[BangPypers] [ANN][X-Post] SciPy India conference in Dec. 2009
Anand Balachandran Pillai
abpillai at gmail.com
Sat Oct 10 09:01:20 CEST 2009
On Sat, Oct 10, 2009 at 10:46 AM, Noufal Ibrahim <noufal at gmail.com> wrote:
> 0 day Django exploit in the wild -
> Fixed rather quickly but found rather late. One of the reasons is
> probably because of the comparatively smaller user base. If Django had
> the same number of users as Drupal, I expect a lot more to be visible.
> Also, I don't think that merely *using* PHP means that your site is
> less secure. That's a tad too simplistic for my tastes. And I'm also
> willing to bet that if I did have to use PHP, using something like
> Drupal would be a lot more secure than deploying a home brew CMS.
Not exactly. There is some truth in saying that PHP is a less secure
language overall when compared to Python. The reasons go back to the
design itself. PHP was designed from the ground up as a language for the web,
which means web development features are built directly into the core
language, as opposed to Python, where these are provided by add-on
modules. It does not take a lot of effort to connect the security issues of
PHP with this fact. This is what makes PHP powerful as well as
For example, this is a very common way of doing a select using PHP.
$query = "SELECT * FROM products WHERE name='$productname'";
Only that this kind of SQL is very vulnerable to SQL injection attacks:
$productname can be replaced with malicious SQL code from outside.
The correct way to do this would be,
$query = sprintf("SELECT * FROM products
However, in Python, due to some features like multiline strings and
templating using a dictionary, these kinds of issues are more easily
# %-templating: the values are substituted into the SQL text before it
# is handed to the database (string placeholders need their own quotes).
query = """SELECT * FROM Products WHERE name='%s' AND timestamp>='%s'"""
cursor.execute(query % ('burger', '2009-09-10 12:00:00'))
It is not easy to use SQL injection against code like the above, so the
default Python string templating is a bit more secure than the one
provided by PHP. You don't need to go through the pain of
mysql_escape_string to escape the SQL params, which is the solution
offered in the PHP world.
This is just one example. Basically it is a fact that the clean, minimal
syntax of Python with no "hackish" features does make it a more
secure language, if not intentional then accidental. Anyway it is good
news for Python developers.
> There was a time when I used to maintain my entire website on my local
> machine as a bunch of text files using Muse for Emacs. Make edits as I
> wanted and then 'publish' the site. Not exactly cutting edge tech. and
> not very flexible but I'm guessing that static HTML pages have better
> security records than Django and Drupal. :)
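The thread above argues about whether string-templated SQL in Python resists injection. The following is an added example, not code from either poster: it runs the two query styles side by side against a constructed in-memory SQLite table (the table, rows and the crafted input are assumptions made for the demonstration) so a reader can check the behaviour directly. The interpolated version builds the query the way the post's snippet does; the parameterized version passes the values to the driver separately, which is the mitigation that does not depend on escaping.

```python
import sqlite3

# Constructed sample data for this example (not from the thread).
ROWS = [
    ("burger", "2009-09-10 12:00:00"),
    ("pizza", "2009-09-11 08:30:00"),
    ("salad", "2009-09-12 09:15:00"),
]


def make_db():
    """Build a throwaway in-memory database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (name TEXT, timestamp TEXT)")
    conn.executemany("INSERT INTO Products VALUES (?, ?)", ROWS)
    return conn


def lookup_interpolated(conn, name, since):
    """Query built with %-templating, as in the post: the values become part
    of the SQL text, so the database cannot tell data from query structure."""
    query = ("SELECT name FROM Products WHERE name='%s' AND timestamp>='%s' "
             "ORDER BY name") % (name, since)
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name, since):
    """Same query with driver placeholders: the values are bound separately
    and are never parsed as SQL, whatever characters they contain."""
    query = ("SELECT name FROM Products WHERE name=? AND timestamp>=? "
             "ORDER BY name")
    return [row[0] for row in conn.execute(query, (name, since))]


def compare(name, since):
    """Run both styles on the same input and return their result lists."""
    conn = make_db()
    return {
        "interpolated": lookup_interpolated(conn, name, since),
        "parameterized": lookup_parameterized(conn, name, since),
    }


if __name__ == "__main__":
    since = "2009-09-10 12:00:00"
    # Ordinary input: both styles agree.
    print(compare("burger", since))
    # Constructed input containing a quote: the interpolated query's WHERE
    # clause is rewritten and returns every row; the bound parameter is
    # simply a name that matches nothing.
    print(compare("x' OR '1'='1", since))
```

The second call is the check worth keeping in a test suite: any query-building helper should return the same rows for a quoted input as for an unknown product name, and the interpolated version fails that check while the parameterized one passes it.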