On Sat, Oct 10, 2009 at 8:35 PM, Noufal Ibrahim <nou...@gmail.com> wrote:
> On Sat, Oct 10, 2009 at 7:59 PM, Carl Karsten <c...@personnelware.com>
> wrote:
> [..]
> > I need to inject...
> >
> > The line should be:
> >
> > cursor.execute(query, ('burger', '2009-09-10 12:00:00'))
>
> Ah. Then it's just a case of the API doing the quoting internally
> which points to a better API than a better language.
>

Nobody said Python is a better language than PHP. Indeed, comparing both is a bit of an apples-to-oranges comparison, since the two languages are designed for totally different purposes. Python is a general-purpose language, whereas PHP was built from the ground up for the web. My point is that there are certain aspects of PHP which make it easy to write vulnerable code if the coder is not careful. In Python, there are again some aspects (language as well as API) which guard against common pitfalls.

> > and to keep it more like the php example:
> >
> > cursor.execute(query, (productname, buy_datetime))
>
> Yes. That would be closer.
>
> [..]
> > I have done 2 php pages and a bunch of python. My guess is PHP makes
> > it easier to write vulnerable code, but I am really going out on a limb
> > here, so I'll not try to support this notion.
>
> Yes. I think so too. However, something being in PHP alone doesn't
> disqualify it as a robust and secure product.
>

A product being robust is a totally different thing from it being secure. Robust means it is stable (as in staying up and doing what it is supposed to do) and works with reasonable or good performance. Security is a totally different aspect. Being secure doesn't imply robustness, or vice versa.

> --
> ~noufal
> http://nibrahim.net.in
> _______________________________________________
> BangPypers mailing list
> BangPypers@python.org
> http://mail.python.org/mailman/listinfo/bangpypers
>

--
--Anand
_______________________________________________
BangPypers mailing list
BangPypers@python.org
http://mail.python.org/mailman/listinfo/bangpypers
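The point Noufal and Anand are circling, that the DB-API call `cursor.execute(query, params)` lets the driver do the quoting, is shown below in a small added example (not code from the thread or from either poster). It uses an in-memory sqlite3 table with constructed rows and the `?` placeholder style of the sqlite3 driver (the thread's query presumably used the MySQLdb `%s` style); the table and column names are assumptions. A product name containing an apostrophe breaks the string-interpolated query but is handled as plain data by the parameterized one.

```python
import sqlite3

# Constructed sample data, not taken from the mailing-list thread.
# The last row carries an apostrophe, the classic case that bites
# hand-built SQL strings.
ROWS = [
    ("burger", "2009-09-10 12:00:00"),
    ("pizza", "2009-09-10 13:00:00"),
    ("ben's burger", "2009-09-10 14:00:00"),
]


def make_db():
    """Build an in-memory table named purchases (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE purchases (productname TEXT, buy_datetime TEXT)")
    conn.executemany("INSERT INTO purchases VALUES (?, ?)", ROWS)
    return conn


def lookup_interpolated(conn, productname, buy_datetime):
    """The pattern under discussion: user input pasted into the SQL text.
    The caller's data becomes part of the statement's syntax."""
    query = ("SELECT productname, buy_datetime FROM purchases "
             "WHERE productname = '%s' AND buy_datetime = '%s'"
             % (productname, buy_datetime))
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, productname, buy_datetime):
    """The DB-API form from the thread: the driver binds the values,
    so they can only ever be data, never SQL."""
    query = ("SELECT productname, buy_datetime FROM purchases "
             "WHERE productname = ? AND buy_datetime = ?")
    return conn.execute(query, (productname, buy_datetime)).fetchall()


def compare(conn, productname, buy_datetime):
    """Run both forms on the same input; report 'error' where the
    interpolated statement no longer parses."""
    try:
        interpolated = lookup_interpolated(conn, productname, buy_datetime)
    except sqlite3.OperationalError:
        interpolated = "error"
    parameterized = lookup_parameterized(conn, productname, buy_datetime)
    return {"interpolated": interpolated, "parameterized": parameterized}


if __name__ == "__main__":
    db = make_db()
    print(compare(db, "burger", "2009-09-10 12:00:00"))
    print(compare(db, "ben's burger", "2009-09-10 14:00:00"))
```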