From owner-freebsd-questions@FreeBSD.ORG Fri Jul 4 02:20:23 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 138DF37B401 for ; Fri, 4 Jul 2003 02:20:23 -0700 (PDT)
Received: from juice.thebigchoice.com (pc1-nott2-3-cust18.nott.cable.ntl.com [80.4.204.18]) by mx1.FreeBSD.org (Postfix) with SMTP id 23C5F43FF7 for ; Fri, 4 Jul 2003 02:20:21 -0700 (PDT) (envelope-from matt@proweb.co.uk)
Received: (qmail 69998 invoked from network); 4 Jul 2003 09:20:21 -0000
Received: from unknown (HELO proweb.co.uk) (192.168.1.100) by juice.thebigchoice.com with SMTP; 4 Jul 2003 09:20:21 -0000
Message-ID: <3F0546D5.1020106@proweb.co.uk>
Date: Fri, 04 Jul 2003 10:20:21 +0100
From: matt
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.3) Gecko/20030425
X-Accept-Language: en, en-us
MIME-Version: 1.0
References: <20030702201929.79497.qmail@web12604.mail.yahoo.com> <07e301c340ec$1159e770$1b41d5cc@nitanjared> <3F03FB8A.9080700@thebigchoice.com> <200307041026.47024.jrhoden@unimelb.edu.au> <20030704072303.GA69059@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20030704072303.GA69059@happy-idiot-talk.infracaninophile.co.uk>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: questions@freebsd.org
Subject: Re: Which server-side programming should i choose.
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 04 Jul 2003 09:20:23 -0000

Matthew Seaman wrote:
>On Fri, Jul 04, 2003 at 10:26:47AM +1000, JacobRhoden wrote:
>
>>Even though this is getting waaay off topic...
>>
>> On Thu, 3 Jul 2003 07:46 pm, Matt Heath wrote:
>> > Ever seen something like this :
>> > $r = mysql_execute("select * from table_1 where id=$_GET[id];");
>>
>>Actually people do do the same thing in perl and you know it :P Both perl and
>>php support calling sql with parameters using ? to insert variables. If
>>someone does not know what language to use at all, I would suggest php simply
>>because it's a good, quick, easy language to get started in without too much
>>difficulty. (In lots of ways including not needing to understand cgi
>>variables, and what the heck Content-type: text/html\n\n is, or learning how
>>to include perl libraries to do all that stuff for you!)
>>
>
>You're missing the point. $_GET[id] is one of the arguments used when
>calling the PHP and as such is completely under the control of an
>external user.
>
Exactly, Perl has the "tainted" construct for this and will refuse certain
operations with tainted data. But my challenge was Kevin Kinsey's assertion:

> [PHP is] likely to be more secure than Perl if used as Apache module than CGI.

and I want to know why?
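The three things the thread argues about, shown side by side as an added example (this is not code from the thread, and it is in Python with SQLite rather than PHP or Perl so that the mechanism, not the language, is the point): the string-interpolated query Matt Heath quoted, the `?`-placeholder form Jacob Rhoden refers to, and an explicit untainting step of the kind Perl's `-T` mode forces you to write before tainted data may reach the database. The `table_1` contents are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed stand-in for the thread's "table_1"; in the real application
# these rows would come from whatever the site stores.
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table_1 (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO table_1 VALUES (?, ?)", ROWS)
    return conn


def lookup_interpolated(conn, user_id):
    """The pattern quoted in the thread: the request value (the equivalent
    of $_GET[id]) is pasted straight into the SQL text, so whatever the
    client sends is parsed as SQL."""
    sql = "select * from table_1 where id=%s;" % user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Placeholder binding: the value travels to the engine as data and is
    compared against the column, never parsed as SQL.  An injection string
    simply matches no row."""
    return conn.execute("select * from table_1 where id=?", (user_id,)).fetchall()


def untaint_id(user_id):
    """Perl-taint-style untainting: accept only a plain decimal integer and
    return it as an int, or None if the value is anything else.  This is
    what Perl's -T mode obliges you to do (via a regex capture) before a
    request value may be used in a system or database operation."""
    m = re.fullmatch(r"[0-9]+", user_id)
    if m is None:
        return None
    return int(m.group(0))


if __name__ == "__main__":
    db = make_db()
    attacker = "1 OR 1=1"            # constructed hostile value for ?id=
    print("interpolated:", lookup_interpolated(db, attacker))    # every row
    print("parameterized:", lookup_parameterized(db, attacker))  # no rows
    print("untainted:", untaint_id(attacker), untaint_id("2"))   # None 2
```

Note that `lookup_parameterized` is safe even without `untaint_id`; the untainting step is about enforcing the policy at the boundary (and giving the request a clean 4xx instead of an empty result) rather than a substitute for binding. Perl's taint mode makes the omission of that step a hard failure; PHP gives you the placeholder API but nothing stops you from ignoring it.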