Python or PHP?
John Bokma
postmaster at castleamber.com
Sat Apr 23 22:51:59 EDT 2005
Leif K-Brooks wrote:
> Peter Ammon wrote:
>> I'm bewildered why you haven't mentioned magic quotes. A one line
>> change to the configuration file can render your PHP site almost
>> entirely immune to SQL injection attacks.
>
> PHP's magic quotes is one of the most poorly-designed features I can
> think of. Instead of magically escaping only strings which will actually
> be passed to a database (like Python's DB-API does), it escapes every
> string that comes from the user, meaning that strings which will be sent
> back to the user have to be manually unescaped.
Yup, I recently downloaded a script that required grc_magic_quotes (IIRC
the name) to be *off*.
I looked it up, and one has to do such a thing in the ini (!!!) file.
> Even worse, since it can be turned on and off, code which is designed
> for a magic_quotes=on environment will become seriously vulnerable when
> moved to an environment with magic_quotes on. Security-related features
> should never be toggleable!
Amen.
And quite some people who nowadays install PHP scripts are the same ones
who reply to questions like "My messenger program doesn't work" with "Did
you disable the firewall?".
--
John MexIT: http://johnbokma.com/mexit/
personal page: http://johnbokma.com/
Experienced programmer available: http://castleamber.com/
Happy Customers: http://castleamber.com/testimonials.html
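The contrast Leif draws above, between escaping every incoming string on arrival and letting the database driver quote only what it actually sends to the database, as an added Python example that is not part of the original thread (the addslashes helper here approximates magic_quotes_gpc, and the sample name is constructed):

```python
import sqlite3

# Constructed sample input: a legitimate surname containing a quote character.
SAMPLE_NAME = "O'Reilly"

def addslashes(s: str) -> str:
    """Approximates PHP's magic_quotes_gpc: escape quotes and backslashes in every input string."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def magic_quotes_echo(user_input: str) -> str:
    """Magic-quotes style: input is escaped on arrival, so echoing it back to the
    user without a manual stripslashes() shows the escape characters."""
    return addslashes(user_input)

def _fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    return conn

def dbapi_roundtrip(user_input: str) -> str:
    """DB-API style: the raw string is bound as a parameter; the driver quotes it
    only on the way to the database, so it comes back unchanged."""
    conn = _fresh_db()
    conn.execute("INSERT INTO users (name) VALUES (?)", (user_input,))
    name = conn.execute("SELECT name FROM users").fetchone()[0]
    conn.close()
    return name

def naive_lookup_ok(user_input: str) -> bool:
    """Concatenating raw input into SQL: a single quote in a name breaks the statement."""
    conn = _fresh_db()
    conn.execute("INSERT INTO users (name) VALUES (?)", (user_input,))
    try:
        conn.execute("SELECT name FROM users WHERE name = '" + user_input + "'")
        return True
    except sqlite3.OperationalError:
        return False
    finally:
        conn.close()

def param_lookup_ok(user_input: str) -> bool:
    """Same lookup with a bound parameter: the quote is data, not SQL."""
    conn = _fresh_db()
    conn.execute("INSERT INTO users (name) VALUES (?)", (user_input,))
    row = conn.execute("SELECT name FROM users WHERE name = ?", (user_input,)).fetchone()
    conn.close()
    return row is not None and row[0] == user_input

if __name__ == "__main__":
    print("magic quotes echo:", magic_quotes_echo(SAMPLE_NAME))  # O\'Reilly
    print("DB-API round trip:", dbapi_roundtrip(SAMPLE_NAME))    # O'Reilly
    print("naive lookup works:", naive_lookup_ok(SAMPLE_NAME))   # False
    print("param lookup works:", param_lookup_ok(SAMPLE_NAME))   # True
```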