And I respect PHP very much for that focus. But as soon as you go beyond the very basics, I think the learning curve there is steeper. Rails simply has so many answers to so many questions, and it introduces those answers in a pretty progressive way. You don't even have to learn what SQL injection is if you're using the preferred query methods. You SHOULD learn what that is, but you don't have to to get started. If you don't know what SQL injection is and you use the MySQL db query functions with a string-interpolated query in PHP, well, you're going to be in trouble.
Conflating language and Framework (Score:4)
Probably he knows the difference :). But he seems to just try to make a point where there is none. He is making a wrong comparison. Ruby on Rails is a framework and should have classes/methods to handle SQL queries, just like any proper framework. Ruby and PHP are languages and shouldn't do that. If you use a framework in PHP, or even a CMS as WordPress or Drupal, you have classes/methods for doing SQL queries.
Re: (Score:0)
Honestly I think you're giving him a bit too much credit. "You don't even have to learn what SQL injection is if you're using the preferred query methods." You mean...like...ones that aren't vulnerable to SQL injection attacks David? The ones you just told us we didn't need to know about?
Incidentally, when DHH is finished huffing nitrous oxide out of whipped cream cans, he might want to do a bit of Google searching...there's an entire page dedicated to SQL injection attacks against Rails... [rails-sqli.org]
Re: (Score:0)
there's an entire page dedicated to SQL injection attacks against Rails... [rails-sqli.org]
I was going to say that the examples on the site use SQL fragments and thus are not the safe methods and that the site is completely missing the point...
but then I noticed that there are some more clever things described too, so instead I'll just say: Interesting.
(Though my overall reaction to the site remains: how often do you really pass user input to a HAVING or GROUP BY clause? They're not engineered for that, and I certainly wouldn't expect them to be either!)
Re: (Score:0)
The :select option allows complete control over the SELECT clause of the query.
Well, no shit. It's stupid to list it as an injection vector though.
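The distinction the thread keeps circling (a raw SQL fragment with the input already pasted in, versus the placeholder/hash forms Rails prefers, and the separate problem of user input landing in a SELECT/GROUP BY position where no placeholder can help) is easier to see in code. The block below is an added illustration, not code from the page, from DHH, or from ActiveRecord; it is a toy builder that mimics the shape of those Rails calls and runs in plain Ruby. The `users` table, its column names and the attacker string are made up for the example.

```ruby
# Added illustration, not ActiveRecord's own code: a miniature query builder
# that mimics the two ways Rails lets you write a WHERE condition (a raw SQL
# fragment you interpolated yourself vs. a fragment with "?" placeholders and
# bind values) and shows why only the second is injection-safe, and why
# neither protects an identifier position (SELECT list, GROUP BY).
# Table and column names below are made up for the example.
module MiniQuery
  ALLOWED_COLUMNS = %w[id name email created_at].freeze

  # Render a Ruby value as a SQL literal. Strings are single-quoted with any
  # embedded quote doubled (the standard SQL escape that adapters apply);
  # numbers and NULL pass through unquoted.
  def self.quote(value)
    case value
    when Integer, Float then value.to_s
    when nil then "NULL"
    else "'#{value.to_s.gsub("'", "''")}'"
    end
  end

  # Placeholder form, e.g. sanitize("name = ?", input): each "?" is replaced
  # by a quoted literal, so the input can never terminate the string or add a
  # clause. This is the shape of where("name = ?", input) in Rails.
  def self.sanitize(fragment, *binds)
    raise ArgumentError, "bind count mismatch" unless fragment.count("?") == binds.size
    i = -1
    fragment.gsub("?") { quote(binds[i += 1]) }
  end

  # Fragment form, e.g. raw("name = '#{input}'"): the caller has already
  # pasted the input into SQL, so nothing is left for the builder to escape.
  # This is the shape of where("name = '#{input}'") in Rails, or of
  # mysql_query("... '$input' ...") in old-style PHP.
  def self.raw(fragment)
    fragment
  end

  # Identifier positions cannot take a bound literal ('name' is a string,
  # not a column), so the only defence is an allow-list of column names.
  def self.column(name)
    raise ArgumentError, "unknown column: #{name.inspect}" unless ALLOWED_COLUMNS.include?(name)
    name
  end

  # Assemble a full statement: every identifier is allow-listed, the WHERE
  # clause is whatever fragment the caller produced with raw or sanitize.
  def self.select_where(where_sql, select_cols: ["*"], group: nil)
    cols = select_cols.map { |c| c == "*" ? c : column(c) }
    sql = "SELECT #{cols.join(', ')} FROM users WHERE #{where_sql}"
    sql += " GROUP BY #{column(group)}" if group
    sql
  end
end

# Constructed attacker input: closes the string literal and appends a
# tautology so the condition matches every row.
ATTACKER = "x' OR '1'='1"

def injected_sql
  MiniQuery.select_where(MiniQuery.raw("name = '#{ATTACKER}'"))
end

def safe_sql
  MiniQuery.select_where(MiniQuery.sanitize("name = ?", ATTACKER))
end

if $PROGRAM_NAME == __FILE__
  puts injected_sql # ... WHERE name = 'x' OR '1'='1'      -> two conditions, matches every row
  puts safe_sql     # ... WHERE name = 'x'' OR ''1''=''1'  -> one literal, matches nothing
end
```

The `raw` path is exactly what rails-sqli.org's fragment examples rely on, and it is the same mistake as string-interpolating into `mysql_query` in PHP: the framework never sees a separate value to quote. The `:select`/`:group` case is different in kind, which is why `column` rejects anything not on the allow-list rather than trying to quote it; there is no literal syntax for "this column name" that a database will accept in that position.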
Re: (Score:3)
Due to Ruby's extensive support for metaprogramming, Rails ends up being a cross between a language and a framework.
Re: (Score:0)
Ruby on Rails is a framework and should have classes/methods to handle SQL queries, just like any proper framework. Ruby and PHP are languages and shouldn't do that.
But PHP does. Literally in the language - like the mysql functions are fucking reserved words. That's how painful PHP is.