Python or PHP?

[Jeremy Bowers]

On Sat, 23 Apr 2005 20:13:24 +0200, Mage wrote:
> Avoid them is easy with set_type($value,"integer") for integer values and
> correct escaping for strings.

"Avoiding buffer overflows in C is easy, as long as you check the buffers
each time."

The *existence* of a technique to avoid problems is not in question. The
problem is when the language makes it easier to *not* do the checks than
to do the checks. Any look at the real world shows that that pattern
causes trouble, and that clearly, the mere *existence* of a way to not get
in trouble is not sufficient in the general case.

Despite the fact that all you have to do to avoid cutting your finger off
with a saw is not stick your finger in the saw, most people, even
carpentry professionals, are going to want to use finger-guards and other
safety equipment. A programmer turning down such security protection
(without another good reason, which does happen), is being like the guy
too macho to use the finger guard; stupidity induced by arrogance, not
some one no longer using training wheels. Using PHP and futzing with SQL
directly is probably not a good enough reason, as surely PHP has safer
libraries available. (If not, my opinion of PHP goes down another notch.)

Data binding with something like SQLObject makes it *easier* to be secure
than insecure; barring an out-and-out bug in SQLObject (given the nature
of the requisite bug, it is extremely unlikely to have survived this
long), a programmer must go *way* out of their way to introduce the SQL
injection attacks that so plague PHP projects.