Hacker News new | past | comments | ask | show | jobs | submit login

Generally speaking, tutorials in those languages recommend using the parameterized versions of the queries rather than string concatenation and manual escaping. The official docs from these more well-designed languages would have copious warnings against attempting to escape user input yourself, rather than having numerous functions baked into the language to help you do just that (e.g. `mysql_escape_string`, `mysql_real_escape_string`).



The official docs will tell you how to properly handle queries, including prepares: http://php.net/manual/en/pdo.prepared-statements.php

Additionally, the mysql_ extension has been deprecated since PHP 5.5: http://php.net/manual/en/migration55.deprecated.php

The official docs on the old mysql_ extension have large warnings advising people not to use it: http://php.net/manual/en/function.mysql-connect.php

Reading a 10 year old tutorial on W3schools isn't the best place to learn current PHP, and it's not the fault of the language. PHP has moved on, if only the haters would too.
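The two patterns the thread argues about, side by side, as an added example (not code from any commenter or from the PHP docs): the string-concatenation style associated with the old mysql_ extension, and the PDO prepared-statement style the linked page recommends. It uses an in-memory SQLite database so it runs offline with stock PHP; that DSN, the `users` table and the input value are assumptions, and with the `mysql:` DSN the PDO calls are identical.

```php
<?php
// Added example, not from the thread. Shows why a bound parameter is safer
// than splicing input into the SQL text. SQLite in-memory DSN is an assumption
// chosen so this runs offline; for MySQL use "mysql:host=...;dbname=...".

// Pattern the thread criticises: input becomes part of the SQL text, so any
// quote character in $name changes the structure of the statement.
function findUserUnsafe(PDO $db, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Pattern the docs recommend: the SQL text is fixed and the value is bound as
// a parameter, so the driver never interprets it as part of the statement.
function findUserSafe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');                          // assumed DSN
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed input: a perfectly legitimate name that happens to contain a quote.
$input = "O'Brien";

try {
    // The stray quote breaks the query text: a syntax error, i.e. the input
    // was interpreted as SQL rather than as data.
    var_dump(findUserUnsafe($db, $input));
} catch (PDOException $e) {
    echo "unsafe query failed: " . $e->getMessage() . "\n";
}

// The bound parameter is treated purely as data: an empty result, no error.
var_dump(findUserSafe($db, $input));
```

Run it with `php example.php`. The point of the contrast is that the safe version never had to think about escaping at all: the same code handles `O'Brien` and any other string, which is the property the official PDO page is steering people toward.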


So your argument is that the dangerous extension is deprecated as of a year and a half ago? Given that PHP has been around for nearly 20 years, it seems like your evidence supports my argument more than yours.

> PHP has moved on, if only the haters would too.

Unfortunately it's not that easy. A lot of those tutorials are still being read by newcomers, and a lot of the web is filled with vulnerabilities as a direct result of official documentation recommending insecure ways of interacting with the database.

PHP may be "in recovery," but that doesn't necessarily mean the bad taste will magically leave everyone's collective mouths. The damage has been done.


The mysql extension is not dangerous in any way, don't spread FUD. The reason for not deprecating it sooner is that very large projects depend on it. These projects may have been ten years in the making and aren't in any way unsafe because of the mysql extension. Software like WordPress and Drupal still use and support the mysql adapter and run on a huge percentage of the web today.

I agree a lot of people read insecure tutorials, but it allows even beginners to write fairly advanced web sites. If the choice is between easy and available and difficult and hard to use, I'd rather have the first option available. On the web, ideas, timing and execution are important, not how amazing your code looks on the backend. A lot of great software may not have been created had it not been for how easy PHP is to get started with. As a community we are trying to educate people to code properly. It's an ongoing process.


"People will forget what you said, people will forget what you did, but people will never forget how you made them feel."

-- Maya Angelou

If PHP had moved on, it wouldn't want to be PHP anymore. Those haters have moved on: they did so when they decided to not program in PHP anymore.



