Hi,

On Sat, Oct 10, 2009 at 10:46 AM, Noufal Ibrahim <nou...@gmail.com> wrote:
> 0 day Django exploit in the wild -
> http://news.ycombinator.com/item?id=872533
> http://www.djangoproject.com/weblog/2009/oct/09/security/
>
> Fixed rather quickly but found rather late. One of the reasons is
> probably because of the comparatively smaller user base. If Django had
> the same number of users as Drupal, I expect a lot more to be visible.
>
> Also, I don't think that merely *using* PHP means that your site is
> less secure. That's a tad too simplistic for my tastes. And I'm also
> willing to bet that if I did have to use PHP, using something like
> Drupal would be a lot more secure than deploying a home brew CMS.
>

Not exactly. There is some truth in saying that PHP is a less secure language overall when compared to Python. The reasons go back to the design itself. PHP was designed from the ground up as a language for the web, which means web development features are built directly into the core language, as opposed to Python, where these are provided by add-on modules. It does not take a lot of effort to connect the security issues of PHP with this fact. This is what makes PHP powerful as well as vulnerable.

For example, this is a very common way of doing a select using PHP:

    $query = "SELECT * FROM products WHERE name='$productname'";
    mysql_query($query);

Only that this kind of SQL is very vulnerable to SQL injection attacks, because $productname can be replaced with malicious SQL code from outside. The correct way to do this would be:

    $query = sprintf("SELECT * FROM products WHERE name='%s'",
                     mysql_real_escape_string($productname));
    mysql_query($query);

However, in Python, due to some features like multiline strings and templating using a dictionary, this kind of issue is more easily avoided.
Example:

    query = """SELECT * from Products WHERE name=%s AND timestamp>=%s"""
    cursor.execute(query % ('burger', '2009-09-10 12:00:00'))

It is not easy to use SQL injection against code like the above, so the default Python string templating is a bit more secure than the one provided by PHP. You don't need to go through the pain of mysql_escape_string to escape the SQL params, which is the solution offered in the PHP world.

This is just one example. Basically it is a fact that the clean, minimal syntax of Python, with no "hackish" features, does make it a more secure language, if not intentionally then accidentally.

Anyway, it is good news for Python developers.

> There was a time when I used to maintain my entire website on my local
> machine as a bunch of text files using Muse for Emacs. Make edits as I
> wanted and then 'publish' the site. Not exactly cutting edge tech. and
> not very flexible but I'm guessing that static HTML pages have better
> security records than Django and Drupal. :)
>
> --
> ~noufal
> http://nibrahim.net.in
> _______________________________________________
> BangPypers mailing list
> BangPypers@python.org
> http://mail.python.org/mailman/listinfo/bangpypers

--
--Anand
_______________________________________________
BangPypers mailing list
BangPypers@python.org
http://mail.python.org/mailman/listinfo/bangpypers
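An added example, not part of the thread, that runs both query styles from the message against a small in-memory database: Python's `%` operator pastes the values into the SQL text before the driver sees it (exactly like PHP's string interpolation), whereas DB-API parameter binding via `cursor.execute(query, params)` sends the SQL and the values separately. The `%s` placeholders in the message are MySQLdb's DB-API paramstyle, which is what `cursor.execute(query, params)` expects; the example uses the standard-library `sqlite3` driver, whose paramstyle is `?`, and the table rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows; the second name contains an apostrophe on purpose.
PRODUCTS = [
    ("burger", "2009-09-10 12:00:00"),
    ("O'Reilly cookbook", "2009-09-11 09:30:00"),
]

# The query from the message, with quotes around the placeholders as in the PHP version.
INTERPOLATED = "SELECT * FROM Products WHERE name='%s' AND timestamp>='%s'"
# sqlite3's DB-API paramstyle is qmark; MySQLdb spells the same placeholders as %s.
BOUND = "SELECT * FROM Products WHERE name=? AND timestamp>=?"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (name TEXT, timestamp TEXT)")
    conn.executemany("INSERT INTO Products VALUES (?, ?)", PRODUCTS)
    return conn


def interpolated_sql(name, since):
    # Python's % operator runs before the database sees anything: the values
    # become part of the SQL text, apostrophes and all.
    return INTERPOLATED % (name, since)


def find_interpolated(conn, name, since):
    return conn.execute(interpolated_sql(name, since)).fetchall()


def find_bound(conn, name, since):
    # The driver sends the SQL and the tuple separately; the values are never
    # parsed as SQL, so a quote inside a name is just data.
    return conn.execute(BOUND, (name, since)).fetchall()


def rows_or_error(finder, name, since):
    """Run a finder on a fresh database; return its rows, or the exception name."""
    try:
        return finder(make_db(), name, since)
    except sqlite3.Error as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for name in ("burger", "O'Reilly cookbook"):
        print(repr(name))
        print("  interpolated:", rows_or_error(find_interpolated, name, "2009-01-01"))
        print("  bound:       ", rows_or_error(find_bound, name, "2009-01-01"))
```

The interpolated query works for `burger` but breaks on a legitimate name containing a quote, which is the same mechanism that lets untrusted input change the statement; the bound query returns the row in both cases.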