On Wed, Oct 25, 2006 at 05:54:37PM -0500, Damian Wiest wrote:
> On Wed, Oct 25, 2006 at 03:06:36PM +0200, Joachim Schipper wrote:
> > Just a half-baked thought, but escaping any non-constant expression
> > (i.e., actual variable, not fixed string) passed to the browser or a
> > database would go a long way toward solving most problems.
> > 
> > That is,
> > 
> > $hello = "<Hello World>";
> > echo "<Hello World> ", $hello;
> > 
> > could produce
> > <Hello World> &lt;Hello World&gt;
> > 
> > And
> > 
> > do_query('select var1, var2 from mydb where id = ' . $my_id);
> > 
> > would not be as dangerous as it is now.
> > 
> > Of course, this is an ugly hack [1]. But a hack that would make my life
> > quite a bit easier.
> > 
> >             Joachim
> > 
> > [1] The first example is not that bad, treating constants and variables
> > differently is just one sin; the interesting part is figuring out a sane
> > way to do the latter.
> > 
> 
> Or you could use DBI's bind parameters and not have to worry about the 
> issue.

Yes, but that solves only the second problem and doesn't work on sloppy
(non-)programmers.

> My main problem with PHP is that it allows programmers to be extremely 
> sloppy and embed application logic into what would otherwise be an HTML 
> page.  Using code to iterate through a list and display the values 
> contained within is fine, but I see a lot of people doing transactional 
> processing in PHP pages.  This isn't unique to PHP, as JSPs tend to have 
> the same problems.

When you have a hammer, ...

                Joachim
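The two fixes the thread circles around, written out as an added example (not code from Joachim's or Damian's messages): literal markup is emitted as-is while every variable value is escaped, and the query takes `$my_id` as a bound parameter instead of being concatenated. The `echo_escaped` helper, the in-memory SQLite table and its columns are assumptions made for the example.

```php
<?php
// Added example, not from the thread: the two cases Joachim sketches,
// done explicitly in the application rather than by changing the language.
declare(strict_types=1);

// Case 1: output to the browser. The literal markup is the author's and
// passes through unchanged; each value that came from a variable is escaped.
function echo_escaped(string $literal, string ...$values): string
{
    $out = $literal;
    foreach ($values as $v) {
        $out .= htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
    return $out;
}

$hello = "<Hello World>";
echo echo_escaped("<Hello World> ", $hello), "\n";
// prints: <Hello World> &lt;Hello World&gt;

// Case 2: the database. A bound parameter travels separately from the SQL
// text, so the value of $my_id can never alter the statement's structure.
$db = new PDO('sqlite::memory:');            // assumed: PDO with the sqlite driver
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mydb (id INTEGER PRIMARY KEY, var1 TEXT, var2 TEXT)');
$db->exec("INSERT INTO mydb VALUES (1, 'a', 'b'), (2, 'c', 'd')");

// Constructed input: concatenated into the query text this would have read
// "WHERE id = 1 OR 1=1"; as a bound value it is just a string compared to id.
$my_id = '1 OR 1=1';

$stmt = $db->prepare('SELECT var1, var2 FROM mydb WHERE id = :id');
$stmt->bindValue(':id', $my_id, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo count($rows), " row(s)\n";   // 0: no id equals the string '1 OR 1=1'

// The same statement with a well-formed id returns exactly one row.
$stmt->bindValue(':id', '2', PDO::PARAM_STR);
$stmt->execute();
echo count($stmt->fetchAll(PDO::FETCH_ASSOC)), " row(s)\n";   // 1
```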
