Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
ameixaseca 2 days ago

Keep in mind this is PHP.

There are tons of languages and frameworks made by developers who know what they are doing that do not treat everything blindly like strings.

For SQL in particular, you should never build queries directly from user input - any modern database supports bind variables or parameters, which completely eliminate any need for sanitizing input.

I agree with you regarding sanitization, and I'd add further that having to sanitize input for security purposes is a big sign of code smell and an overall insecure code by design.

daneel_w 2 days ago | parent | next [-]

>"Keep in mind this is PHP."

Has nothing to do with PHP. SQL injection mishaps is a developer problem, not a language problem. It happens everywhere.

ameixaseca 16 hours ago | parent [-]

I feel like answering this comment could start a possible argument, which I have no interest in doing.

I do, however, want to point that anyone interested in comparing language design choices can conclude by themselves this is likely a strong factor.

You can find references like the classic "PHP: a fractal of bad design"[1] which not only talks about the language itself but SQL injection, error handling and tons of other issues. It summarizes most of the important points.

I can also add a few issues like[2][3], which unfortunately are not isolated incidents: these are a reflection of core design decisions and how the language approaches software design as a whole.

I stand by my point, which I'll define more precisely as:

"A badly-designed language either makes it hard for developers to do good choices, or makes it easy for developers to do bad choices."

PHP is not alone, but it is a prime example of this.

You can disagree with this assessment - and that's OK.

[1] https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/

[2] https://stackoverflow.com/questions/36867718/php-rename-fail...

[3] https://stackoverflow.com/questions/11360511/php-rename-how-...

9dev 2 days ago | parent | prev [-]

And tons of such frameworks have been written in PHP; prepared statements with an adapter-agnostic database connection layer are first-class citizens in PHP.