validation/cleansing/escaping IN ANY LANGUAGE should
be taken out the back and shown the error of their ways.

Cheers,
Michael
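The point of the message above, that splicing untrusted input into SQL text is wrong in any language and that bind parameters are the simple fix, shown as an added example that is not part of the original post. It uses Python's sqlite3 module (a DB-API driver with `?` placeholders) rather than PHP and MySQL, since the author notes the problem is language-independent; the user table, its rows and the function names are constructed for this example.

```python
import sqlite3

# Constructed sample rows for the demo (not from the list post).
SAMPLE_USERS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """The 'easy' way the thread complains about: untrusted input is spliced
    into the SQL text. Deliberately vulnerable so the failure mode is visible."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn: sqlite3.Connection, name: str) -> list:
    """The bind-parameter way: the SQL text is fixed at development time and
    the value is handed to the driver separately, so it can only ever be data."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def concat_rejects_legit_input(conn: sqlite3.Connection, name: str) -> bool:
    """True if the concatenating version cannot even handle an honest value
    containing a quote (an Irish surname, say); the bound version has no such
    problem because the quote never reaches the SQL parser."""
    try:
        lookup_concat(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # a value that changes the meaning of the spliced query
    print("concat, honest input :", lookup_concat(db, "alice"))
    print("concat, crafted input:", lookup_concat(db, crafted))  # returns every row
    print("bound,  crafted input:", lookup_bound(db, crafted))   # matches nothing
    print("concat breaks on o'brien:", concat_rejects_legit_input(db, "o'brien"))
```

The last function is the part worth noticing for the "validation/cleansing/escaping" remark: hand-rolled escaping has to get every quoting rule of the target database right, and the concatenating version already falls over on a perfectly honest value with an apostrophe in it. With binding, the query text never changes, so there is nothing to escape and the same code handles both the honest and the hostile value correctly.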