[BangPypers] [ANN][X-Post] SciPy India conference in Dec. 2009

Anand Balachandran Pillai abpillai at gmail.com
Sat Oct 10 09:01:20 CEST 2009 

Hi,

On Sat, Oct 10, 2009 at 10:46 AM, Noufal Ibrahim <noufal at gmail.com> wrote:

> 0 day Django exploit in the wild -
> http://news.ycombinator.com/item?id=872533
> http://www.djangoproject.com/weblog/2009/oct/09/security/
>
> Fixed rather quickly but found rather late. One of the reasons is
> probably because of the comparatively smaller user base. If Django had
> the same number of users as Drupal, I expect a lot more to be visible.
>
> Also, I don't think that merely *using* PHP means that your site is
> less secure. That's a tad too simplistic for my tastes. And I'm also
> willing to bet that if I did have to use PHP, using something like
> Drupal would be a lot more secure than deploying a home brew CMS.
>

  Not exactly. There is some truth in saying that PHP is a less secure
  language overall when compared to Python. The reasons are up from
  design itself. PHP was designed ground up as a language for the web
  which means web development features are built directly into the core
  language as opposed to Python where these are provided by add-on
  modules. It does not take a lot of effort to connect security issues of
  PHP with this fact. This is what makes PHP powerful as well as
  vulnerable.

   For example, this is a very common way of doing a select using PHP.

  $query = "SELECT * FROM products WHERE name=’$productname’";
   mysql_query <http://www.php.net/mysql_query>($query);

  Only that this kind of SQL is very vulnerable to SQL injection attacks
because
  $productname can be replaced with malicious SQL code from outside.

  The correct way to do this would be,

  $query = sprintf <http://www.php.net/sprintf>("SELECT * FROM products
WHERE name=’%s’",
   mysql_real_escape_string <http://www.php.net/mysql_real_escape_string>(
$productname));
   mysql_query <http://www.php.net/mysql_query>($query);

 However, in Python due to some features like multiline strings and
 templating using a dictionary, these kind of issues are more easily
avoided.

 example

 query="""SELECT * from Products WHERE name=%s AND timestamp>=%s"""
 cursor.execute(query % ('burger', '2009-09-10 12:00:00')

 It is not easy to use SQL injection against code like above so the
 default Python string templating is a bit more secure than the one
 provided by PHP.  You don't need to go through the pain of
mysql_escape_string  to escape the SQL params which is the solution
 offered in the PHP world.

 This is just one example. Basically it is a fact that the clean, minimal
  syntax of Python with no "hackish" features does make it a more
 secure language, if not intentional then accidental. Anyway it is good
  news for Python developers.


>
> There was a time when I used to maintain my entire website on my local
> machine as a bunch of text files using Muse for Emacs. Make edits as I
> wanted and then 'publish' the site. Not exactly cutting edge tech. and
> not very flexible but I'm guessing that static HTML pages have better
> security records than Django and Drupal. :)
>
>
>
> --
> ~noufal
> http://nibrahim.net.in
> _______________________________________________
> BangPypers mailing list
> BangPypers at python.org
> http://mail.python.org/mailman/listinfo/bangpypers
>



-- 
--Anand
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/bangpypers/attachments/20091010/7536c377/attachment.htm>

More information about the BangPypers mailing list