Python or PHP?

John Bokma postmaster at castleamber.com
Sat Apr 23 18:04:48 EDT 2005


Leif K-Brooks wrote:

> Mage wrote:
>> However one of the worst cases is the sql injection attack. And sql
>> injections must be handled neither by php nor by python but by the
>> programmer.
> 
> But Python's DB-API (the standard way to connect to an SQL database
> from Python) makes escaping SQL strings automatic. You can do this:
> 
> cursor.execute('UPDATE foo SET bar=%s WHERE id=%s', ["foo'bar", 123])
> 
> And "foo'bar" will be implicitly escaped to whatever is appropriate
> for your database. How's that for Python handling SQL injection
> automatically?

Not. Perl and Java use similar methods where one can specify placeholders, 
and pass on the data unescaped. But still injection is possible. Moreover, 
a programmer still has to check if the values are acceptable or not.

AFAIK PHP is not able to do this, but goes to great length to "protect" 
newbie programmers, and hence gives them a false feeling of security. 
Defensive programming or a defensive programming language is wrong.

-- 
John                               MexIT: http://johnbokma.com/mexit/
                           personal page:       http://johnbokma.com/
        Experienced programmer available:     http://castleamber.com/
            Happy Customers: http://castleamber.com/testimonials.html
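The two positions in this exchange, placeholders in the quoted post and the reply's insistence that the programmer still validates, can be shown side by side. The following is an added example, not code from the thread or from either poster. It assumes Python's standard `sqlite3` module, whose DB-API paramstyle is `qmark` (so `?` stands where the quoted post writes `%s`), and a constructed in-memory table `foo(id, bar)` matching the quoted statement; the `ALLOWED_COLUMNS` allowlist and the helper names are the example's own.

```python
import sqlite3

# Identifiers (table and column names) cannot be passed as placeholder
# parameters, so they must be checked by the programmer. Constructed allowlist.
ALLOWED_COLUMNS = {"bar"}


def make_db():
    """Constructed in-memory table for the demo (an assumption, not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER PRIMARY KEY, bar TEXT)")
    conn.executemany("INSERT INTO foo (id, bar) VALUES (?, ?)",
                     [(123, "old"), (124, "other")])
    conn.commit()
    return conn


def update_with_placeholders(conn, value, row_id):
    """The approach the quoted post describes: the driver receives the values
    separately from the SQL text, so a quote in the data stays data."""
    cur = conn.execute("UPDATE foo SET bar=? WHERE id=?", (value, row_id))
    conn.commit()
    return cur.rowcount


def update_with_string_formatting(conn, value, row_id):
    """The pattern placeholders replace, kept only for contrast: the value is
    pasted into the SQL text, so a quote in the data changes the statement."""
    sql = "UPDATE foo SET bar='%s' WHERE id=%s" % (value, row_id)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_column(conn, column, value, row_id):
    """The reply's point: placeholders cover values, not identifiers, and not
    whether a value is acceptable. The column name is checked against an
    allowlist before it is spliced into the statement; the id is range-checked."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError("column not permitted: %r" % column)
    if not isinstance(row_id, int) or row_id <= 0:
        raise ValueError("id must be a positive integer")
    cur = conn.execute("UPDATE foo SET %s=? WHERE id=?" % column, (value, row_id))
    conn.commit()
    return cur.rowcount


def read_bar(conn, row_id):
    """Fetch the stored text for a row, or None if the row does not exist."""
    row = conn.execute("SELECT bar FROM foo WHERE id=?", (row_id,)).fetchone()
    return row[0] if row else None


def formatting_breaks_on_quote(conn):
    """True when the string-formatted update fails on "foo'bar", the value
    from the quoted post, which the placeholder version stores intact."""
    try:
        update_with_string_formatting(conn, "foo'bar", 123)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    print("placeholder rows updated:", update_with_placeholders(conn, "foo'bar", 123))
    print("stored value:", read_bar(conn, 123))
    print("formatting fails on the quoted value:", formatting_breaks_on_quote(conn))
    print("allowlisted column update:", update_column(conn, "bar", "x", 124))
```

Running it shows the placeholder version storing `foo'bar` verbatim while the formatted version fails on the same input, and `update_column` refusing any column name that is not on the allowlist before the identifier ever reaches the statement.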
