That was the thing I was trying to convey: what was offered to me was a safe API. The thing all the PHP tutorials of 2001 taught was "glue strings together and it will do what you want".

That was the knowledge offered to us 13-year-olds wanting to write a discussion board for our game groups. I think it is a lovely example of "the simple thing should be the safe thing, and if you need more there should be ample warning". That was not the case with PHP 4.0.

Anecdote: the Swedish PHP book (I recall there being only one) that most of us had taught the string-building approach without any escaping. The oldest things I can find by Googling now are from 2007 and are almost all safe, either through PDO or a safe mysqli interface.




But this is not a language issue but an educational problem; it depends on luck whether you land on some bad book or tutorial. If the language offers performance, it must give me access to unsafe stuff like running raw SQL.


Of course. I am trying to find it now, but I recently used a sqlite library where, barring bugs in escaping, there was no way to execute SQL queries in the "simple API" with strings that were not compile-time constants. A dynamically generated string would be refused with a clear error message pointing to the correct part of the manual.

The raw queries were hidden in a sqlite3/DANGEROUS library. Despite doing things like stepping queries, bypassing the statement cache or mucking around and changing parameterized queries I didn't have to touch the DANGEROUS API.
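The two shapes the thread contrasts, glued strings versus a "simple API" that only takes constant SQL plus bound parameters, as an added example that is not part of any comment above and not the code of the sqlite library being recalled. It uses Python's standard `sqlite3` module. `SimpleApi` is an assumed analogue of that library's refusal of dynamic SQL: since Python cannot check for compile-time constants, it keeps an allow-list of registered statement texts and rejects anything else; the `DANGEROUS` escape hatch is also hypothetical. The sample rows are constructed.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the thread).
SAMPLE_USERS = [("alice", "admin"), ("bob", "member"), ("carol", "member")]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_glued(conn: sqlite3.Connection, name: str) -> list:
    """The 2001-tutorial shape: the value is glued into the SQL text, so the
    database parses it as SQL. Kept only to show why this is the unsafe default."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn: sqlite3.Connection, name: str) -> list:
    """The 'simple thing is the safe thing' shape: the SQL text is a literal
    constant and the value travels separately as a bound parameter, so it is
    always treated as data, never as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


class SimpleApi:
    """Hypothetical analogue of the 'simple API' from the comment above.

    Only statement texts registered in STATEMENTS may run; any other string
    (for example one built at runtime) is refused with an explanatory error.
    Values must be passed as parameters. Raw SQL lives only behind DANGEROUS.
    """

    STATEMENTS = frozenset({
        "SELECT name, role FROM users WHERE name = ?",
        "SELECT name FROM users WHERE role = ?",
    })

    def __init__(self, conn: sqlite3.Connection):
        self._conn = conn

    def run(self, sql: str, params: tuple = ()) -> list:
        if sql not in self.STATEMENTS:
            raise ValueError(
                "dynamically built SQL refused; register the statement or use "
                "SimpleApi.DANGEROUS (see: parameterised queries)"
            )
        return self._conn.execute(sql, params).fetchall()

    class DANGEROUS:
        """Explicit, separately named escape hatch for raw SQL."""

        def __init__(self, conn: sqlite3.Connection):
            self._conn = conn

        def raw(self, sql: str) -> list:
            return self._conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input that is only a username to the safe API
    print("glued :", lookup_glued(db, probe))   # every row: the input was parsed as SQL
    print("bound :", lookup_bound(db, probe))   # []: no user literally has that name
    api = SimpleApi(db)
    print("api   :", api.run("SELECT name FROM users WHERE role = ?", ("member",)))
    try:
        api.run("SELECT name FROM users WHERE role = '" + "member" + "'")
    except ValueError as exc:
        print("refused:", exc)
```

Running it shows the asymmetry the comment describes: the glued lookup returns all three rows for an input that is not a username, the bound lookup returns nothing for the same input, and the wrapper rejects the runtime-built statement before it reaches the database.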



