From owner-freebsd-questions@FreeBSD.ORG  Wed Dec  8 18:14:58 2010
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 418D41065670
	for <freebsd-questions@freebsd.org>;
	Wed,  8 Dec 2010 18:14:58 +0000 (UTC) (envelope-from cswiger@mac.com)
Received: from asmtpout030.mac.com (asmtpout030.mac.com [17.148.16.105])
	by mx1.freebsd.org (Postfix) with ESMTP id 266628FC16
	for <freebsd-questions@freebsd.org>;
	Wed,  8 Dec 2010 18:14:57 +0000 (UTC)
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; charset=us-ascii
Received: from cswiger1.apple.com ([17.209.4.71])
	by asmtp030.mac.com (Sun Java(tm) System Messaging Server 6.3-8.01
	(built Dec
	16 2008; 32bit)) with ESMTPSA id <0LD400IJ0G0XLN80@asmtp030.mac.com> for
	freebsd-questions@freebsd.org; Wed, 08 Dec 2010 10:14:57 -0800 (PST)
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0
	ipscore=0 suspectscore=0 phishscore=0 bulkscore=0 adultscore=0
	classifier=spam
	adjust=0 reason=mlx engine=6.0.2-1010190000 definitions=main-1012080109
X-Proofpoint-Virus-Version: vendor=fsecure
	engine=2.50.10432:5.2.15,1.0.148,0.0.0000
	definitions=2010-12-08_09:2010-12-08, 2010-12-08,
	1970-01-01 signatures=0
From: Chuck Swiger <cswiger@mac.com>
In-reply-to: <4CFF8A29.2030202@herveybayaustralia.com.au>
Date: Wed, 08 Dec 2010 10:14:56 -0800
Message-id: <2BE7EA7A-8604-4D21-801C-309447CD54F9@mac.com>
References: <3374599093-437630056@intranet.com.mx>
	<DB1524B8-BBC3-446C-A72A-59E981DD29B3@mac.com>
	<4CFED0D4.3090108@herveybayaustralia.com.au>
	<BFB6697B-9EB5-456B-8C10-481C8DF174AA@mac.com>
	<4CFF8A29.2030202@herveybayaustralia.com.au>
To: Da Rock <freebsd-questions@herveybayaustralia.com.au>
X-Mailer: Apple Mail (2.1082)
Cc: freebsd-questions@freebsd.org
Subject: Re: Shopping cart other than OSCommerce?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Dec 2010 18:14:58 -0000

On Dec 8, 2010, at 5:37 AM, Da Rock wrote:
> Thanks for the heads up. What language do you recommend then based on these security reports?

Well, I've been implementing online stores and content-management/publishing systems written in Java and Objective-C for quite a while, so I'm biased towards those.  If I were starting over from scratch today, Ruby or Python would probably enter into the picture for consideration.  (Of course, Python threading runs into the GIL issue limiting true concurrency, and the only Ruby implementation around which does better is JRuby, which is Ruby implemented on top of Java.)

You don't magically get immunity from SQL injection by using JDBC or EOF or whatever, but using bound variables in queries rather than feeding user input into raw SQL, or invoking stored procedures or user-defined functions instead will mitigate one of the more common security problems.

Regards,
-- 
-Chuck