Shopping cart other than OSCommerce?

Jonathan McKeown j.mckeown at
Thu Dec 9 06:54:49 UTC 2010

On Thursday 09 December 2010 01:07:38 Kevin Kinsey wrote:
> Chuck Swiger wrote:
> > You don't magically get immunity from SQL injection by using
> > JDBC or EOF or whatever, but using bound variables in queries rather
> > than feeding user input into raw SQL, or invoking stored procedures
> > or user-defined functions instead will mitigate one of the more
> >
>  > common security problems.
> And these practices are "Good Practice" in any language, including
> PHP.  I think a big part of PHP's problem was [... documentation]

I don't think it was just documentation. Perl, for example, comes with a 
standard way to access databases, DBI, which has good practices like binding 
variables in queries, escaping of input and output and so on, baked in.

PHP comes with builtin functions for accessing MySQL databases, which do 
nothing at all to help the programmer make sensible decisions and follow best 

There are database abstraction modules for PHP as far as I know, but if 
someone decides not to use them, is it still as hard as it was to do things 
safely using the builtin mysql_* functions?


More information about the freebsd-questions mailing list