On 05/28/2014 08:06 AM, Stuart Jansen wrote:
> That's not entirely true. The risk is much higher when you're using an API created by people who think functions like addslashes() are a good idea.
I think that originally, PHP tried to take the minimalist approach as a language, and just create the functions needed for others to create libraries around. The reality is that a lot of bad libraries were created (many companies wrote their own), until they changed direction and started providing more full-featured APIs like PDO and MySQLi.
As a database and web security guy, I think the current direction is definitely a better course. I agree that a lot of the current PHP-hatred could have been avoided by making that decision much earlier, and I wish they would have.
However, the original intent was to basically provide wrappers for C functions. The real problem was that it was so easy to use that people who weren't trained C programmers were using it, and they didn't have the knowledge or experience to use it correctly. I don't think that necessarily makes them idiots for including addslashes(), just stubborn.
If you're going to bash a decision regarding slashes in PHP, it's much easier to bash magic quotes. I think that was an attempt to maintain the simple C-wrapper style of PHP, while protecting the idiots who were using it, but it just made things worse.
Steve
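To make the contrast in the thread concrete, here is an added example (not code from the list or from either poster) showing the addslashes() style of query building beside the PDO and MySQLi prepared-statement style; the `users` table, its columns and the connection details are assumptions for illustration.

```php
<?php
// Added example: string escaping versus prepared statements in PHP.
// Table "users" and its columns are assumed for illustration only.

// Fragile: addslashes() is a generic backslash-escaper, not a SQL escaper.
// It knows nothing about the connection's character set or the driver's
// quoting rules, so correctness depends on every call site getting it right.
function findUserWithAddslashes(mysqli $db, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '"
         . addslashes($username) . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Preferred: a prepared statement sends the SQL text and the data separately,
// so the value is never parsed as SQL regardless of what it contains.
function findUserWithPdo(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The same query with MySQLi, the other API the thread mentions.
function findUserWithMysqli(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

// Usage (connection details are placeholders). Turning off emulated prepares
// makes PDO send real server-side prepared statements to MySQL.
// $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass',
//                [PDO::ATTR_EMULATE_PREPARES => false]);
// var_dump(findUserWithPdo($pdo, "O'Brien"));
```

Declaring the connection charset in the DSN matters as well: the escaping path in the first function has no way to know it, while the bound-parameter path does not need to.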