[nycphp-talk] Not-so-subtle attack on PHP
Dell Sala
dell at sala.ca
Thu Sep 27 01:14:15 EDT 2007
I wouldn't call this an attack on PHP. It is a critique of a
philosophy. From the same article:
> Q: Are you saying that sites built with open source tools like PHP
> are more vulnerable to SQL injection attacks than sites built
> with .Net?
>
> A: It's a question of mentality. Microsoft's mindset is to fix
> things in such a way that the user doesn't have so much control and
> is therefore less vulnerable. The open source tools like PHP have a
> different philosophy. They assume that users know what they are
> doing and want to be free of constraints, so these tools let users
> do what they want but at their own risk. The open source tools
> assume that developers these days are aware of the threat of SQL
> injection and will do the right thing.
It's about different approaches to the balance between ease-of-use
and flexibility.
The holy grail is a solution that provides both. Somewhere down the
line there has to be code that generates the SQL. The real challenge
is where that code goes. Does it happen inside a framework of some
kind that takes care of all the escaping in a tested and reliable
way, or do you generate the SQL higher up in your scripts adding the
flexibility needed for complex joins and query optimization?
Ken wrote:
> Applying security in the database renders you structurally immune
> from SQL injection.
Can you elaborate on this? I'm always intrigued by your DB-centric
slant.
-- Dell
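The two places the post says SQL generation can live, shown side by side as an added example (not code from the thread or from any project it mentions): a query concatenated in the script itself, and the same lookup routed through a small tested layer that binds values with PDO prepared statements. It assumes PHP with the PDO SQLite driver and uses an in-memory database and a constructed input string so it runs offline.

```php
<?php
// Added example, not from the thread: where the SQL is generated decides
// who is responsible for escaping. Runs against an in-memory SQLite DB.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed input: what a visitor typed into a "find user" box.
$input = "x' OR '1'='1";

// 1. SQL generated "higher up", in the script, by string interpolation.
//    Every call site must remember to escape; the one that forgets is the
//    injection point, and here the tautology matches every row.
$sql = "SELECT name FROM users WHERE name = '$input'";
$concatRows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
echo 'concatenated query matched ' . count($concatRows) . " row(s)\n";

// 2. SQL generated inside a small tested layer. Callers pass an array of
//    column => value; values travel as bound parameters, never as SQL text.
function findUsers(PDO $db, array $where): array
{
    // Identifiers cannot be bound, so column names are checked against an
    // allow-list (hypothetical schema) before they are placed in the SQL.
    $allowed = ['name', 'role'];
    $clauses = [];
    foreach (array_keys($where) as $col) {
        if (!in_array($col, $allowed, true)) {
            throw new InvalidArgumentException("unknown column: $col");
        }
        $clauses[] = "$col = :$col";
    }
    $stmt = $db->prepare('SELECT name FROM users WHERE ' . implode(' AND ', $clauses));
    $stmt->execute($where);  // PDO binds each value as data, quoting is not the caller's job
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Same attacker-controlled string, now compared literally against the name column.
$boundRows = findUsers($db, ['name' => $input]);
echo 'parameterized query matched ' . count($boundRows) . " row(s)\n";
```

The layered version still leaves room for the flexibility the post worries about: complex joins can be added inside `findUsers` (or a sibling function) while user-supplied values keep arriving as parameters.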