
PHP 8.5

(stitcher.io)
201 points by brentroose | 5 comments
1. yupyupyups No.45992465
Is PHP still unhelpful when it comes to writing secure code?

I remember when escaping SQL input data was "the correct way" to use your mysql database. Parametrization? Nah, just use mysql_escape_string or whatever it was called.

replies(4): >>45992563 >>45992566 >>45992581 >>45992594
2. Octoth0rpe No.45992563
PHP has kept around a lot of functionality that can be misused, but PDO has had parameterization since forever and is the go-to method if you want to connect to a database. Beyond that though, most PHP projects at this point are likely using a query builder/ORM like Eloquent.

So I guess it depends on what you mean by unhelpful. PHP as a language makes it pretty easy to do bad stuff. PHP as a community makes it easy to Do The Right Thing.

3. g105b No.45992566
SQL named parameters were a feature introduced into PHP on 24th Nov 2005, with the release of PHP 5.1.0.
4. krapp No.45992581
Prepared statements have been available in PHP for over 20 years, when it deprecated the old mysql libraries. They were removed entirely in PHP 7.

And let's be real - most handwritten SQL code in existence in most languages just builds queries from concatenated strings, even when more secure options exist. A lot of code doesn't even bother to escape anything. That's not a language problem so much as a developer laziness and assumption that "simplicity always equals correctness and frameworks are always wrong" problem.

5. amiga-workbench No.45992594
You use PDO and prepared statements. Although realistically, you are going to be using a framework and some kind of Active Record pattern.
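The contrast the thread keeps coming back to, as an added example that is not part of any comment above: a query built by string concatenation (the pattern comment 4 describes) beside the PDO named-parameter form comments 2, 3 and 5 recommend. It assumes the pdo_sqlite extension and uses a constructed in-memory table so it runs offline.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database so the example runs without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql you would additionally set PDO::ATTR_EMULATE_PREPARES to false
// so the server, not the driver, binds the values; pdo_sqlite does not take it.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'user'), ('O''Brien', 'admin')");

// Unsafe: the input becomes part of the SQL text, so any quote character in
// the data changes the structure of the statement the engine parses.
function findByNameConcat(PDO $pdo, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the statement is compiled before any value is supplied; :name can
// only ever carry data, never SQL syntax.
function findByNamePrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A perfectly legitimate value that happens to contain a quote (constructed).
$input = "O'Brien";

try {
    var_dump(findByNameConcat($pdo, $input));
} catch (PDOException $e) {
    // The quote in the data broke the query; that is exactly the seam an
    // injection relies on, and escaping only papers over it per call site.
    echo 'concatenated query failed: ' . $e->getMessage() . PHP_EOL;
}

// The prepared form returns the one matching row regardless of the quote.
var_dump(findByNamePrepared($pdo, $input));
```

Run it with `php example.php`: the concatenated version raises a syntax error on the apostrophe, while the prepared version returns the O'Brien row.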