Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I agree. I think for largely cultural and timing reasons, and also its success, there are a lot more long-lived php codebases for this to play out in compared to most languages.

I also think possibly node is our generation's php, with it being so fast-changing and there not being a community consensus about framework. So every complex node project is, like pre-laravel php, essentially a totally unique ad-hoc framework composed of a mix of libraries. Ruby and python aren't better languages than php or node, and rails and django aren't perfect, but to a large extent those languages avoid this problem just because everyone is using the same solutions.



T_PAAMAYIM_NEKUDOTIM, mysql_real_es ape2, parse_str, etc.


> mysql_real_escape2

Blame MySQL for that name, not PHP.

https://dev.mysql.com/doc/c-api/8.4/en/mysql-real-escape-str...

(And, if you're doing modern PHP, it's just PDO->quote().)


I'm not certain about OP's objection but for me it's less the function name and more the terrible history of how PHP tried to automatically fix SQL injection and instead made everything a thousand times worse. If you're not using bound parameters for user data you're taking a huge risk and making your life multitudes more difficult. PHP's PDO is by far the better option at this point but it suffers from poor enough usability that I've built my own wrapper for it at two different companies.


Writing a wrapper for PDO is standard operating procedure for various good reasons.


> the terrible history of how PHP tried to automatically fix SQL injection and instead made everything a thousand times worse

Are you thinking of stuff like magic quotes? mysql_real_escape is not part of an automatic anything. You manually use it to quote each value.


Why should I blame MySQL? It's the PHP developers that decided to introduce it and not change the name, plus have several functions that don't do the right thing as well.


This hasn't been an issue for like fifteen years or whatever.

In hindsight I think it's a good thing, it's a pea that keeps princesses at a distance from the language.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: