[BangPypers] Drupal vs. Django

Noufal Ibrahim noufal at gmail.com
Mon Nov 16 10:44:05 CET 2009


On Mon, Nov 16, 2009 at 2:50 PM, Anand Balachandran Pillai
<abpillai at gmail.com> wrote:
> On Mon, Nov 16, 2009 at 12:42 PM, Ramdas S <ramdaz at gmail.com> wrote:
>
>> On Mon, Nov 16, 2009 at 12:34 PM, Noufal Ibrahim <noufal at gmail.com> wrote:
>>
>> > We had a thread a while ago inspired by the fossee.in site. I came
>> > across this http://birdhouse.org/blog/2009/11/11/drupal-or-django/
>> > which is relevant to the issue and which might interest people who
>> > have to make a decision.
>> >
>>
>
> Nice link, I have been reading it plus comments since you posted it.
> I found this gem somewhere down the page.
>
> "Some attack vectors, like SQL injection (and other input sanitization
> exploits) are pretty much eliminated by Python’s DB API and Django’s ORM and
> Form validation tools. This is not to say you couldn’t create an exploit in
> a Django app, but that you’d have to be trying to on purpose".
>
> I remember I had made a similar point in that thread when it came to
> Python vs PHP on security. This is exactly the point I wanted to make.[..]

Yes but IIRC your argument was a Python vs. PHP one rather than the
applications (Django vs. Drupal).

It's perfectly possible and equally easy to write SQL injection
exploitable code in Python if you're using the raw DBAPI (I've done it
when I wrote my first database interacting app [python and PHP] and
didn't know anything about sanitising inputs). All you have to do is
to + some strings together with unsanitised inputs and run them. This
is the way you do it on Python and PHP if you go down to the API
level.

With higher level libraries like ORMs (and I'm sure there are decent
ones for PHP as well), it will take care of the nitty gritty and
you'll be clean.

So, *on the language front* at least with respect to *writing bad SQL
queries*, I think both the languages are somewhat equal unless I'm
totally missing a subtle point you're making.

Coming to the application side of things (Drupal vs. Django), if the
former doesn't use an ORM or any other library that automatically
sanitises SQL queries to it, it's a +1 for the latter.

As for the CSRF points he's making, I'm not knowledgeable enough to
comment but what he says looks correct and I think it's a +1 for
Django.

Your point though, about the general ugliness of PHP and its ad hoc
nature is perfectly valid and my reason for not using it voluntarily
anymore. Python is much cleaner and will encourage better code. *My*
point is that if you only take the question of SQL injection while
using only the raw DB API, both the languages fare similarly.

-- 
~noufal
http://nibrahim.net.in
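
The raw DB-API point made in the message above, as an added example that is not part of the original post: the same lookup built by string concatenation and with a DB-API placeholder. The sqlite3 driver, the `users` table, the function names and the sample inputs are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory table (assumed schema, not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret")],
    )
    return conn


def lookup_concatenated(conn, name):
    """Input is glued into the SQL text with +, so it is parsed as SQL."""
    query = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, name):
    """The value travels separately from the SQL text via a placeholder."""
    query = "SELECT name, secret FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name):
    """Run both lookups on a fresh database; report a parse failure by name."""
    conn = make_db()
    try:
        try:
            concatenated = lookup_concatenated(conn, name)
        except sqlite3.OperationalError:
            # The input changed the statement so much it no longer parses.
            concatenated = "OperationalError"
        return concatenated, lookup_parameterised(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed inputs: a normal name, a quote-breaking value, a legitimate
    # name that happens to contain an apostrophe.
    for value in ("alice", "nobody' OR '1'='1", "o'brien"):
        concatenated, parameterised = compare(value)
        print(repr(value))
        print("  concatenated :", concatenated)
        print("  parameterised:", parameterised)
```

The third input shows that concatenation is also a correctness bug: an ordinary name containing an apostrophe breaks the statement, while the placeholder version treats it as data.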