PHP 8.5

(stitcher.io)
201 points by brentroose | 1 comment

yupyupyups No.45992465
Is PHP still unhelpful when it comes to writing secure code?

I remember when escaping SQL input data was "the correct way" to use your mysql database. Parametrization? Nah, just use mysql_escape_string or whatever it was called.

replies(4): >>45992563 >>45992566 >>45992581 >>45992594

1. krapp No.45992581
Prepared statements have been available in PHP for over 20 years, when it deprecated the old mysql libraries. They were removed entirely in PHP 7.

And let's be real - most handwritten SQL code in existence in most languages just builds queries from concatenated strings, even when more secure options exist. A lot of code doesn't even bother to escape anything. That's not a language problem so much as a developer laziness and assumption that "simplicity always equals correctness and frameworks are always wrong" problem.
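As an added illustration of the two approaches discussed in this thread (this is example code written for this page, not code from the linked article or from the PHP project), the snippet below puts a string-concatenated query next to a PDO prepared statement. It uses an in-memory SQLite database so it runs offline; the PDO calls are the same ones used against MySQL. The table, rows and the input `O'Brien` are constructed for the example.

```php
<?php
// Added example, not from the thread or the PHP documentation.
// Assumes the pdo_sqlite extension is available; PDO's prepare/execute API
// is identical for the MySQL driver.
declare(strict_types=1);

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    // Constructed sample rows; the second name contains a quote on purpose.
    $pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");
    return $pdo;
}

// Vulnerable pattern: the caller's input is spliced into the SQL text.
// Any quote in the input alters the query's structure instead of being data,
// which is the root cause behind escaping-based mistakes.
function findUserConcat(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the query text is fixed at prepare time and the value is
// bound as a parameter, so it is never parsed as SQL and needs no escaping.
function findUserPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = openDb();
$input = "O'Brien"; // constructed input: a legitimate value containing a quote

try {
    var_dump(findUserConcat($pdo, $input));
} catch (PDOException $e) {
    // The quote in the input breaks the concatenated query.
    echo "concatenated query failed: " . $e->getMessage() . PHP_EOL;
}

// The bound parameter is handled as data and the row is found.
var_dump(findUserPrepared($pdo, $input));
```

When this is run against MySQL rather than SQLite, setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the MySQL driver send the placeholder query to the server and bind values there, rather than interpolating escaped values client-side; either mode keeps data out of the query grammar, which is the property string escaping only approximates.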