At 2:29 PM -0400 5/19/11, Alex Nikitin wrote:
Also, don't declare a bunch of needless variables for their one-time use,
don't compare unsanitized strings with a binary-unsafe operator, and server
variables contain a link to the current script; here are examples of what I mean:

I object.

First of all, 'needless' is in the eye of the beholder. I've seen tons of 'needless' comments about how programmers waste precious space by declaring needless variables because they can do things more cryptically. I've also heard in the past how programmers should be cryptic and even shorten their variable names, not use indenting, and do all sorts of other nonsense to save space and make their code run quicker.

However, they forget a couple of important considerations.

1. Code running tomorrow will run faster and cost less to store than today. That's a fact, and while we can argue, the argument becomes less important as time passes. If I don't win this argument today, I will win it tomorrow.

2. I also claim that if I can make my code more readable and easier to maintain by adding a 'needless' variable now and then, then it's well worth the cost. And as I said before, that cost is reducing every day, while maintaining readable code is becoming more important. So again, I'll eventually win this argument.

So, whenever you feel in the mood, create another 'needless variable' because they need love too!

-$self = basename($_SERVER['SCRIPT_NAME']);
+$self = $_SERVER['PHP_SELF'];
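Review bot: the `+` line changes the value, not just the spelling: `$_SERVER['PHP_SELF']` is the full URI path of the script, including any extra path segment the client appends after the script name, whereas `basename($_SERVER['SCRIPT_NAME'])` is only the file name. Because the client controls that trailing segment, `$self` becomes attacker-influenced and must go through `htmlspecialchars()` before it is echoed into a form action; the original expression does not carry that suffix. If the intent is merely to drop a temporary, keep the `basename()` form.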

They return different things. I want the name of the script.

-$submit = isset($_POST['submit']) ? $_POST['submit'] : null;
-if($submit == 'Submit')
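Review bot: the two `-` lines are deleted without a visible replacement, and a bare `if($_POST)` would enter the form-handling branch for any non-empty POST body rather than only when the Submit button was sent. The `isset()` guard being removed is the right check for that; the one tightening worth making is `$submit === 'Submit'` so the comparison stays strict.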


if($_POST) what?

I'm cleaning the POST variable. If the user has not clicked "Submit", then I don't want to evaluate the POST. Sure, there are ways to forge and pass a POST variable, but this is one step in cleaning a superglobal.


-$pw = 'pw'; // define your password here
-$user_id = isset($_POST['user_id']) ? $_POST['user_id'] : null;
-$password = isset($_POST['password']) ? $_POST['password'] : null;
-if (($user_id == $id) AND ($password== $pw))

+$pw='1a91d62f7ca67399625a4368a6ab5d4a3baa6073'; //sha1 hash of the
password: php -r "echo sha1(\"pw\");"
+if (@strcmp($id, $_POST['user_id']) == 0 && strcmp($pw,
sha1($_POST['password'])) == 0)
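Review bot: `strcmp(...) == 0` on the `+if` line is a loose comparison, and the `@` hides exactly the warning that would signal the problem: if the client submits `user_id[]=x`, `$_POST['user_id']` is an array, `strcmp()` (PHP 5/7) emits a warning and returns NULL, and `NULL == 0` is true, so the user-id half of the check passes. Replace the `@` with `isset()` on both fields, reject non-strings with `is_string()`, and compare with `=== 0` (or simply `sha1($_POST['password']) === $pw`). Storing the digest instead of the plaintext is an improvement, but an unsalted SHA-1 of a short password is brute-forced in seconds if the source ever leaks, so the comment should not suggest it protects the password itself.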


Here's the problem -- where's the novice going to get the hash for the password?

I don't want to force the novice into another step in this demo.

Besides, the only way that an evil doer can see the code in text is *if* there is a problem with the server -- isn't that right? If that's the case, then there's more problems here than what the user could have planned for.

However, if there is another way, please explain.
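As an added example, not code from the thread or from either poster: a hardened form of the login check under discussion. The novice generates the SHA-1 digest once from the command line and pastes it into the source, the POST fields are guarded with `isset()` and `is_string()` instead of `@`, and the comparison is strict. The names `$id`, `$pw_hash`, `check_login()` and the form field names are illustrative assumptions.

```php
<?php
// Added example (not from the mailing-list thread). Assumed names: $id is the
// expected user id, $pw_hash the stored SHA-1 digest, check_login() the guard.

// The novice generates the stored digest once, from the command line:
//   php -r 'echo sha1("pw"), PHP_EOL;'
// and pastes the result here instead of the plaintext password.
$id      = 'admin';                                     // illustrative user id
$pw_hash = '1a91d62f7ca67399625a4368a6ab5d4a3baa6073'; // sha1("pw"), as in the thread

/**
 * Return true only if $post carries a matching user_id and password.
 *
 * - isset() replaces the @-suppression: a missing field is simply a failed login.
 * - is_string() rejects arrays: a client can send user_id[]=x, and passing an
 *   array to strcmp() or sha1() yields NULL plus a warning in PHP 5/7, so a
 *   loose `strcmp(...) == 0` would be satisfied because NULL == 0.
 * - === on the digest strings keeps the comparison strict.
 *   (On PHP 5.5+ password_hash()/password_verify() would be the better choice;
 *   plain SHA-1 is kept here only to match the snippet being discussed.)
 */
function check_login(array $post, $id, $pw_hash)
{
    if (!isset($post['user_id'], $post['password'])) {
        return false;
    }
    if (!is_string($post['user_id']) || !is_string($post['password'])) {
        return false;
    }
    $id_ok = ($post['user_id'] === $id);
    $pw_ok = (sha1($post['password']) === $pw_hash);
    return $id_ok && $pw_ok;
}

// Evaluate the form only when the Submit button was actually sent.
if (isset($_POST['submit']) && $_POST['submit'] === 'Submit') {
    if (check_login($_POST, $id, $pw_hash)) {
        echo "Welcome\n";
    } else {
        echo "Login failed\n";
    }
}

// Constructed inputs to exercise the guard from the CLI (php thisfile.php):
if (PHP_SAPI === 'cli') {
    var_dump(check_login(array('user_id' => 'admin', 'password' => 'pw'), $id, $pw_hash));
    var_dump(check_login(array('user_id' => 'admin', 'password' => 'wrong'), $id, $pw_hash));
    var_dump(check_login(array('user_id' => array('x'), 'password' => 'pw'), $id, $pw_hash));
    var_dump(check_login(array(), $id, $pw_hash));
}
```

Run it with `php thisfile.php` to see the four constructed cases: only the first (correct id and password) succeeds; the array-valued `user_id` and the empty POST are rejected before any comparison happens.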




PHP General Mailing List (