[_] PHP accelerators

Richard Davey rich at corephp.co.uk
Wed Dec 5 14:03:18 GMT 2007

Hi Jan,

Wednesday, December 5, 2007, 1:38:07 PM, you wrote:

> Mulling this over over lunch, I think the underlying phenomenon with
> both sql injection and various flavours of xss is that the coder
> expects to emit content; what gets emitted is structure. String
> interpolation, the <%= %> constructs just make this very easy to
> achieve.

I would have to say that SQL injection is something that I *would*
expect the language (or libraries within) to deal with. But again it's
down to developer habit isn't it? If you eschew stored procedures or
bound parameters and insert your strings into queries willy-nilly,
because you want to get something done quickly, then you get what you
ultimately deserve.

(I'm not claiming I've never done this! But I certainly don't any
more)

> Rather than fixing the language, the approach should really be to fix 
> the framework: make it easy (the default) to escape things properly. We
> have a decent fix for this with sql in prepared statements (php's random
> backslash-scattering junk is an attempt at the wrong fix, trying to 

Magic quoting is an old trait of PHP, one now disabled by default and
to be dropped entirely in 6.

That doesn't mean there aren't stacks of legacy apps out there
(especially of the PHP4 era) doing it. But they certainly recognised
the errors of their ways. I do find that PHP6 is pushing developers
down the "you must do it like this" road a lot more heavily than ever
before.

Still, PHP is not a framework, and there are some things it should
just not enforce at that level.

Even removing the <?=?> capability wouldn't solve anything. There are
more ways than I care to think of for outputting data from a PHP
script. The problem is its flexibility - PHP has no way of determining
where the string is being output to, and there are certainly valid
cases where escaping should not take place.

XSS and related attack vectors are such a dramatically shifting area
that no single language or framework could ever claim to fully combat
it (and if one does, it's just selling snake oil).

Cheers,

Rich
-- 
Zend Certified Engineer
http://www.corephp.co.uk

"Never trust a computer you can't throw out of a window"
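An added illustration of the points in this thread, not code from the thread itself: the interpolated query Rich describes, the backslash-scattering "fix" Jan criticises, the bound-parameter version, and the output-context problem Rich raises. It assumes PDO with the SQLite driver so it runs against an in-memory database; the table, rows and input are constructed for the example.

```php
<?php
// Added example (not from the thread). In-memory SQLite so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT, role TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed sample input: a name containing a quote, as a user might type it.
$input = "o'brien";

// 1. Interpolating the string: the quote becomes query STRUCTURE, not content.
//    Here that merely breaks the query; other inputs would change its meaning.
try {
    $db->query("SELECT role FROM users WHERE name = '$input'");
} catch (PDOException $e) {
    echo "interpolated query failed: " . $e->getMessage() . "\n";
}

// 2. Backslash-scattering, which is what magic_quotes_gpc did to every request
//    value: addslashes() yields o\'brien. MySQL accepts that, SQLite does not
//    (it doubles quotes instead), so the "fix" is tied to one SQL dialect and
//    sits at the wrong layer.
$escaped = addslashes($input);
try {
    $db->query("SELECT role FROM users WHERE name = '$escaped'");
} catch (PDOException $e) {
    echo "addslashes() query failed on SQLite: " . $e->getMessage() . "\n";
}

// 3. Bound parameters: the structure is fixed before the value is supplied,
//    so the value is never parsed as SQL, whatever characters it contains.
$stmt = $db->prepare("SELECT role FROM users WHERE name = :name");
$stmt->execute([':name' => $input]);
var_dump($stmt->fetchColumn());   // bool(false): no such user, and no error
$stmt->execute([':name' => 'alice']);
var_dump($stmt->fetchColumn());   // string(5) "admin"

// 4. Output side: PHP cannot know where a string is going, so the escaping has
//    to be chosen by the code that knows the context. The same value needs
//    different treatment in an HTML body and inside a JavaScript literal.
$value = '<b>"hi" & bye</b>';
echo htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "\n"; // HTML text context
echo json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT) . "\n"; // JS context
```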