On Wed, Oct 25, 2006 at 05:54:37PM -0500, Damian Wiest wrote:
> On Wed, Oct 25, 2006 at 03:06:36PM +0200, Joachim Schipper wrote:
> > Just a half-baked thought, but escaping any non-constant expression
> > (i.e., actual variable, not fixed string) passed to the browser or a
> > database would go a long way toward solving most problems.
> >
> > That is,
> >
> > $hello = "<Hello World>";
> > echo "<Hello World> ", $hello;
> >
> > could produce
> >
> > <Hello World> <Hello World>
> >
> > And
> >
> > do_query('select var1, var2 from mydb where id = ' . $my_id);
> >
> > would not be as dangerous as it is now.
> >
> > Of course, this is an ugly hack [1]. But a hack that would make my life
> > quite a bit easier.
> >
> > Joachim
> >
> > [1] The first example is not that bad, treating constants and variables
> > differently is just one sin; the interesting part is figuring out a sane
> > way to do the latter.
>
> Or you could use DBI's bind parameters and not have to worry about the
> issue.

Yes, but that solves only the second problem and doesn't work on sloppy
(non-)programmers.

> My main problem with PHP is that it allows programmers to be extremely
> sloppy and embed application logic into what would otherwise be an HTML
> page. Using code to iterate through a list and display the values
> contained within is fine, but I see a lot of people doing transactional
> processing in PHP pages. This isn't unique to PHP, as JSPs tend to have
> the same problems.

When you have a hammer, ...

Joachim
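The "escape everything that is not a constant" idea from the quoted post, worked through as an added example in Python (not code from the thread): fragments the programmer wrote are tagged as constants, and anything else is HTML-escaped on the way to the browser or turned into a bound parameter on the way to the database, which is one sane way to do the second case. `Const`, `render`, `build_query`, `do_query` and the sqlite table are my own constructions, not anything from the thread.

```python
import html
import sqlite3


class Const(str):
    """Marks a string literal the programmer wrote (trusted HTML/SQL text)."""


def render(*parts) -> str:
    """Join output fragments; only non-constant parts are HTML-escaped."""
    return "".join(p if isinstance(p, Const) else html.escape(str(p))
                   for p in parts)


def build_query(*parts):
    """Turn constant SQL fragments plus values into (sql, params).

    Every non-constant part becomes a '?' placeholder, so the database
    driver compares it as data and never parses it as SQL.
    """
    sql, params = [], []
    for p in parts:
        if isinstance(p, Const):
            sql.append(p)
        else:
            sql.append("?")
            params.append(p)
    return "".join(sql), tuple(params)


def do_query(conn, *parts):
    sql, params = build_query(*parts)
    return conn.execute(sql, params).fetchall()


def demo():
    # Constructed in-memory table standing in for 'mydb' from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mydb (id text, var1 text, var2 text)")
    conn.executemany("insert into mydb values (?, ?, ?)",
                     [("1", "a", "b"), ("2", "c", "d")])
    hello = "<Hello World>"
    page = render(Const("<Hello World> "), hello)
    select = Const("select var1, var2 from mydb where id = ")
    rows_ok = do_query(conn, select, "1")
    # A value that would alter the query if concatenated stays a plain string.
    rows_hostile = do_query(conn, select, "1 or 1=1")
    return page, rows_ok, rows_hostile
```

Running `demo()` returns the escaped page text, one row for id "1", and no rows for the hostile value, since it is compared as a literal id.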