PHP Programming (was JOB: LAMP Artisan)

Levi Pearson levipearson at gmail.com
Mon Mar 3 09:22:57 MST 2014


On Mon, Mar 3, 2014 at 2:18 AM, Dan Egli <ddavidegli at gmail.com> wrote:

> Not quite sure what you mean here. Any project that is going to have user
> input queried against a database has to allow the user to input that data.
> Even a simple login form has that need. Of course there's a difference
> between simply plugging in the $_REQUEST (or $_GET/$_POST) element in the
> request and doing some basic sanity checking and some basic sanitizing.
> Anyone who does query directly against the input is asking for problems no
> matter the language, and I don't know of any language that would
> specifically prevent you from doing that. Even if there's some kind of
> check that prevents you from using that language's equivalent of the
> $_REQUEST/$_GET/$_POST variables directly, I doubt there's a problem with
> assigning a temp var to the same value and passing the temp var to the DB
> query. And most things I've seen these days use PHP's DB libraries and
> prepared statements. That's not so easy to hack.

It is in fact a compile-time error in many statically-typed web
frameworks to use a string obtained from user input directly in HTML
output or database queries.  You can't get around it with temp vars;
you can only get around it with a function that applies the proper
escaping, at which point there's no problem.

There are also many web frameworks in dynamically-typed languages that
do something similar, but it does require some run-time checks.
Again, assigning temp vars doesn't change the fact that the different
string types (wrappers around strings in a dynamically-typed language)
are incompatible.

There are all sorts of other security concerns that can be managed in
this way if you use a framework that was designed with security in
mind, and these rule out large classes of common security problems *by
construction*; you just can't write applications that are vulnerable
to them, even if you are completely unaware of the security issues
themselves. This is, unfortunately, not the way PHP works.

        --Levi
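The wrapper-type scheme described in the reply above, written out as an added example (not code from this thread, from Levi, or from any particular framework): raw input is held in a `Tainted` wrapper that refuses to become a plain string, HTML output accepts only a `SafeHtml` value produced by the escaping function, and SQL parameters are handed to the driver as bound values rather than pasted into the query text. The class and function names, and the small sqlite table, are constructed for this example.

```python
"""Added example: making injection a type error in a dynamically-typed language.

Python stand-in for the run-time checks a security-minded framework performs:
the only way to get user input into an HTML template is through escape_html(),
and the only way to get it into a query is as a bound parameter.
"""
import html
import sqlite3


class Tainted:
    """Raw user input (e.g. a request parameter). Deliberately NOT a str
    subclass: str(t), f"{t}" and "..." + t all raise instead of quietly
    producing a string that could be concatenated into a query or a page."""

    def __init__(self, raw: str):
        self._raw = raw

    def __str__(self):
        raise TypeError("Tainted input must be escaped or bound before use")

    __format__ = None  # makes f-strings and str.format() fail loudly too


class SafeHtml:
    """Text that is safe to emit into HTML: either a developer literal or the
    output of escape_html(). Sinks accept this type and nothing else."""

    def __init__(self, text: str):
        self.text = text


def escape_html(value) -> SafeHtml:
    """The one sanctioned bridge from Tainted to SafeHtml."""
    if isinstance(value, SafeHtml):
        return value
    if isinstance(value, Tainted):
        return SafeHtml(html.escape(value._raw, quote=True))
    raise TypeError(f"cannot escape {type(value).__name__}; wrap input in Tainted")


def render(template: str, **values) -> str:
    """HTML sink: every substituted value must already be SafeHtml."""
    safe = {}
    for name, v in values.items():
        if not isinstance(v, SafeHtml):
            raise TypeError(f"{name}: expected SafeHtml, got {type(v).__name__}")
        safe[name] = v.text
    return template.format(**safe)


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a real users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "pw1"), ("bob", "pw2")])
    return conn


def lookup_user(conn: sqlite3.Connection, username: Tainted) -> list:
    """SQL sink: the query text is a developer literal; Tainted values are
    unwrapped only to be bound as parameters, so the driver treats them as
    data and a quote in the input cannot change the query's structure."""
    if not isinstance(username, Tainted):
        raise TypeError("username must be Tainted user input")
    rows = conn.execute("SELECT name FROM users WHERE name = ?",
                        (username._raw,)).fetchall()
    return [r[0] for r in rows]


def direct_interpolation_is_rejected(value: Tainted) -> bool:
    """Shows that a temp var does not help: building the query string by
    hand with the wrapped value fails before any SQL runs."""
    tmp = value
    try:
        _ = "SELECT name FROM users WHERE name = '" + str(tmp) + "'"
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    conn = make_demo_db()
    page = render("<p>Hello, {name}</p>",
                  name=escape_html(Tainted("<script>alert(1)</script>")))
    print(page)
    print(lookup_user(conn, Tainted("alice")))
    print(lookup_user(conn, Tainted("alice' OR '1'='1")))
    print(direct_interpolation_is_rejected(Tainted("x")))
```

The check is purely at run time, as the reply notes; a statically-typed framework gets the same effect from the compiler, but the shape is identical: two incompatible string types and one escaping function between them.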

