[BangPypers] [ANN][X-Post] SciPy India conference in Dec. 2009
Anand Balachandran Pillai
abpillai at gmail.com
Sat Oct 10 09:01:20 CEST 2009
Hi,
On Sat, Oct 10, 2009 at 10:46 AM, Noufal Ibrahim <noufal at gmail.com> wrote:
> 0 day Django exploit in the wild -
> http://news.ycombinator.com/item?id=872533
> http://www.djangoproject.com/weblog/2009/oct/09/security/
>
> Fixed rather quickly but found rather late. One of the reasons is
> probably because of the comparatively smaller user base. If Django had
> the same number of users as Drupal, I expect a lot more to be visible.
>
> Also, I don't think that merely *using* PHP means that your site is
> less secure. That's a tad too simplistic for my tastes. And I'm also
> willing to bet that if I did have to use PHP, using something like
> Drupal would be a lot more secure than deploying a home brew CMS.
>
Not exactly. There is some truth in saying that PHP is a less secure
language overall when compared to Python. The reasons stem from the
design itself. PHP was designed from the ground up as a language for the web,
which means web development features are built directly into the core
language, as opposed to Python, where these are provided by add-on
modules. It does not take a lot of effort to connect the security issues of
PHP with this fact. This is what makes PHP powerful as well as
vulnerable.
For example, this is a very common way of doing a select using PHP.

$query = "SELECT * FROM products WHERE name='$productname'";
mysql_query($query);
Only that this kind of SQL is very vulnerable to SQL injection attacks,
because $productname can be replaced with malicious SQL code from outside.
The correct way to do this would be:

$query = sprintf("SELECT * FROM products WHERE name='%s'",
                 mysql_real_escape_string($productname));
mysql_query($query);
However, in Python, due to some features like multiline strings and
templating using a dictionary, these kinds of issues are more easily
avoided.

Example:

# Python %-templating fills the placeholders into the SQL text before
# it is handed to the cursor (the tuple closes the execute() call).
query = """SELECT * FROM Products WHERE name='%s' AND timestamp>='%s'"""
cursor.execute(query % ('burger', '2009-09-10 12:00:00'))
It is not easy to use SQL injection against code like above so the
default Python string templating is a bit more secure than the one
provided by PHP. You don't need to go through the pain of
mysql_escape_string to escape the SQL params which is the solution
offered in the PHP world.
This is just one example. Basically it is a fact that the clean, minimal
syntax of Python with no "hackish" features does make it a more
secure language, if not intentional then accidental. Anyway it is good
news for Python developers.
>
> There was a time when I used to maintain my entire website on my local
> machine as a bunch of text files using Muse for Emacs. Make edits as I
> wanted and then 'publish' the site. Not exactly cutting edge tech. and
> not very flexible but I'm guessing that static HTML pages have better
> security records than Django and Drupal. :)
>
>
>
> --
> ~noufal
> http://nibrahim.net.in
> _______________________________________________
> BangPypers mailing list
> BangPypers at python.org
> http://mail.python.org/mailman/listinfo/bangpypers
>
--
--Anand
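An added example, not part of the thread above, that puts the two Python approaches side by side: building the SELECT with the %-operator as in the message, and passing the values to cursor.execute() as a separate parameter tuple so the DB-API driver binds them. It uses sqlite3 (which ships with Python and takes '?' placeholders; MySQLdb and psycopg2 use %s in the same role) and a constructed products table; the product names, timestamps and the quote-bearing input are all made up for the demo.

```python
"""Added example (not from the BangPypers thread): %-templating versus
DB-API parameter binding for the same SELECT.

In the first function the input becomes part of the SQL text the database
parses.  In the second the SQL text is fixed and the values travel
separately, so a quote in the input is just a quote.  sqlite3 is used
because it ships with Python; the data below is constructed for the demo.
"""
import sqlite3

# Constructed sample rows: (name, timestamp).
PRODUCTS = [
    ("burger", "2009-09-10 13:00:00"),
    ("fries", "2009-09-11 09:30:00"),
    ("internal-sku", "2009-09-12 08:00:00"),
]


def make_db():
    """In-memory database holding the constructed products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, timestamp TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def lookup_interpolated(conn, name, since):
    """Builds the SQL text with %-templating, as in the thread's snippet.
    Whatever `name` contains is parsed by the database as SQL."""
    query = ("SELECT name FROM products WHERE name='%s' "
             "AND timestamp>='%s' ORDER BY name")
    return [row[0] for row in conn.execute(query % (name, since))]


def lookup_parameterized(conn, name, since):
    """Same SELECT, but the values are bound by the driver.  sqlite3 uses
    '?' placeholders; MySQLdb/psycopg2 use %s for the same purpose."""
    query = ("SELECT name FROM products WHERE name=? "
             "AND timestamp>=? ORDER BY name")
    return [row[0] for row in conn.execute(query, (name, since))]


def demo():
    """Runs both lookups with a normal name and with a quote-bearing input
    of the kind the thread warns about, and returns the four result lists."""
    conn = make_db()
    since = "2009-09-10 12:00:00"
    hostile = "burger' OR '1'='1"  # constructed: contains a closing quote
    return {
        "normal_interp": lookup_interpolated(conn, "burger", since),
        "normal_param": lookup_parameterized(conn, "burger", since),
        # The quote ends the string literal and the rest becomes SQL,
        # so every row with a recent timestamp comes back.
        "hostile_interp": lookup_interpolated(conn, hostile, since),
        # Bound as a literal value; no product has that name, so no rows.
        "hostile_param": lookup_parameterized(conn, hostile, since),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the normal name both functions return ['burger']; with the quote-bearing input the templated version returns every row in the table while the bound version returns nothing, which is the difference the driver's parameter binding makes, independent of how the SQL string itself is written.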