PHP - security etc

Michael Stillwell mjs at
Wed Mar 7 14:30:41 GMT 2007

On 7 Mar 2007, at 14:02, dakkar wrote:

>> Is PHP more or less open to nastys such as SQL injection?
> For a lot of time, people built their SQL queries without  
> placeholders.
> And did not escape user-supplied values before printing them out. So,
> SQL Injection and XSS. Some PHP libraries *have* support for
> placeholders, and most PHP templating systems *have* escaping  
> filters. A
> lot of people just don't use them...

I would say the security problems with PHP are partly to do with PHP  
being crap, and partly to do with the programmers being crap--a bit  
like the situation with Perl, though at least Perl's core libraries  
are generally good.

With PHP, the core libraries are sometimes awful.  For example, you  
might think that the following is safe:

   $sth = odbc_prepare($dbh, "INSERT INTO people(name) VALUES(?)");
   $res = odbc_execute($sth, array($name));

But no!  For some monstrous reason, any *value* that starts and ends  
with a single quote "will be taken as the name of a file to read and  
send to the database server as the data for the appropriate  
placeholder."  So if $name is "'/etc/password'" the *contents* of / 
etc/password get inserted into your database.  (See 

(As a side note, does anyone else find it a bit odd that MySQL  
prepared statements don't/can't use the query cache?  Is there any  
way around this?  Is this a problem with other DBs?)


+44 78 2118 9049

More information about the mailing list