On Mon, Nov 16, 2009 at 2:50 PM, Anand Balachandran Pillai <abpil...@gmail.com> wrote:
> On Mon, Nov 16, 2009 at 12:42 PM, Ramdas S <ram...@gmail.com> wrote:
>
>> On Mon, Nov 16, 2009 at 12:34 PM, Noufal Ibrahim <nou...@gmail.com> wrote:
>>
>> > We had a thread a while ago inspired by the fossee.in site. I came
>> > across this http://birdhouse.org/blog/2009/11/11/drupal-or-django/
>> > which is relevant to the issue and which might interest people who
>> > have to make a decision.
>> >
>>
> Nice link, I have been reading it plus comments since you posted it.
> I found this gem somewhere down the page.
>
> "Some attack vectors, like SQL injection (and other input sanitization
> exploits) are pretty much eliminated by Python's DB API and Django's ORM and
> Form validation tools. This is not to say you couldn't create an exploit in
> a Django app, but that you'd have to be trying to on purpose".
>
> I remember I had made a similar point in that thread when it came to
> Python vs PHP on security. This is exactly the point I wanted to make.[..]
Yes, but IIRC your argument was a Python vs. PHP one rather than the applications (Django vs. Drupal). It's perfectly possible and equally easy to write SQL-injection-exploitable code in Python if you're using the raw DBAPI (I've done it when I wrote my first database-interacting app [Python and PHP] and didn't know anything about sanitising inputs). All you have to do is + some strings together with unsanitised inputs and run them. This is the way you do it in Python and PHP if you go down to the API level. With higher-level libraries like ORMs (and I'm sure there are decent ones for PHP as well), it will take care of the nitty gritty and you'll be clean. So, *on the language front*, at least with respect to *writing bad SQL queries*, I think both the languages are somewhat equal unless I'm totally missing a subtle point you're making.

Coming to the application side of things (Drupal vs. Django), if the former doesn't use an ORM or any other library that automatically sanitises SQL queries to it, it's a +1 for the latter.

As for the CSRF points he's making, I'm not knowledgeable enough to comment, but what he says looks correct and I think it's a +1 for Django.

Your point, though, about the general ugliness of PHP and its ad hoc nature is perfectly valid and my reason for not using it voluntarily anymore. Python is much cleaner and will encourage better code.

*My* point is that if you only take the question of SQL injection while using only the raw DB API, both the languages fare similarly.

-- 
~noufal
http://nibrahim.net.in

_______________________________________________
BangPypers mailing list
BangPypers@python.org
http://mail.python.org/mailman/listinfo/bangpypers
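The point Noufal makes above (that the raw DB API lets you "+ some strings together with unsanitised inputs and run them", while a parameterised query or ORM keeps you clean) is easy to see side by side. The following is an added example, not code from the mailing-list thread or from Django: it uses Python's built-in sqlite3 module (a DB-API 2.0 driver) with a constructed two-row table, and the function names `lookup_unsafe` and `lookup_safe` are the example's own. `lookup_unsafe` is the concatenation pattern and `lookup_safe` is the parameterised form; given the same user-controlled string, only the concatenated version lets the input change the query's WHERE clause.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demo (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """The raw-DBAPI anti-pattern: user input spliced into the SQL text.

    Whatever is in `name` becomes part of the statement the engine parses,
    so a quote character in the input rewrites the query itself.
    """
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The same lookup with a DB-API parameter placeholder.

    The driver sends `name` as a bound value, never as SQL text, so the
    statement's structure is fixed before the input is ever seen.  This is
    the mechanism an ORM uses underneath on your behalf.
    """
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name):
    """Run both lookups on the same input; returns (unsafe_rows, safe_rows)."""
    conn = make_db()
    try:
        return lookup_unsafe(conn, name), lookup_safe(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    for user_input in ("bob", "x' OR '1'='1"):
        unsafe_rows, safe_rows = compare(user_input)
        print(f"input={user_input!r}")
        print(f"  concatenated : {unsafe_rows}")
        print(f"  parameterised: {safe_rows}")
```

For a well-behaved name both functions return the same single row. For input containing a quote, the concatenated version's WHERE clause is rewritten and every row comes back, whereas the parameterised version simply finds no user with that literal name; the fix is a one-line change to the query call, which is why the thread's point stands that the language is not the deciding factor, the API usage is.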