
PHP 8.5

(stitcher.io)
201 points by brentroose | 1 comment
yupyupyups No.45992465
Is PHP still unhelpful when it comes to writing secure code?

I remember when escaping SQL input data was "the correct way" to use your MySQL database. Parametrization? Nah, just use mysql_escape_string or whatever it was called.

replies (4): >>45992563 >>45992566 >>45992581 >>45992594
1. Octoth0rpe No.45992563
PHP has kept around a lot of functionality that can be misused, but PDO has had parameterization since forever and is the go-to method if you want to connect to a database. Beyond that though, most PHP projects at this point are likely using a query builder/ORM like Eloquent.

So I guess it depends on what you mean by unhelpful. PHP as a language makes it pretty easy to do bad stuff. PHP as a community makes it easy to Do The Right Thing.
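The PDO parameterization the reply refers to, as an added example that is not part of the thread: a prepared statement against an in-memory SQLite database (the table, rows and inputs are constructed here), contrasted with the string-built query that escaping functions were meant to protect.

```php
<?php
// Added example, not from the thread. Runs offline against an in-memory
// SQLite database; table contents and inputs below are constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

/**
 * Look up a user by name with a parameterized query. The SQL text is fixed at
 * prepare() time; the value is bound afterwards and reaches the engine as data,
 * so it can never change the shape of the statement.
 */
function findUser(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed input containing a quote, the character escaping routines exist for.
$hostile = "' OR '1'='1";

var_dump(findUser($pdo, 'alice'));   // array with id 1 and name 'alice'
var_dump(findUser($pdo, $hostile));  // NULL: no row has that literal name

// For contrast, the pattern the thread describes: the query is assembled as text
// and stays correct only as long as every value is quoted and escaped properly.
// $unsafe = "SELECT id, name FROM users WHERE name = '" . $name . "'";
```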