Date: Thu, 9 Dec 2010 08:54:45 +0200
From: Jonathan McKeown <j.mckeown@ru.ac.za>
To: freebsd-questions@freebsd.org
Subject: Re: Shopping cart other than OSCommerce?
Message-ID: <201012090854.46025.j.mckeown@ru.ac.za>
In-Reply-To: <4D000FBA.8040908@daleco.biz>
References: <3374599093-437630056@intranet.com.mx> <2BE7EA7A-8604-4D21-801C-309447CD54F9@mac.com> <4D000FBA.8040908@daleco.biz>
On Thursday 09 December 2010 01:07:38 Kevin Kinsey wrote:
> Chuck Swiger wrote:
> > You don't magically get immunity from SQL injection by using
> > JDBC or EOF or whatever, but using bound variables in queries rather
> > than feeding user input into raw SQL, or invoking stored procedures
> > or user-defined functions instead will mitigate one of the more
> > common security problems.
>
> And these practices are "Good Practice" in any language, including
> PHP. I think a big part of PHP's problem was [... documentation]

I don't think it was just documentation. Perl, for example, comes with a standard way to access databases, DBI, which has good practices like binding variables in queries, escaping of input and output and so on, baked in. PHP comes with builtin functions for accessing MySQL databases, which do nothing at all to help the programmer make sensible decisions and follow best practice.

There are database abstraction modules for PHP as far as I know, but if someone decides not to use them, is it still as hard as it was to do things safely using the builtin mysql_* functions?

Jonathan
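The difference Chuck and Jonathan are describing, shown as an added example that is not part of this thread. It is written in Python against the standard-library sqlite3 module rather than PHP's mysql_* functions so that it runs offline; the first login function assembles the query by string interpolation, exactly as mysql_query("... WHERE name = '$user' ...") would, while the second binds the values as parameters the way DBI or a prepared statement does. The table, the two user records and the attacker inputs are constructed for the example.

```python
import sqlite3


def setup_db():
    """Build an in-memory database with two constructed user records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_raw(conn, username, password):
    """VULNERABLE: user input is spliced into the SQL text.

    This is the shape of the classic PHP mysql_query() call with
    interpolated variables. A quote in the input ends the string
    literal and the rest of the input becomes SQL.
    """
    sql = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s' "
        "ORDER BY id" % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_bound(conn, username, password):
    """SAFE: the query text is fixed; values travel as bound parameters.

    The database never parses the values as SQL, so a quote or a
    comment marker in the input is just data to compare against.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run both versions against a legitimate login and two injection
    payloads and return the results for inspection."""
    conn = setup_db()
    payloads = {
        "legit": ("alice", "s3cret"),
        # closes the quoted name and comments out the password check
        "bypass_password": ("alice' --", "wrong"),
        # makes the WHERE clause always true, dumping every user
        "dump_all": ("' OR 1=1 --", "x"),
    }
    return {
        label: {"raw": login_raw(conn, u, p), "bound": login_bound(conn, u, p)}
        for label, (u, p) in payloads.items()
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Running it shows the raw version returning "alice" for a wrong password and both users for the `OR 1=1` payload, while the bound version returns nothing for either payload and only matches the genuine credentials. Escaping the input (mysql_real_escape_string in PHP) can close the same hole, but it has to be remembered at every call site; binding moves the responsibility into the database API, which is the point Jonathan makes about DBI.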