From: Jonathan McKeown
Organization: Rhodes University
To: freebsd-questions@freebsd.org
Date: Thu, 9 Dec 2010 08:54:45 +0200
Subject: Re: Shopping cart other than OSCommerce?
In-Reply-To: <4D000FBA.8040908@daleco.biz>
References: <3374599093-437630056@intranet.com.mx> <2BE7EA7A-8604-4D21-801C-309447CD54F9@mac.com> <4D000FBA.8040908@daleco.biz>
On Thursday 09 December 2010 01:07:38 Kevin Kinsey wrote:
> Chuck Swiger wrote:
> > You don't magically get immunity from SQL injection by using
> > JDBC or EOF or whatever, but using bound variables in queries rather
> > than feeding user input into raw SQL, or invoking stored procedures
> > or user-defined functions instead will mitigate one of the more
> > common security problems.
>
> And these practices are "Good Practice" in any language, including
> PHP. I think a big part of PHP's problem was [... documentation]

I don't think it was just documentation. Perl, for example, comes with a
standard way to access databases, DBI, which has good practices like
binding variables in queries, escaping of input and output and so on,
baked in. PHP comes with built-in functions for accessing MySQL databases,
which do nothing at all to help the programmer make sensible decisions
and follow best practice.

There are database abstraction modules for PHP as far as I know, but if
someone decides not to use them, is it still as hard as it was to do
things safely using the built-in mysql_* functions?

Jonathan
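The distinction drawn in the message above (interpolating user input into SQL text versus binding it as a parameter, with escaping as the middle ground) is shown below in an added example that is not part of the thread and not code from PHP, Perl DBI or OSCommerce. It uses Python's DB-API with an in-memory SQLite table as a stand-in for PHP's mysql_* calls and for DBI/PDO placeholders, so it runs offline; the users table, its rows and the injection payload are constructed for the demo.

```python
"""Three ways to build the same login query, and what one payload does to each.

Added example, not from the mailing-list thread. sqlite3 stands in for
MySQL; the table, rows and payload below are constructed for the demo.
"""
import sqlite3

# Constructed sample data (assumption: a users table with a plaintext
# password column, as old PHP shopping carts commonly had).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Classic tautology payload; the leading quote closes the attacker's
# string literal and the rest rewrites the WHERE clause.
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_unsafe(conn, name, password):
    # The mysql_query("... '" . $_POST['name'] . "' ...") pattern: input is
    # spliced into the SQL text, so quotes in the input change the
    # statement's structure.
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_escaped(conn, name, password):
    # mysql_real_escape_string-style defence: double every single quote so
    # the input stays inside its literal. Stops this payload, but it is a
    # per-call discipline the programmer must never forget, and it only
    # works for quoted string contexts (not numeric columns, LIMIT, ORDER BY).
    esc = lambda s: s.replace("'", "''")
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (esc(name), esc(password)))
    return [row[0] for row in conn.execute(sql)]


def login_bound(conn, name, password):
    # Placeholders, as DBI's ? and PDO::prepare give you: the SQL text is
    # fixed and the values travel separately, so input is never parsed as
    # SQL regardless of what characters it contains.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo() -> dict:
    conn = make_db()
    return {
        "legit_unsafe": login_unsafe(conn, "alice", "s3cret"),
        "legit_escaped": login_escaped(conn, "alice", "s3cret"),
        "legit_bound": login_bound(conn, "alice", "s3cret"),
        "attack_unsafe": login_unsafe(conn, "nobody", PAYLOAD),
        "attack_escaped": login_escaped(conn, "nobody", PAYLOAD),
        "attack_bound": login_bound(conn, "nobody", PAYLOAD),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:15s} -> {rows}")
```

With the payload as the password, the interpolated query becomes `... AND password = '' OR '1'='1'`; AND binds tighter than OR, so every row matches and the attacker is "logged in" as everyone. The escaped and bound versions return no rows. The point of Jonathan's comparison is that the bound form is the default shape of the API in DBI (and later PDO/mysqli), whereas with mysql_* the escaping call is something each programmer has to remember on every query.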