Heh - a friend of mine once planned to give his son the middle name "DELETE * FROM CITIZENS" (including the quotes!).

Not to be *too* much of a framework snob, but if SQL is *possible* in a web framework, then that framework is deeply, fundamentally broken. And PHP is - the root problem is that it mixes together code and markup. That means these kinds of vulnerabilities are baked into the design of the language. PHP is fundamentally by-amateurs, for-amateurs. I think the article that best captures the issues is this one: http://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/

There is a wider world of ways of doing web sites that is not prone to this sort of problem. While the idea of flat HTML sites sounds quaint to some folks, the reality is that generating HTML on the fly on a server is pretty much dead as an approach to doing dynamic web sites. Flat HTML is back :-) Combined with a JSON REST API for dynamic data and JavaScript that runs on the client to talk to it (using client-side frameworks such as AngularJS), you can do all the things people have traditionally done with dynamic HTML generation on the server, and the result scales far better - since the server is doing less, you can do the same things with far less hardware, take better advantage of server-side and browser-based caching, and scale out further and much more easily. And the result is far easier to secure.

I realize that there are people attached to PHP, and that in general, in the technology industry, broken platforms create economies of consultants around them to babysit them (FreeBSD was actually a threat to Unix vendors but Linux got all the attention when it was a tinker-toy; MySQL *still* can't index a Unicode string longer than 250 characters while Postgres can rival Oracle; the list goes on).
But the bottom line is that the industry is going in the direction of flat files and dynamic content handled in-browser, and given the huge advantages that offers in terms of scalability, I don't know of anything that stands a chance of turning that tide. I'm not saying PHP hosting vendors are going to be out of business tomorrow, but if you're dependent on it, now would be a good time to lift the lid and let in some fresh air.

-Tim

--
http://timboudreau.com
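The "name as SQL" problem the post opens with comes from splicing user input into the query text. As an added example (not code from the original post), here is a constructed in-memory SQLite table with a lookup that concatenates the name into the SQL beside the same lookup using a bound parameter; the table, rows and probe strings are all constructed, and the bound-parameter form is the same discipline as PDO prepared statements in PHP.

```python
"""Constructed demo: string-built SQL versus parameterised SQL.

Added example, not code from the mailing-list post. The 'citizens'
table and its rows are constructed sample data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a constructed in-memory table with a few sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO citizens (name) VALUES (?)",
        [("Alice",), ("Bob",), ("O'Brien",)],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: user input is spliced into the SQL text itself."""
    sql = f"SELECT name FROM citizens WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: the driver passes the value separately from the SQL."""
    sql = "SELECT name FROM citizens WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def outcomes(name: str) -> dict:
    """Run both lookups on the same input and report what each one did."""
    conn = make_db()
    result = {}
    try:
        result["unsafe"] = lookup_unsafe(conn, name)
    except sqlite3.OperationalError as exc:
        # A plain apostrophe (O'Brien) already breaks the spliced query.
        result["unsafe"] = f"error: {exc}"
    result["safe"] = lookup_safe(conn, name)
    return result


if __name__ == "__main__":
    for probe in ["Bob", "O'Brien", "x' OR 'a'='a"]:
        print(repr(probe), outcomes(probe))
```

The parameterised lookup returns exactly the row whose name matches the input, whatever characters it contains; the spliced one either errors on an ordinary apostrophe or lets the input change the query's meaning.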