Shopping cart other than OSCommerce?
Jonathan McKeown
j.mckeown at ru.ac.za
Thu Dec 9 06:54:49 UTC 2010
On Thursday 09 December 2010 01:07:38 Kevin Kinsey wrote:
> Chuck Swiger wrote:
> > You don't magically get immunity from SQL injection by using
> > JDBC or EOF or whatever, but using bound variables in queries rather
> > than feeding user input into raw SQL, or invoking stored procedures
> > or user-defined functions instead will mitigate one of the more
> > common security problems.
>
> And these practices are "Good Practice" in any language, including
> PHP. I think a big part of PHP's problem was [... documentation]
I don't think it was just documentation. Perl, for example, comes with a
standard way to access databases, DBI, which has good practices like binding
variables in queries, escaping of input and output and so on, baked in.
PHP comes with builtin functions for accessing MySQL databases, which do
nothing at all to help the programmer make sensible decisions and follow best
practice.
There are database abstraction modules for PHP as far as I know, but if
someone decides not to use them, is it still as hard as it was to do things
safely using the builtin mysql_* functions?
Jonathan
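As an added illustration of the contrast Jonathan draws (this is not code from the thread or from any of the posters), the following PHP puts the raw string-interpolation pattern that the builtin mysql_* functions encouraged next to a bound-parameter query using PDO. It assumes the pdo_sqlite extension so it can run offline against an in-memory database; the same PDO calls work unchanged against MySQL with a "mysql:" DSN. The table, rows and attacker input are constructed for the example.

```php
<?php
// Added example, not from the mailing-list post. Assumes pdo_sqlite is
// available so the script runs without a MySQL server.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample schema and rows.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)');
$db->exec("INSERT INTO users (name, pass) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// Constructed attacker input: closes the quoted literal and appends an
// always-true predicate (a tautology injection).
$userInput = "' OR '1'='1";

// UNSAFE: user input is pasted into the SQL text. This is the same shape
// as mysql_query("SELECT ... WHERE name='$_GET[name]'") from the old
// builtin API, where nothing stops the quote from ending the literal.
function unsafeLookup(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// SAFE: the SQL text is fixed at prepare time; the value is sent as a
// bound parameter and is never parsed as SQL, so quote characters in it
// are ordinary data. This is the "binding variables" practice DBI bakes in.
function safeLookup(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(unsafeLookup($db, $userInput));
var_dump(safeLookup($db, $userInput));
```

Run with the constructed payload, unsafeLookup() returns every user name because the WHERE clause has become `name = '' OR '1'='1'`, while safeLookup() returns an empty array because no row has the literal name `' OR '1'='1`. The point is not that PDO is magic (query() with interpolated input is just as exposed as mysql_query() was) but that a prepare/bind interface makes the safe form the obvious one to write.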