Python or PHP?

Leif K-Brooks eurleif at ecritters.biz
Sat Apr 23 22:17:49 EDT 2005


Peter Ammon wrote:
> I'm bewildered why you haven't mentioned magic quotes.  A one line 
> change to the configuration file can render your PHP site almost 
> entirely immune to SQL injection attacks.

PHP's magic quotes is one of the most poorly-designed features I can 
think of. Instead of magically escaping only strings which will actually 
be passed to a database (like Python's DB-API does), it escapes every 
string that comes from the user, meaning that strings which will be sent 
back to the user have to be manually unescaped.

Even worse, since it can be turned on and off, code which is designed 
for a magic_quotes=on environment will become seriously vulnerable when 
moved to an environment with magic_quotes on. Security-related features 
should never be toggleable!
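The contrast drawn above, as an added example that is not code from this thread: a DB-API placeholder (Python's sqlite3 driver) binds the value as data with no escaping step, while a magic_quotes-style blanket escape of all input has to be undone before the string is shown to the user and even corrupts lookups that were already parameterized. The `addslashes`/`stripslashes` helpers are small stand-ins for the PHP functions involved, not PHP's own code.

```python
import sqlite3


def addslashes(s: str) -> str:
    """Stand-in for PHP's addslashes(), which magic_quotes applied to every input."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def stripslashes(s: str) -> str:
    """Stand-in for PHP's stripslashes(): the manual unescape needed before echoing input."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            i += 1  # drop the backslash, keep the character it protected
        out.append(s[i])
        i += 1
    return "".join(out)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one name that contains a single quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("O'Brien",), ("alice",)])
    return conn


def find_user(conn: sqlite3.Connection, name: str) -> list:
    # DB-API placeholder: the driver passes `name` as a bound value, so a quote
    # inside it never reaches the SQL parser and nothing has to be escaped.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows]


def greet_magic(raw_input: str) -> tuple:
    # magic_quotes-style handling: the value was escaped on arrival, so the
    # page must call stripslashes() or the user sees the backslashes.
    escaped = addslashes(raw_input)
    return f"Hello, {escaped}", f"Hello, {stripslashes(escaped)}"


if __name__ == "__main__":
    db = make_db()
    print(find_user(db, "O'Brien"))              # ["O'Brien"]
    print(find_user(db, addslashes("O'Brien")))  # [] : blanket escaping breaks a correct query
    print(greet_magic("O'Brien"))
```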


