PHP Programming (was JOB: LAMP Artisan)

Levi Pearson levipearson at
Mon Mar 3 09:22:57 MST 2014

On Mon, Mar 3, 2014 at 2:18 AM, Dan Egli <ddavidegli at> wrote:

> Not quite sure what you mean here. Any project that is going to have user
> input queried against a database has to allow the user to input that data.
> Even a simple login form has that need. Of course there's a difference
> between simply plugging in the $_REQUEST (or $_GET/$_POST) element in the
> request and doing some basic sanity checking and some basic sanitizing.
> Anyone who does query directly against the input is asking for problems no
> matter the language, and I don't know of any language that would
> specifically prevent you from doing that. Even if there's some kind of
> check that prevents you from using that languages equivalent of the
> $_REQUEST/$_GET/$_POST variables directly, I doubt there's a problem with
> assigning a temp var to the same value and passing the temp var to the DB
> query. And most things I've seen these days use PHP's DB libraries and
> prepared statements. That's not so easy to hack.

It is in fact a compile-time error in many statically-typed web
frameworks to use a string obtained from user input directly in HTML
output or database queries.  You can't get around it with temp vars;
you can only get around it with a function that applies the proper
escaping, at which point there's no problem.

There are also many web frameworks in dynamically-typed languages that
do something similar, but it does require some run-time checks.
Again, assigning temp vars doesn't change the fact that the different
string types (wrappers around strings in a dynamically-typed language)
are incompatible.

There are all sorts of other security concerns that can be managed in
this way if you use a framework that was designed with security in
mind, and these rule out large classes of common security problems *by
construction*; you just can't write applications that are vulnerable
to them, even if you are completely unaware of the security issues
themselves. This is, unfortunately, not the way PHP works.


More information about the PLUG mailing list