[wp-hackers] Making WP more secure the evolutionary way

Daniel Torreblanca regulatethis at gmail.com
Mon Jan 26 22:24:24 GMT 2009


Although your own code may be perfect 100% of the time, not everyone
else's is. Not only that, but if there were a bug in the
implementation of whatever theoretical API we are talking about, it'd
be a bug that is fixed in one place, which is always better than
having to comb through more code than necessary. This is basic common

I also happen to know SQL and how to create properly structured and
escaped queries (I'm sure most of the people on this list are in the
same boat), but in most cases I find it much simpler to work with
something abstract rather than what boils down to tedious and
error-prone string concatenating. In rare cases it is better to do
something directly, and for that reason there should always be a
direct query method but its use should be the exception rather than
the rule.

You also seem to be concerned about performance losses from using
something like this (correct me if I'm wrong, sometimes I have trouble
understanding your points) - I'd be incredibly surprised if there were
any noticeable cost involved in this sort of abstraction that wouldn't
be incurred (and possibly surpassed) by doing this work by hand every
time you need to construct a SQL query. Even if such a performance hit
was found after performing some benchmarking, I think it'd be a matter
of weighing the pros and cons - adding a few milliseconds (if that) to
response time in favor of greater security, more easily maintainable
code and consistency might very well be worth it.


On Mon, Jan 26, 2009 at 4:41 PM, Jacob Santos <wordpress at santosj.name> wrote:
> This is *exactly* what I don't want to see WordPress use. The
> implementations that I've seen haven't been optimized that well. It is the
> same sort of setup that CodeIgniter uses (whom coincidently calls their
> model Active Record, are they wrong with the pattern name? Most likely) and
> I despise it with a passion. The problem is that it will never be as fast
> as:
> $db->query(SQL_HERE);
> Most of the code in CodeIgniter makes use of arrays, checks and iteration
> that inherently adds to the implementation and slows the process down.
> Furthermore, I know SQL and I know how to protect against being raped. Why
> do I need something that holds my hand? In the off-chance that there is
> something I didn't forsee occurring that leads me to being taken advantage
> of against my will? Doubtful, who is to say there wouldn't be a bug in this
> sort of implementation? Most new APIs have bugs and we'll be throwing
> ourselves on an API that would have be seriously tested both for
> functionality and security.
> Jacob Santos
> Otto wrote:
>> I used the Zend Table stuff for a while, and I liked it to a certain
>> extent. It looks like this:
>> $selectstmt = $table->select()->where('whatever = ?',
>> $whatever)->order('something ASC');
>> $row = $table->fetchRow($selectstmt);
>> This would get a row as an object (one predefined by a class for that
>> row type), or as a generic row if you didn't define it as something
>> special. You could also get multiple rows like so:
>> $rows = $table->fetchAll($selectstmt);
>> This gives you a "RowSet", which was just a fancied up array of Rows.
>> It's really quite clever, and the classes allow for specifying the
>> dependent tables as well, which could then be automatically retrieved
>> based on the parent tables (internally it uses joins to do this).
>> Clever.
>> -Otto
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list