On Wed, Oct 25, 2006 at 05:54:37PM -0500, Damian Wiest wrote:
> On Wed, Oct 25, 2006 at 03:06:36PM +0200, Joachim Schipper wrote:
> > Just a half-baked thought, but escaping any non-constant expression
> > (i.e., actual variable, not fixed string) passed to the browser or a
> > database would go a long way toward solving most problems.
> >
> > That is,
> >
> > $hello = "<Hello World>";
> > echo "<Hello World> ", $hello;
> >
> > could produce
> > <Hello World> <Hello World>
> >
> > And
> >
> > do_query('select var1, var2 from mydb where id = ' . $my_id);
> >
> > would not be as dangerous as it is now.
> >
> > Of course, this is an ugly hack [1]. But a hack that would make my life
> > quite a bit easier.
> >
> > Joachim
> >
> > [1] The first example is not that bad, treating constants and variables
> > differently is just one sin; the interesting part is figuring out a sane
> > way to do the latter.
> >
>
> Or you could use DBI's bind parameters and not have to worry about the
> issue.
Yes, but that solves only the second problem and doesn't work on sloppy
(non-)programmers.
> My main problem with PHP is that it allows programmers to be extremely
> sloppy and embed application logic into what would otherwise be an HTML
> page. Using code to iterate through a list and display the values
> contained within is fine, but I see a lot of people doing transactional
> processing in PHP pages. This isn't unique to PHP, as JSPs tend to have
> the same problems.
When you have a hammer, ...
Joachim
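The two ideas in the thread side by side, as an added example that is not part of the original messages: Joachim's "escape anything that is not a fixed string" at the output sink, and Damian's bind parameters for the query. The thread's snippets are PHP/Perl style; this port to Python (html.escape plus the sqlite3 module) is the editor's choice, and the table name mydb, the columns, the rows and the attacker-controlled my_id value are all constructed for the demo.

```python
import html
import sqlite3


class Literal(str):
    """Marker for a fixed string typed by the programmer; emitted verbatim."""


def render(*parts):
    """Joachim's first idea: Literal parts pass through, everything else is
    HTML-escaped, so a variable can never introduce markup of its own."""
    return "".join(
        p if isinstance(p, Literal) else html.escape(str(p), quote=True)
        for p in parts
    )


def make_db():
    # Constructed in-memory table standing in for the thread's "mydb".
    db = sqlite3.connect(":memory:")
    db.execute("create table mydb (id integer primary key, var1 text, var2 text)")
    db.executemany(
        "insert into mydb values (?, ?, ?)",
        [(1, "a1", "a2"), (2, "b1", "b2"), (3, "c1", "c2")],
    )
    return db


def query_concat(db, my_id):
    # The thread's dangerous form: the value is spliced into the SQL text,
    # so the database parses whatever the caller put in my_id as SQL.
    sql = "select var1, var2 from mydb where id = " + str(my_id)
    return db.execute(sql).fetchall()


def query_bound(db, my_id):
    # Damian's fix: a bind parameter. The SQL text is constant; the value
    # travels separately and is compared, never parsed.
    sql = "select var1, var2 from mydb where id = ?"
    return db.execute(sql, (my_id,)).fetchall()


if __name__ == "__main__":
    hello = "<Hello World>"
    print(render(Literal("<Hello World> "), hello))

    db = make_db()
    evil = "2 or 1=1"  # constructed attacker-controlled id
    print("concat:", query_concat(db, evil))   # every row comes back
    print("bound: ", query_bound(db, evil))    # no row has that id
    print("bound: ", query_bound(db, 2))       # the intended lookup
```

The escaped-output half needs the programmer to mark fixed strings as Literal; anything arriving unmarked, which is the sloppy case the thread worries about, is escaped by default. The query half needs no marking at all, which is why bind parameters are the simpler of the two fixes.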