I wouldn't call this an attack on PHP. It is a critique of a
philosophy. From the same article:
Q: Are you saying that sites built with open source tools like PHP
are more vulnerable to SQL injection attacks than sites built
with .Net?
A: It's a question of mentality. Microsoft's mindset is to fix
things in such a way that the user doesn't have so much control and
is therefore less vulnerable. The open source tools like PHP have a
different philosophy. They assume that users know what they are
doing and want to be free of constraints, so these tools let users
do what they want but at their own risk. The open source tools
assume that developers these days are aware of the threat of SQL
injection and will do the right thing.
It's about different approaches to the balance between ease-of-use
and flexibility.
The holy grail is a solution that provides both. Somewhere down the
line there has to be code that generates the SQL. The real challenge
is where that code goes. Does it happen inside a framework of some
kind that takes care of all the escaping in a tested and reliable
way, or do you generate the SQL higher up in your scripts, adding the
flexibility needed for complex joins and query optimization?
Ken Wrote:
Applying security in the database renders you structurally immune
from SQL injection.
Can you elaborate on this? I'm always intrigued by your DB-centric
slant.
-- Dell
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
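The trade-off Dell describes (SQL generated inside a framework that does the escaping versus SQL built "higher up" for flexibility) is easier to see in running code. The following is an added example, not code from the post or from any NYPHP project; it uses Python's sqlite3 module rather than PHP so it runs stand-alone, and the users table, the helper names and the injection payload are constructed for the demonstration. It shows the same lookup written by string concatenation, with a bound parameter, and as a dynamic query builder that keeps the flexibility of caller-chosen filters while still binding every value and allow-listing identifiers.

```python
"""Added example (not from the mailing-list post): one lookup written three
ways against an in-memory SQLite database, to show where the SQL-generating
code sits and what that means for SQL injection.

Python's sqlite3 module stands in for PHP so the example runs stand-alone.
"""
import sqlite3

# Constructed sample data for the demonstration.
USERS = [
    (1, "alice", "alice@example.org"),
    (2, "bob", "bob@example.org"),
    (3, "carol", "carol@example.org"),
]


def make_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def find_user_concat(conn, name):
    """SQL built 'higher up' by string concatenation: the untrusted value
    becomes part of the SQL text, so whoever supplies it controls the query."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_bound(conn, name):
    """The same query with a bound parameter: the driver passes the value
    separately from the SQL text, so it is never parsed as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


# Column names cannot be bound as parameters, so a dynamic builder has to
# allow-list them; values still go through placeholders.
ALLOWED_FILTER_COLUMNS = {"id", "name", "email"}


def find_users_dynamic(conn, filters):
    """Build a WHERE clause from {column: value} without giving up binding.

    Unknown column names raise ValueError instead of being spliced into
    the SQL; every value is a bound parameter.
    """
    clauses, params = [], []
    for column, value in filters.items():
        if column not in ALLOWED_FILTER_COLUMNS:
            raise ValueError("unknown filter column: %r" % column)
        clauses.append('"%s" = ?' % column)
        params.append(value)
    sql = "SELECT id, name FROM users"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return conn.execute(sql, params).fetchall()


# Classic payload: closes the string literal and appends a tautology.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("concat: ", find_user_concat(conn, PAYLOAD))    # every row leaks
    print("bound:  ", find_user_bound(conn, PAYLOAD))     # no such user
    print("dynamic:", find_users_dynamic(conn, {"name": "bob"}))
```

The point of the third function is that "flexibility" and "the framework handles escaping" are not mutually exclusive: the parts of a query that vary per call (values) are bound, and the parts that cannot be bound (identifiers) are constrained to a known set, so the escaping decision is still made in one tested place rather than at every call site.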