[Gllug] Introductions to Databases
James Laver
gllug at jameslaver.com
Sun Jul 19 10:18:28 UTC 2009
On 17 Jul 2009, at 21:15, Richard Jones wrote:
>
> Well designed programming languages don't allow you to do SQL
> injection. The fact that poorly designed languages do (cough PHP
> cough) is nothing to do with SQL at all, and would apply to any DB
> query language.
>
I was going to pick James up on this but I see you have. Now I think
it's time you explained your statement.
The fault here isn't PHP (which I am no friend of, I assure you), the
fault is idiot users.
PHP does have really stupid bindings to mysql:
mysql_query("SELECT * FROM table WHERE col = '" . $_GET['val'] . "'",
$connection);
Doesn't take a genius to work out that one's wrong.
mysql_query("SELECT * FROM table WHERE col = '" .
mysql_real_escape_string($_GET['val']) . "'",$connection);
That one will at least escape the argument.
Then they came up with the mysqli library which supports bound
parameters. It also supports the older style.
$stmt = mysqli_prepare($connection, "SELECT * FROM table WHERE col = ?");
mysqli_stmt_bind_param($stmt, 's', $_GET['val']);
This library also sucks because it requires you to bind results (which
can be a bit of a pain if you're dynamically generating).
On the other hand, it has PDO which is a lot more like Perl DBI. But
then Perl DBI can be abused too:
$dbh->do("SELECT * FROM table WHERE col= '" . $my_unescaped_val . "'");
So levelling criticisms at a language for providing the means to use a
database is hardly correct. While it may be true that Perl users
generally avoid the crap way of doing things, it's not like the
language has a part to play in that, in the same way that PHP is just
providing the tools.
In fact, I get fed up of this argument. Yes, PHP is a shitty language,
but it's not to blame for the poor general quality of PHP developers.
It even tried to help them make their shitty code insecure with
magic_quotes (and while I vehemently disagree with them and think they
were a bad idea, they tried).
So level your criticism at the idiots, not the language, because FSM
knows there are enough shitty perl programmers out there too.
--James
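As an added illustration (not code from James's post, and not PHP's or DBI's own API), here are the three patterns he lists, concatenation, escape-then-concatenate, and a bound parameter, side by side in Python's sqlite3 module, which uses the same `?` placeholder as mysqli and DBI. The table, the rows and the test inputs are constructed for the example. One caveat: SQLite escapes a quote by doubling it, so the escaping line is the SQLite equivalent of mysql_real_escape_string, not a port of it.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite table standing in for the
# MySQL "table" with a "col" column from the thread.
ROWS = [("alice",), ("bob",), ("carol",), ("O'Brien",)]

# The classic tautology payload a user would put in ?val=...
INJECTION = "' OR '1'='1"


def make_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (col TEXT)")
    conn.executemany("INSERT INTO t VALUES (?)", ROWS)
    return conn


def query_concat(conn, val):
    """The mysql_query("... '" . $_GET['val'] . "'") pattern.

    The user's bytes become part of the SQL text, so a quote in them
    ends the literal and the rest is parsed as SQL.
    """
    sql = "SELECT col FROM t WHERE col = '" + val + "'"
    return [r[0] for r in conn.execute(sql)]


def query_escaped(conn, val):
    """The mysql_real_escape_string pattern: escape, then still concatenate.

    SQLite's quoting rule is '' rather than MySQL's \\', hence the replace.
    The query is correct, but only as long as nobody forgets the escape.
    """
    sql = "SELECT col FROM t WHERE col = '" + val.replace("'", "''") + "'"
    return [r[0] for r in conn.execute(sql)]


def query_bound(conn, val):
    """The mysqli_prepare / PDO / DBI placeholder pattern.

    The SQL text is fixed; the value travels separately and is never
    parsed, so there is nothing for a stray quote to break out of.
    """
    return [r[0] for r in conn.execute("SELECT col FROM t WHERE col = ?", (val,))]


def run(fn, conn, val):
    """Run one of the query functions, returning the error text instead of raising."""
    try:
        return fn(conn, val)
    except sqlite3.Error as e:
        return "error: " + str(e)


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("concat", query_concat), ("escaped", query_escaped), ("bound", query_bound)):
        for val in ("alice", "O'Brien", INJECTION):
            print(f"{label:8s} {val!r:16s} -> {run(fn, db, val)}")
```

Running it shows the three outcomes the thread argues about: concatenation returns every row for the payload and throws a syntax error on the honest name O'Brien, the escaped query handles both, and the bound query handles both without the programmer having to remember anything per call.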
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug