On Wed, Oct 25, 2006 at 03:06:36PM +0200, Joachim Schipper wrote:
[snip]
> Just a half-baked thought, but escaping any non-constant expression
> (i.e., actual variable, not fixed string) passed to the browser or a
> database would go a long way toward solving most problems.
>
> That is,
>
>     $hello = "<Hello World>";
>     echo "<Hello World> ", $hello;
>
> could produce
>
>     <Hello World> &lt;Hello World&gt;
>
> And
>
>     do_query('select var1, var2 from mydb where id = ' . $my_id);
>
> would not be as dangerous as it is now.
>
> Of course, this is an ugly hack [1]. But a hack that would make my life
> quite a bit easier.
>
> Joachim
>
> [1] The first example is not that bad, treating constants and variables
> differently is just one sin; the interesting part is figuring out a sane
> way to do the latter.

Or you could use DBI's bind parameters and not have to worry about the issue.

My main problem with PHP is that it allows programmers to be extremely sloppy and embed application logic into what would otherwise be an HTML page. Using code to iterate through a list and display the values contained within is fine, but I see a lot of people doing transactional processing in PHP pages. This isn't unique to PHP, as JSPs tend to have the same problems.

-Damian
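Damian's bind-parameter suggestion and Joachim's output-escaping idea shown side by side, as an added Python/sqlite3 example that is not from the thread: the `mydb` table, its rows and the column names `var1`/`var2` are constructed to match Joachim's query, and `render` stands in for his `echo` line.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the "mydb" table in Joachim's query.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mydb (id INTEGER, var1 TEXT, var2 TEXT)")
    conn.executemany(
        "INSERT INTO mydb VALUES (?, ?, ?)",
        [(1, "a1", "a2"), (2, "b1", "b2"), (3, "c1", "c2")],
    )
    return conn


def query_concat(conn, my_id):
    # The pattern from the thread: the variable is spliced into the SQL text,
    # so whatever it contains is parsed as part of the statement.
    sql = "select var1, var2 from mydb where id = " + str(my_id)
    return conn.execute(sql).fetchall()


def query_bound(conn, my_id):
    # Bind parameter (what DBI's placeholders do): the value travels
    # separately from the statement and is compared as data, never parsed.
    sql = "select var1, var2 from mydb where id = ?"
    return conn.execute(sql, (my_id,)).fetchall()


def render(hello):
    # Joachim's echo example: the constant markup goes out verbatim,
    # the variable is escaped before it reaches the browser.
    return "<Hello World> " + html.escape(hello)


if __name__ == "__main__":
    db = make_db()
    print(query_bound(db, 2))              # [('b1', 'b2')]
    print(query_bound(db, "2 or 1=1"))     # [] : treated as one odd value
    print(query_concat(db, "2 or 1=1"))    # every row: the text became SQL
    print(render("<Hello World>"))         # <Hello World> &lt;Hello World&gt;
```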