On Feb 6, 2005, at 6:51 PM, Edin Kadribasic wrote:

> On Sunday, Feb 6, 2005, at 23:07 Europe/Copenhagen, George Schlossnagle wrote:
>
>> I disagree. The fact that XSS attacks remain one of the largest issues plaguing large so-called enterprise sites points to data validation being a hard thing to remember to always do, and to do 'right'.
>
> So how do you feel about the impact magic_quotes had on preventing SQL injection attacks? In my own personal opinion it had a marginal positive impact at best, and it didn't prevent people from writing queries like "delete from customer where customer_id=".$_GET['id']. It did, however, have a major negative impact on the portability of the PHP code written.
I think that magic_quotes was the wrong solution for the SQL injection problem. The right solution for that is to use a database layer with auto-escaping built into it (via something like PDO's emulated bindings).
I realize that's not a real answer to your question, but I think that the issues with magic_quotes (which I agree is a travesty) stem from it being the wrong solution to the problem it tried to tackle.
George
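The contrast George draws, as an added example that is not part of the thread: the concatenated query Edin quotes is run with request data passed through an addslashes()-style stand-in for magic_quotes_gpc, then with quoting done by the database layer itself (a simplified model of emulated bindings, assumed here), then with a native bound parameter. Python's sqlite3 module is used instead of PHP/PDO so the example runs stand-alone; the table and values are constructed.

```python
import sqlite3

def make_db():
    """Constructed sample data: a throw-away in-memory customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (customer_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def remaining(conn):
    return conn.execute("SELECT COUNT(*) FROM customer").fetchone()[0]

def addslashes(value):
    """Stand-in for what magic_quotes_gpc did to request data: backslash-escape
    quotes and backslashes. It never adds the surrounding quotes, so it changes
    nothing for a value dropped into an unquoted numeric comparison."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def delete_concat(conn, raw_id):
    """The query from the thread: the magic-quoted request value is
    concatenated straight into the SQL text."""
    conn.execute("DELETE FROM customer WHERE customer_id=" + addslashes(raw_id))
    return remaining(conn)

def sql_quote(value):
    """Simplified model (an assumption, not PDO's code) of a database layer's
    own quoting, as emulated bindings do: always wrap the value in quotes and
    double any quote inside it, so the value is read as exactly one literal."""
    return "'" + value.replace("'", "''") + "'"

def delete_layer_quoted(conn, raw_id):
    """Same query, but the database layer quotes the value, not the caller."""
    conn.execute("DELETE FROM customer WHERE customer_id=" + sql_quote(raw_id))
    return remaining(conn)

def delete_bound(conn, raw_id):
    """Native bound parameter: the value travels separately from the statement,
    so it can never be parsed as SQL."""
    conn.execute("DELETE FROM customer WHERE customer_id=?", (raw_id,))
    return remaining(conn)
```

Each function returns the number of rows left, so the difference is visible directly: an ordinary id deletes one row in all three variants, while a malformed id deletes every row only in the concatenated version, because SQLite cannot coerce the quoted or bound text to an integer and simply matches nothing.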
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php