Ian Bicking: the old part of his blog

Php ghetto comment 000

There is someplace now to contact about security problems: http://www.python.org/security/

Certainly this all can, and sometimes does, happen in Python. All the mechanisms that cause problems in PHP exist in Python, and I've seen people abuse them in very similar ways. But I see a much stronger emphasis on correcting problems and avoiding the same problem in the future. My initial impression of this bug was that it had something to do with the same problem as SQL injections ("blah '$string'"), but once I saw the actual code it was more complicated than that. It should have raised flags -- being complicated and using a dangerous construct -- but it wasn't blindingly obvious.

Though perhaps what surprised me more was that the code was just really really buggy, and no one noticed. It wouldn't accept any XMLRPC request that contained a string with ' in it. Geez. Anyone with the name O'Something must curse PHP, because PHP really hates that character.

Comment on Re: The PHP Ghetto
by Ian Bicking
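As an added illustration (not part of Ian's comment, and not the PHP XMLRPC code he is describing), here is the "blah '$string'" shape he compares the bug to, written in Python with the standard-library sqlite3 module. The table and names are constructed for the example. It shows both halves of his point: an honest value like O'Brien breaks a query built by string interpolation, and the very same quote handling lets an attacker rewrite the query, while a parameterized query handles both inputs correctly.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table (assumption, not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s1"), ("O'Brien", "s2"), ("bob", "s3")],
    )
    return conn


def lookup_interpolated(conn, name):
    """The "blah '$string'" shape: untrusted text pasted straight into the SQL."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Hardened form: the driver passes the value separately from the SQL text,
    so a quote in the value is just data and never closes the literal."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo():
    """Run the vulnerable and hardened lookups against the same two inputs."""
    conn = make_db()
    results = {}

    # 1. A legitimate name containing an apostrophe: the interpolated query
    #    becomes  ... WHERE name = 'O'Brien'  and fails to parse at all.
    try:
        lookup_interpolated(conn, "O'Brien")
        results["interp_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["interp_apostrophe"] = "syntax error"

    # 2. The same mishandling is an injection: the quote closes the literal
    #    and the rest of the input becomes SQL, returning every row.
    results["interp_injected"] = lookup_interpolated(conn, "x' OR '1'='1")

    # 3. Parameterized: O'Brien is found, the injection string matches nothing.
    results["param_apostrophe"] = lookup_parameterized(conn, "O'Brien")
    results["param_injected"] = lookup_parameterized(conn, "x' OR '1'='1")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The interpolated version fails on O'Brien with a syntax error (the "really really buggy" symptom) and returns all three users for the injected input; the parameterized version returns exactly the one matching row in the first case and nothing in the second.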