Board: Bitcoin Discussion
Re: [Full Disclosure] Live mtgox.com trade matching bug.
by jrmithdobbs on 28/06/2011, 13:06:04 UTC
He programs large blocks of code and does insufficient testing, leaving the community of users to suffer the consequences. MtGox no longer deserves the privilege of keeping bugs and security flaws private.
He also has (by his own admission) written his own in-house MySQL DAO code instead of using a public, well-vetted one. He says it doesn't use bind values. He doesn't understand why this is bad:

(This is edited to leave irrelevant pieces out, please feel free to verify with anyone else logging #mtgox.)
Quote
[17:57:31] dehuman: we had been working on security, I can guarantee there is no SQLi right now
[17:57:45] MagicalTux: how can you say so with confidence?
[17:57:51] are you using parameterized queries?
[17:58:01] everywhere
[17:58:07] go1dfish: because I know each and every line of the code, and we mostly use either DAO
[17:59:21] just make good code and things are fine
[17:59:49]   @MagicalTu : just make good code and things are fine
[17:59:58] thats kinda a slap in the face dont you think?
[18:00:08] dehuman: healthy code is important for a healthy security & business
[18:00:46] we've been busy for 2 months rewriting Mt.Gox
[18:00:49] you exposed 60,000 client's information
[18:01:02] i wouldn't talk about healthy code, healthy security, healthy business
[18:01:06] not yet
[18:01:08] dehuman: new code is healthy
[18:01:10] quite a bit premature for that
[18:01:30] MagicalTux: looks like DAO doesn't protect against SQLi by default
[18:01:36] your using bound parameters everywhere?
[18:02:23] go1dfish: DAO makes SQLi impossible, since queries are not built by the dev
[18:02:36] go1dfish: now it just depends how you do that
[18:03:18] good show, you shouldn't be writing sql by hand for mt gox
[18:03:42] go1dfish: \DB::DAO('Table')->insert(array('Field' => $value));
[18:04:36] MagicalTux: cool, yeah that should be pretty resiliant against injection assuming the underling DAO implementation is sane
[18:05:02] go1dfish: the DAO implementation was written by us, and makes sure everything is escaped correctly, including table & field names
[18:05:15] you wrote your own DAO?
[18:05:20] why the hell would you want to do that?
[18:05:25] so does this mean previously mtgox didn't use any type of DAO pattern?
[18:05:27] I mean, im no EXPERT...
[18:05:34] Ox41: I'm hoping thats a misunderstanding
[18:05:39] 'dont reinvent the wheel'
[18:05:41] go1dfish: I doubt it is
[18:05:47] Ox41: it's part of our framework

Just sayin'.

Quote
Did you fail to read the part about responsible disclosure?
http://en.wikipedia.org/wiki/Responsible_disclosure
They are two separate but related concepts. I subscribe to the former and deem the latter unnecessary in cases such as these where the company in question has a track record like mtgox.
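As an added illustration of the bind-values point argued above (this is not code from the thread or from Mt.Gox), here is a hypothetical DAO in Python/sqlite3 shaped like the `DAO('Table')->insert(array('Field' => $value))` call quoted in the log: values travel as bind parameters rather than being escaped into the SQL text, and table and column names, which cannot be bound, are allowlisted against the live schema instead of "escaped". The `accounts` schema and all sample values are constructed for the example.

```python
import re
import sqlite3

# Constructed sample schema for this example, not Mt.Gox's real tables.
SCHEMA = "CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT, balance REAL)"
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class DAO:
    """Hypothetical DAO shaped like DAO('Table')->insert([...]) from the log.
    Values never enter the SQL text (bind parameters); identifiers cannot be
    bound, so they are allowlisted against the live schema instead of escaped."""
    def __init__(self, conn, table):
        if not IDENT.match(table):
            raise ValueError(f"bad table name: {table!r}")
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({table})")]
        if not cols:
            raise ValueError(f"unknown table: {table!r}")
        self.conn, self.table, self.cols = conn, table, set(cols)

    def _col(self, name):
        if name not in self.cols:  # refuse anything the schema does not define
            raise ValueError(f"unknown column: {name!r}")
        return f'"{name}"'

    def insert(self, row):
        cols = [self._col(c) for c in row]
        sql = (f'INSERT INTO "{self.table}" ({", ".join(cols)}) '
               f'VALUES ({", ".join("?" for _ in cols)})')
        self.conn.execute(sql, tuple(row.values()))  # data travels out-of-band
        return sql

    def find(self, field, value):
        sql = f'SELECT * FROM "{self.table}" WHERE {self._col(field)} = ?'
        return self.conn.execute(sql, (value,)).fetchall()


def demo():
    """Store a value full of SQL syntax characters and read it back unchanged."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    dao = DAO(conn, "accounts")
    tricky = "o'neil'); --"  # constructed: looks like SQL, is only data
    sql = dao.insert({"email": tricky, "balance": 1.5})
    rows = dao.find("email", tricky)
    try:
        dao.insert({"nickname": "y"})  # column not in schema: refused, not escaped
        rejected = False
    except ValueError:
        rejected = True
    return rows, rejected, sql
```

The returned SQL string contains only placeholders, so no escaping routine ever has to be right about the data; the identifier check is the one place where a hand-written DAO still has to validate, and a schema allowlist is stricter than quoting.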