On Sat, 23 Apr 2005 20:13:24 +0200, Mage wrote:

> Avoiding them is easy with set_type($value,"integer") for integer values and
> correct escaping for strings.
"Avoiding buffer overflows in C is easy, as long as you check the buffers each time." The *existence* of a technique to avoid problems is not in question. The problem is when the language makes it easier to *not* do the checks than to do the checks. Any look at the real world shows that that pattern causes trouble, and that clearly, the mere *existence* of a way to not get in trouble is not sufficient in the general case.

Despite the fact that all you have to do to avoid cutting your finger off with a saw is not stick your finger in the saw, most people, even carpentry professionals, are going to want to use finger-guards and other safety equipment. A programmer turning down such security protection (without another good reason, which does happen) is being like the guy too macho to use the finger guard; stupidity induced by arrogance, not someone no longer using training wheels.

Using PHP and futzing with SQL directly is probably not a good enough reason, as surely PHP has safer libraries available. (If not, my opinion of PHP goes down another notch.)

Data binding with something like SQLObject makes it *easier* to be secure than insecure; barring an out-and-out bug in SQLObject (given the nature of the requisite bug, it is extremely unlikely to have survived this long), a programmer must go *way* out of their way to introduce the SQL injection attacks that so plague PHP projects.

-- 
http://mail.python.org/mailman/listinfo/python-list
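The contrast the post draws, as an added illustration that is not code from the thread (neither Mage's nor the reply author's, and using the standard-library sqlite3 module rather than SQLObject): one lookup built by string formatting, where safety depends on the programmer remembering the escaping step every time, beside the same lookup with a bound parameter, where the value is never parsed as SQL at all. The table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample data, not from the original thread.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, name):
    """The 'escape it yourself each time' style: the query text is assembled
    from the value, so correctness depends on nobody ever forgetting the
    escaping step. Here the step has been forgotten, which is the easy path
    the post complains about."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """Parameter binding: the SQL text is fixed and the value travels
    separately to the driver, so the database never interprets it as SQL.
    This is the property the post credits SQLObject-style binding with:
    the easy path and the safe path are the same path."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both lookups on the same input and return their results, so the
    difference between the two styles can be seen side by side."""
    conn = make_db()
    return lookup_concat(conn, name), lookup_bound(conn, name)
```

With an ordinary name both functions agree; with a value containing a quote and an OR clause the concatenated query returns every row while the bound query correctly returns none.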