Date:      Fri, 04 Jul 2003 10:20:21 +0100
From:      matt <matt@proweb.co.uk>
Cc:        questions@freebsd.org
Subject:   Re: Which server-side programming should i choose.
Message-ID:  <3F0546D5.1020106@proweb.co.uk>
In-Reply-To: <20030704072303.GA69059@happy-idiot-talk.infracaninophile.co.uk>
References:  <20030702201929.79497.qmail@web12604.mail.yahoo.com> <07e301c340ec$1159e770$1b41d5cc@nitanjared> <3F03FB8A.9080700@thebigchoice.com> <200307041026.47024.jrhoden@unimelb.edu.au> <20030704072303.GA69059@happy-idiot-talk.infracaninophile.co.uk>

Matthew Seaman wrote:

>On Fri, Jul 04, 2003 at 10:26:47AM +1000, JacobRhoden wrote:
>
>>Even though this is getting waaay off topic...
>>
>>  On Thu, 3 Jul 2003 07:46 pm, Matt Heath wrote:
>>  > Ever seen something like this:
>>  > $r = mysql_execute("select * from table_1 where id=$_GET[id];");
>>
>>Actually people do do the same thing in perl and you know it :P Both perl and
>>php support calling sql with parameters using ? to insert variables. If
>>someone does not know what language to use at all, I would suggest php simply
>>because it's a good, quick, easy language to get started in without too much
>>difficulty. (In lots of ways including not needing to understand cgi
>>variables, and what the heck Content-type: text/html\n\n is, or learning how
>>to include perl libraries to do all that stuff for you!)
>
>You're missing the point.  $_GET[id] is one of the arguments used when
>calling the PHP and as such is completely under the control of an
>external user.

Exactly.

perl has the "tainted" construct for this and will refuse certain 
operations with tainted data.

But my challenge was Kevin Kinsey's assertion:

> [PHP is] likely to be more secure than Perl if used as Apache module than CGI.


and I want to know why?
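To make the thread's point concrete, here is an added PHP example (not code from anyone in the thread) that puts the interpolated query from the quoted snippet beside the `?` placeholder form the thread mentions, with an input check standing in for Perl's taint refusal; it runs against a constructed in-memory SQLite table and assumes the pdo_sqlite extension, and `find_by_id_unsafe`, `find_by_id` and the sample rows are my own names and data.

```php
<?php
// Added example, not from the thread. Constructed in-memory SQLite table
// playing the role of "table_1" from the quoted snippet.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE table_1 (id INTEGER PRIMARY KEY, name TEXT)');
foreach ([[1, 'alice'], [2, 'bob'], [3, 'carol']] as [$id, $name]) {
    $db->prepare('INSERT INTO table_1 (id, name) VALUES (?, ?)')
       ->execute([$id, $name]);
}

// The pattern from the quoted snippet: the request parameter is pasted
// straight into the SQL text, so whatever the client sends becomes
// part of the statement rather than a value the statement compares.
function find_by_id_unsafe(PDO $db, string $untrusted): array
{
    $result = $db->query("SELECT * FROM table_1 WHERE id=$untrusted");
    return $result->fetchAll(PDO::FETCH_ASSOC);
}

// The "?" placeholder form the thread refers to: the value is bound
// separately from the statement text and cannot change its structure.
// The ctype_digit check is the equivalent of untainting under perl -T:
// a value that is not a plain integer id is refused before any SQL runs.
function find_by_id(PDO $db, string $untrusted): ?array
{
    if (!ctype_digit($untrusted)) {
        return null; // refuse, instead of letting the database see it
    }
    $stmt = $db->prepare('SELECT * FROM table_1 WHERE id = ?');
    $stmt->execute([(int) $untrusted]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed request parameters; in a real request these are $_GET['id'],
// which the client chooses, as the thread points out.
$wellFormed = '2';
$tampered   = '2 OR 1=1';

// Placeholder version: one row for a real id, nothing for a tampered one.
var_dump(find_by_id($db, $wellFormed));
var_dump(find_by_id($db, $tampered));

// Interpolated version: the tampered parameter turns the WHERE clause into
// "id=2 OR 1=1", which matches every row in the table.
var_dump(count(find_by_id_unsafe($db, $wellFormed)));
var_dump(count(find_by_id_unsafe($db, $tampered)));
```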
