At 10:12 AM -0400 10/20/08, Daniel Brown wrote:
On Mon, Oct 20, 2008 at 10:02 AM, tedd <[EMAIL PROTECTED]> wrote:

 I hate it when people take things out of context and misquote others. Chris
 did not say that one way was better, or different, than the other. But
 rather he used two sets of code to illustrate a point.

    Welcome back, Grum-pa.  Glad to see you're willing to flame people
whose first language is not English.  ;-P

If he wanted my advice in a different language, then he should have asked his question in that language. That way I could have ignored him in mine. Besides, I'm not flaming in his language, so that should balance out.

In this case, the introduction chapter of Chris' PHP Security clearly states several things one can do to simplify the task of security. One of which is to understand that the way you code can hide tainted variables.

Chris illustrated his "tainted" point by asking the reader to compare these two structures:

[1]

$search = isset($_GET['search']) ? $_GET['search'] : '';

[2]

$search = '';
if (isset($_GET['search']))
   {
   $search = $_GET['search'];
   }

He ALSO said that:

-- quote

"The approach is identical, but one line in particular now draws much attention:

 $search = $_GET['search'];

Without altering the logic in any way, it is now more obvious whether $search is tainted and under what conditions."

-- un-quote

Now, instead of the OP getting the point, the OP flies off on a tangent asking us "what's the difference in the following code?" and of course the answer is "There is no difference." BUT, Chris didn't say there was, as was implied by the OP in his post.

Sure I can understand language problems, but this thread was started because the OP couldn't understand a simple concept that was stated in less than ten (10) sentences. Our collective replies amounted to more lines than that -- with the obvious language problems the OP has with the written word, who knows what the OP thinks now.

But the point is that Chris did not say there WAS a difference as was implied by the OP -- and that was my point.

Cheers,

tedd
--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com
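An added worked example, not from tedd's message or from Chris's book: it puts the two structures quoted above side by side and then carries on to the step that spotting the tainted line is meant to prompt, namely filtering the value and escaping it for the context it is used in. $_GET is populated by hand so the script runs from the command line; the whitelist rule in filterSearch() and the function names (filterSearch, renderSearchForm) are this example's own choices, not anything from the original thread.

```php
<?php
// Added example; not code from Chris Shiflett's book or from tedd's post.
// The two assignments below are the structures quoted in the thread.
// filterSearch() and renderSearchForm() are this example's own helpers.

declare(strict_types=1);

// Constructed sample input, standing in for a request such as
// ?search=<script>alert(1)</script>. In a real request PHP fills $_GET.
$_GET['search'] = '<script>alert(1)</script>';

// [1] ternary form: the tainted assignment is folded into one expression
$search = isset($_GET['search']) ? $_GET['search'] : '';

// [2] explicit form: "$search = $_GET['search'];" stands on its own line,
// so the single point where $search becomes tainted is easy to see in review
$search = '';
if (isset($_GET['search'])) {
    $search = $_GET['search'];   // $search is tainted from here on
}

/**
 * Filter step: accept only what a search term should look like and
 * reject everything else. Returns the value unchanged if it passes,
 * or '' if it does not. (The whitelist rule is an assumption made
 * for this example; a real application would pick its own.)
 */
function filterSearch(string $raw): string
{
    if (strlen($raw) > 100) {
        return '';
    }
    // letters, digits, space and a few punctuation characters only
    if (preg_match('/^[\p{L}\p{N} .,\'-]*$/u', $raw) !== 1) {
        return '';
    }
    return $raw;
}

/**
 * Escape step: the value is going into an HTML attribute, so escape for
 * that context. This is done regardless of filtering, because filtering
 * decides what is acceptable input and escaping decides how it is
 * represented in the output; the two are separate jobs.
 */
function renderSearchForm(string $term): string
{
    $safe = htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="search" value="' . $safe . '">';
}

// The constructed input above fails the filter and renders as an empty value.
echo renderSearchForm(filterSearch($search)), PHP_EOL;

// A value that passes the filter is still escaped on output.
echo renderSearchForm(filterSearch("O'Reilly books")), PHP_EOL;
```

Run it with `php example.php`. The point of writing the assignment out as in [2] is that a reviewer scanning the file can find every line where data crosses from $_GET into a local variable and check that a filter such as filterSearch() sits between that line and the first use of the variable.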

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
