So I’ve been looking at and using Python recently. I thought I’d share some of my thoughts for those who haven’t had a chance to play with the language yet. I’ll try to avoid a preachy OMG-I’ve-just-discovered-the-best-thing-ever post, or to simply write another Python tutorial. I’ll look at the good and bad points of the language.I first looked at Python a month or two ago. The guy and girls over at programming.reddit.com push it as the language to end all languages, so I decided to grab a copy of the (free!) Dive Into Python book. I started putting together a smallish personal project, but with no external pressure it petered out. When a discussion came up at work (a PHP shop) on how to quickly write a reliable server daemon I pushed the idea of Python. It took a little convincing, but the results speak for themselves.
Archive for April, 2008
SQL injection is a well trodden topic so I won’t go into too much detail.
For those who don’t know, the problem occurs when you fail to properly escape variables being placed into your strings. For example the SQL statement
"SELECT * FROM users WHERE name = '$name'" will fail if $name is set to
' or '1' = '1. The string will be expanded to produce
SELECT * FROM users WHERE name = '' or '1' = '1'. This is obviously not what you wanted, and could lead to very bad results when coupled with DELETE or UPDATE queries.
When protecting your server environment you’ll want to ensure that two things happen. Firstly, you’ll want to keep your scripts from prying eyes; you want to make sure that you don’t accept input that will break your code. Secondly, and most importantly, you want to stop anyone from executing their own code on your servers.
Today I’m going to start a three part series looking at security issues affecting web developers. The specifics apply to PHP developers, but the general concepts carry across all technologies.