On Tue, Mar 12, 2002 at 11:34:14AM +0800, Jason Wong wrote:
> On Tuesday 12 March 2002 11:11, Analysis & Solutions wrote:
> > On Mon, Mar 11, 2002 at 08:39:16PM -0500, webapprentice wrote:
> > > From: Jason Wong <[EMAIL PROTECTED]>
> > >
> > > On Monday 11 March 2002 11:10, Chris Cocuzzo wrote:
> > > > $foo = "Entry for " . $HTTP_POST_VARS["name"];
> > >
> > > $foo = "Entry for $HTTP_POST_VARS[name]";
> >
> > But that's not good programming.  Associative arrays should have the key
> > quoted in order to avoid confusion with constants.
> Inside of double-quoted strings there is no need to single-quote the array 
> key (in fact it can't be done, gives syntax error). The section of the manual 
> you quoted states this :)

Yes.  Quoting the array key inside a string is not correct.  Never said
it was.  Now that I think about it, though, if you use the associative
array inside a string, there's no way the string key can be confused
with a constant, so the main point of my initial post is moot.  So,
you're right that the following is kosher:

   $foo = "Entry for $HTTP_POST_VARS[name]";

> For security reasons. To make sure the variable did come from POSTing a form 
> and not from the URL.

Neither is more or less secure.  The source of the data doesn't matter.  
Regardless of where the info is from, validating user input is the only
way to ensure security.



                PHP scripts that make your job easier
         SQL Solution  |  Layout Solution  |  Form Solution
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
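
The point made in the message above, that validation rather than the request method is what protects the script, shown as an added example that is not part of the original post. It assumes the modern `$_POST`/`$_GET` superglobals in place of `$HTTP_POST_VARS` (removed in PHP 5.4); the function names, the allowlist rule and the sample inputs are constructed for illustration.

```php
<?php
// Added example: the same validation is applied whether the array passed in
// is $_POST, $_GET or anything else, because a client can forge either one.

/**
 * Return the validated name, or null if the input is unacceptable.
 * Assumed rule for this example: 1-64 characters, limited to letters,
 * digits, spaces, periods, apostrophes and hyphens.
 */
function validate_name($raw): ?string
{
    if (!is_string($raw)) {
        return null;                 // e.g. name[]=x arrives as an array
    }
    $name = trim($raw);
    // The /u modifier also makes preg_match fail on invalid UTF-8.
    if (preg_match('/^[\p{L}\p{N} .\'-]{1,64}\z/u', $name) !== 1) {
        return null;
    }
    return $name;
}

/** Build the "Entry for ..." line from any request array. */
function entry_line(array $request): string
{
    $name = validate_name($request['name'] ?? null);
    if ($name === null) {
        return 'Invalid name';
    }
    // Validation decides what is accepted; escaping is still done at
    // output time for the context the value lands in (HTML here).
    return 'Entry for ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs standing in for $_POST or $_GET.
$samples = [
    ['name' => "Anne O'Neil"],
    ['name' => '<b>Chris</b>'],
    ['name' => ['nested']],
    [],
];
foreach ($samples as $request) {
    echo entry_line($request), PHP_EOL;
}
```

In a real handler the call would be `entry_line($_POST)`; passing `$_GET` instead changes nothing about what is accepted or rejected.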
