[JimDabell]

It’s the top hit for “PHP MySQL tutorial”. This is what PHP newbies are learning from.

The same tutorial with Django wouldn’t have the same problem because Django auto-escapes strings you dump into HTML. These vulnerabilities only exist in this tutorial because PHP treats its output as HTML by default not text, so you need to put in extra effort to be secure.

[cess11]

Django is a framework. If you want to compare against it you'd look at Laravel tutorials.

[JimDabell]

It’s how people write code for the web with Python. Substitute Flask if you like.

People who are new to PHP and want to learn how to use MySQL will search for “PHP MySQL tutorial” and they will find insecure garbage.

The fact that you can find good tutorials does not negate the fact that people do find terrible ones.

[cess11]

And that never happens with Python? No one has ever published garbage articles about it?

[JimDabell]

That are the top hit on Google for a common beginner query and contain multiple vulnerabilities caused by a flaw unique to the language?

And we aren’t talking about an article, we’re talking about a tutorial. There’s a very big difference between the two, why are you switching? Tutorials are obviously vastly more important to beginners.

Let me remind you of the context:

> > Mixing server side and front end code is bad news. I think following many PHP-MySql tutorials will result in SQL injection vulnerabilities. Not good.

> i think you'd have to go back at least a decade to find tutorials that bad

This is something that is harming people learning PHP today, not the distant past.

[cess11]

XSS is unique to PHP? Wait a minute while I go check with OWASP.

[JimDabell]

Let me quote an earlier part of the discussion:

> The same tutorial with Django wouldn’t have the same problem because Django auto-escapes strings you dump into HTML. These vulnerabilities only exist in this tutorial because PHP treats its output as HTML by default not text, so you need to put in extra effort to be secure.