[0xDEADFED5]

i have nightmares from PHP, too, so i get where you're coming from. but i think you'd have to go back at least a decade to find tutorials that bad

[JimDabell]

Not an SQL injection, but I opened Google in a private browsing window, searched for “php mysql tutorial”, and it brought me to the W3Schools tutorial, which has multiple other vulnerabilities relating to how PHP just dumps its output into HTML unescaped without a second thought. At a glance, I see obvious XSS and open redirect vulnerabilities.

https://www.w3schools.com/php/php_mysql_select.asp

[cess11]

W3Schools being consistently shit for decades doesn't really reflect badly on PHP specifically.

[JimDabell]

It’s the top hit for “PHP MySQL tutorial”. This is what PHP newbies are learning from.

The same tutorial with Django wouldn’t have the same problem because Django auto-escapes strings you dump into HTML. These vulnerabilities only exist in this tutorial because PHP treats its output as HTML by default not text, so you need to put in extra effort to be secure.

[cess11]

Django is a framework. If you want to compare against it you'd look at Laravel tutorials.

[JimDabell]

It’s how people write code for the web with Python. Substitute Flask if you like.

People who are new to PHP and want to learn how to use MySQL will search for “PHP MySQL tutorial” and they will find insecure garbage.

The fact that you can find good tutorials does not negate the fact that people do find terrible ones.

[cess11]

And that never happens with Python? No one has ever published garbage articles about it?