Re: [PHP] what's the difference in the following code?

2008-10-25 Thread Chris Shiflett

On Oct 23, 2008, at 2:10 PM, Jochem Maas wrote:

>> The order is reversed, so if $host has a non-zero length, it is not
>> escaped.
>
> first thing that I noticed, second wondering why no charset was specified,
> thirdly was wondering why it's not plain:
>
> $host = htmlentities($host);
>
> but nonetheless your point stands, :-)


Yeah, fair enough.

To my credit, I also noticed the problem without spending more than a  
second or two on that line, but I also recognized how it could be  
missed. To me, it's similar to missing when someone calls a function  
and gets the order of arguments wrong. You can tell what they meant,  
so the error doesn't stand out as boldly. Perhaps subconsciously you  
anticipate that they're right, because in most of the code, they are.


The challenge of being perfect is why I've developed a number of tools  
to help me out. I'm going to release one of the best of these as open  
source in a few months. I might mention that on this list, since it  
seems appropriate. Hopefully no one will mind the advertising too  
much. :-)


> now about that charset ... your blog post uses UTF-7 to demonstrate the
> potential for problems ... but htmlentities() doesn't support that charset,
> or at least not according to the docs, in fact the list of supported charsets
> is quite limited, out of curiosity what would your recommendation be
> if one is faced with having to 'htmlentize' a string encoded in UTF-7 or
> some other charset not supported by htmlentities()?


That's a good question. I would probably convert it to something like  
UTF-8, escape it, then convert it back. I've never faced this  
situation, and the scenario I was recreating in my post was when  
someone attacked Google using UTF-7. Google didn't actually want to  
support that character encoding.


If you specify ISO-8859-1 in your Content-Type header, it's actually  
fine to omit the character encoding in htmlentities(), because it uses  
that by default. (Also, not all mismatches are exploitable.) However,  
it always catches my eye, because it demonstrates a lax treatment of  
character encoding in general. I like to see it explicitly declared  
everywhere.


> a second question: strip_tags() doesn't have a charset parameter, how does
> it manage to cope without knowing the input string encoding? or does it
> not and is it actually vulnerable to maliciously encoded input?


My guess would be that it doesn't cope. :-) I never use strip_tags(),  
so someone else might be able to offer a much better answer.


Hope that helps, and thanks for the discussion.

Chris

--
Chris Shiflett
http://shiflett.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
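An added example, not code from the thread, of the convert-escape-convert-back approach Chris describes above, with the charset declared explicitly both in htmlentities() and in the Content-Type header so the browser has nothing to sniff. It needs ext/mbstring for the UTF-7 conversion; the function names and the UTF-7 payload are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example; not code from the thread. Needs ext/mbstring for UTF-7.

// State the charset up front, before any output, so the browser has no
// reason to guess; it must be the same charset given to htmlentities().
const PAGE_CHARSET = 'UTF-8';
header('Content-Type: text/html; charset=' . PAGE_CHARSET);

/**
 * HTML-escape $input that arrives in $inputCharset, a charset that
 * htmlentities() may not support (UTF-7 here). The string is converted
 * to UTF-8, escaped with the charset named explicitly, and converted back
 * to the charset the page is served in.
 */
function escapeHtmlFrom(string $input, string $inputCharset, string $outputCharset = PAGE_CHARSET): string
{
    $utf8    = mb_convert_encoding($input, 'UTF-8', $inputCharset);
    $escaped = htmlentities($utf8, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return mb_convert_encoding($escaped, $outputCharset, 'UTF-8');
}

// Constructed payload: "<script>alert(1)</script>" written in UTF-7, the
// encoding the Google example relied on. Every byte is plain ASCII.
$utf7 = '+ADw-script+AD4-alert(1)+ADw-/script+AD4-';

// Escaped as if it were ISO-8859-1 (the old default), nothing looks special
// and the string passes through unchanged. A browser left to sniff the
// encoding can decode it as UTF-7 and run the script.
$naive = htmlentities($utf7, ENT_QUOTES, 'ISO-8859-1');

// Decoded to UTF-8 first, the angle brackets are real and get escaped.
$safe = escapeHtmlFrom($utf7, 'UTF-7');

printf("naive: %s (%s)\n", $naive, $naive === $utf7 ? 'passed through unchanged' : 'changed');
printf("safe : %s\n", $safe);
```

The first line of output shows the UTF-7 payload surviving htmlentities() untouched; the second shows `&lt;script&gt;alert(1)&lt;/script&gt;`, which is why the declared charset and the one passed to htmlentities() must agree.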



Re: [PHP] what's the difference in the following code?

2008-10-24 Thread Yeti
> The difference between the examples is still nothing; they do the same.
> But I never use the short version of if, because when I look after some months
> at some projects I have a better overview when there is a long if; it's much
> easier to extend.

As explained a couple of times already - there is not supposed to be a
difference.
It's about security and making code maintenance easier.

[quote to Chris's former post]
(..) imagine you're manually reviewing a colleague's code, and you're
looking through a few thousand lines to try to help identify security
problems. (..)
[end quote]

It's the old What's good code and what's bad code? discussion.
In this case ternary operations are bad code.

sorry for my bad english
The code does not differ in execution. It is a security question.
sorry for my bad German

//A yeti




Re: [PHP] what's the difference in the following code?

2008-10-23 Thread Chris Shiflett

On Oct 17, 2008, at 1:58 PM, Lamp Lists wrote:

> I'm reading Essential PHP Security by Chris Shiflett.
>
> on the very beginning, page 5 & 6, if I got it correct, he said this
> is not good:
>
> $search = isset($_GET['search']) ? $_GET['search'] : '';
>
> and this is good:
>
> $search = '';
> if (isset($_GET['search']))
> {
>    $search = $_GET['search'];
> }
>
> what's the difference? I really can't see?


I believe I was trying to emphasize how simple, obvious code can be a  
boon to security. I'm sure I could have picked a better example, but  
let me show you a line of code I noticed in a security audit just  
yesterday (only the variable name has been changed to be generic):


$host = strlen($host) > 0 ? $host : htmlentities($host);

We have developed tools to help us find things like this, but imagine  
you're manually reviewing a colleague's code, and you're looking  
through a few thousand lines to try to help identify security problems.


In this particular example, my first thought was to suggest specifying  
the character encoding when using htmlentities(), and making sure this  
matches the Content-Type header, to avoid things like this:


http://shiflett.org/blog/2005/dec/google-xss-example

You might also be distracted by the comparison of strlen() to 0, since  
it seems like you could simply rely on a boolean evaluation of  
strlen() instead.


Can you spot the bigger problem?

The order is reversed, so if $host has a non-zero length, it is not  
escaped.


When spending mere seconds per line, on average, reviewing a lot of  
code, this is exactly the sort of thing that's not that hard to miss.  
The real question is whether it would be slightly harder to miss if  
expanded:


if (strlen($host) > 0) {
   $host = $host;
} else {
   $host = htmlentities($host);
}

I think it's much less likely to be overlooked when written like this,  
and this is the sort of decision that many developers take for  
granted. If you're too proud to admit that the ternary is less  
obvious, or too proud to admit that you could ever make a mistake like  
this, maybe you can at least convince yourself that not everyone is as  
clever as you, and code that is easier to review is ultimately going  
to be better code.


Hope that helps,

Chris

--
Chris Shiflett
http://shiflett.org/



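As an added example (not code from the thread or from the audited application), here is the audited line next to the expanded if/else and the plain form, run against a constructed XSS payload so the swapped branches show up in the output. It also bears out Rob's later remark that escaping an empty string is harmless, so the length test has no purpose. The function names, the charset constant and the payload are my own.

```php
<?php
declare(strict_types=1);

// Added example; not code from the thread. It puts the audited line next to
// the expanded if/else and the plain form, and runs all three on a constructed
// XSS payload so the swapped branches show up in the output.

const PAGE_CHARSET = 'UTF-8';

/** The line as it appeared in the audit: the branches are swapped, so any
 *  non-empty $host is returned verbatim. Left wrong on purpose. */
function escapeHostAsAudited(string $host): string
{
    return strlen($host) > 0 ? $host : htmlentities($host);
}

/** The intended logic written out, with the charset stated. The branch that
 *  would hand $host through unescaped is now a line of its own. */
function escapeHostExpanded(string $host): string
{
    if (strlen($host) > 0) {
        $host = htmlentities($host, ENT_QUOTES | ENT_SUBSTITUTE, PAGE_CHARSET);
    } else {
        $host = '';
    }
    return $host;
}

/** The form with nothing to get wrong: escaping an empty string yields an
 *  empty string, so the length test buys nothing. */
function escapeHost(string $host): string
{
    return htmlentities($host, ENT_QUOTES | ENT_SUBSTITUTE, PAGE_CHARSET);
}

/** True when the value could still close a tag or an attribute. */
function containsRawMarkup(string $s): bool
{
    return strpbrk($s, '<>"\'') !== false;
}

// Constructed payload: what an attacker would put in a host name.
$payload = '"><script>alert(document.cookie)</script>';

foreach (['escapeHostAsAudited', 'escapeHostExpanded', 'escapeHost'] as $fn) {
    $out = $fn($payload);
    printf("%-20s %-9s %s\n", $fn . ':', containsRawMarkup($out) ? 'UNESCAPED' : 'escaped', $out);
}

// Empty input: all three agree, which is why the strlen() test is dead weight.
printf("empty input: %s\n", escapeHost('') === '' ? 'unchanged' : 'changed');
```

Only the first line of output is marked UNESCAPED; the audited line returns the payload untouched because the non-empty branch is the one that skips htmlentities().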



Re: [PHP] what's the difference in the following code?

2008-10-23 Thread Robert Cummings
On Thu, 2008-10-23 at 11:00 -0400, Chris Shiflett wrote:
> On Oct 17, 2008, at 1:58 PM, Lamp Lists wrote:
>
>> I'm reading Essential PHP Security by Chris Shiflett.
>>
>> on the very beginning, page 5 & 6, if I got it correct, he said this
>> is not good:
>>
>> $search = isset($_GET['search']) ? $_GET['search'] : '';
>>
>> and this is good:
>>
>> $search = '';
>> if (isset($_GET['search']))
>> {
>>    $search = $_GET['search'];
>> }
>>
>> what's the difference? I really can't see?
>
> I believe I was trying to emphasize how simple, obvious code can be a
> boon to security. I'm sure I could have picked a better example, but
> let me show you a line of code I noticed in a security audit just
> yesterday (only the variable name has been changed to be generic):
>
> $host = strlen($host) > 0 ? $host : htmlentities($host);
>
> We have developed tools to help us find things like this, but imagine
> you're manually reviewing a colleague's code, and you're looking
> through a few thousand lines to try to help identify security problems.
>
> In this particular example, my first thought was to suggest specifying
> the character encoding when using htmlentities(), and making sure this
> matches the Content-Type header, to avoid things like this:
>
> http://shiflett.org/blog/2005/dec/google-xss-example
>
> You might also be distracted by the comparison of strlen() to 0, since
> it seems like you could simply rely on a boolean evaluation of
> strlen() instead.
>
> Can you spot the bigger problem?
>
> The order is reversed, so if $host has a non-zero length, it is not
> escaped.

That was the first thing I noticed. What I still don't understand is why
bother with the strlen? An empty string marked up with htmlentities() is
still an empty string. Now the code has two functions invoked when the
string is non-empty rather than one... htmlentities().

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] what's the difference in the following code?

2008-10-23 Thread tedd

At 11:00 AM -0400 10/23/08, Chris Shiflett wrote:

> On Oct 17, 2008, at 1:58 PM, Lamp Lists wrote:
>
>> I'm reading Essential PHP Security by Chris Shiflett.
>>
>> on the very beginning, page 5 & 6, if I got it correct, he said
>> this is not good:
>>
>> $search = isset($_GET['search']) ? $_GET['search'] : '';
>>
>> and this is good:
>>
>> $search = '';
>> if (isset($_GET['search']))
>> {
>>    $search = $_GET['search'];
>> }
>>
>> what's the difference? I really can't see?
>
> I believe I was trying to emphasize how simple, obvious code can be
> a boon to security.


That's the way I read what you wrote and your example was fine with me.

The problem here is that the OP simply misunderstood what you were 
trying to convey. Because of a language problem, he did not realize 
that you were simply showing how a tainted variable could stand-out 
in one set of code while being obscured in another. Instead, he 
thought you were saying that one method was secure and the other 
wasn't and wanted to have someone explain the difference.


I did my best to convey what I thought you were saying, but all 
clarifications lead to more confusion.


Cheers,

tedd


--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] what's the difference in the following code?

2008-10-23 Thread Jochem Maas
Chris Shiflett schreef:
> On Oct 17, 2008, at 1:58 PM, Lamp Lists wrote:
>
>> I'm reading Essential PHP Security by Chris Shiflett.
>>
>> on the very beginning, page 5 & 6, if I got it correct, he said this
>> is not good:
>>
>> $search = isset($_GET['search']) ? $_GET['search'] : '';
>>
>> and this is good:
>>
>> $search = '';
>> if (isset($_GET['search']))
>> {
>>    $search = $_GET['search'];
>> }
>>
>> what's the difference? I really can't see?
>
> I believe I was trying to emphasize how simple, obvious code can be a
> boon to security. I'm sure I could have picked a better example, but let
> me show you a line of code I noticed in a security audit just yesterday
> (only the variable name has been changed to be generic):
>
> $host = strlen($host) > 0 ? $host : htmlentities($host);
>
> We have developed tools to help us find things like this, but imagine
> you're manually reviewing a colleague's code, and you're looking through
> a few thousand lines to try to help identify security problems.
>
> In this particular example, my first thought was to suggest specifying
> the character encoding when using htmlentities(), and making sure this
> matches the Content-Type header, to avoid things like this:
>
> http://shiflett.org/blog/2005/dec/google-xss-example
>
> You might also be distracted by the comparison of strlen() to 0, since
> it seems like you could simply rely on a boolean evaluation of strlen()
> instead.
>
> Can you spot the bigger problem?
>
> The order is reversed, so if $host has a non-zero length, it is not
> escaped.

first thing that I noticed, second wondering why no charset was specified,
thirdly was wondering why it's not plain:

$host = htmlentities($host);

but nonetheless your point stands, :-)

now about that charset ... your blog post uses UTF-7 to demonstrate the
potential for problems ... but htmlentities() doesn't support that charset,
or at least not according to the docs, in fact the list of supported charsets
is quite limited, out of curiosity what would your recommendation be
if one is faced with a having 'htmlentize' a string encoded in UTF-7 or
some other charset not supported by htmlentities() ?

a second question: strip_tags() doesn't have a charset parameter, how does
it manage to cope without knowing the input string encoding? or does it
not and is it actually vulnerable to maliciously encoded input?





Re: [PHP] what's the difference in the following code?

2008-10-23 Thread Thomas Wicht

On Oct 17, 2008, at 1:58 PM, Lamp Lists wrote:

> I'm reading Essential PHP Security by Chris Shiflett.
>
> on the very beginning, page 5 & 6, if I got it correct, he said this is
> not good:
>
> $search = isset($_GET['search']) ? $_GET['search'] : '';
>
> and this is good:
>
> $search = '';
> if (isset($_GET['search']))
> {
>    $search = $_GET['search'];
> }
>
> what's the difference? I really can't see?




The difference between the examples is still nothing; they do the same.

But I never use the short version of if, because when I look after some 
months at some projects I have a better overview when there is a long if; 
it's much easier to extend.


sorry for my bad english

greetz
Thomas





Re: [PHP] what's the difference in the following code?

2008-10-21 Thread Yeti
OP = original poster (in this case I guess)
http://acronyms.thefreedictionary.com/OP

So it's all about making code readable and probably easier to maintain
(even people unfamiliar with the script).
Doesn't that render the ternary operator IF-statement unnecessary?
Have I been totally wrong using it in countless scripts of mine
(always thought it's a neat way to do if )?
Somebody please tell me that I do not have to rewrite my code base
now, since I care about security.

Btw. PHP's ternary inconsistency here ..
http://en.wikipedia.org/wiki/%3F:#Inconsistency_of_implementations

And how about this ..
switch(isset($_GET['search'])) {
case true:
$search = $_GET['search'];
break 1;

default:
$search = '';
}




Re: [PHP] what's the difference in the following code?

2008-10-21 Thread Jochem Maas
tedd schreef:
> At 6:37 AM -0700 10/20/08, Lamp Lists wrote:
>> - Original Message 
>>
>> From: tedd [EMAIL PROTECTED]
>> To: Lamp Lists [EMAIL PROTECTED]; php-general@lists.php.net
>> Sent: Monday, October 20, 2008 8:25:50 AM
>> Subject: Re: [PHP] what's the difference in the following code?
>>
>> At 10:58 AM -0700 10/17/08, Lamp Lists wrote:
>>> I'm reading Essential PHP Security by Chris Shiflett.
>>>
>>> on the very beginning, page 5 & 6, if I got it correct, he said this
>>> is not good:
>
> NO, you did not get it correct.
>
>> how it's so obvious? I can't see it either?
>>
>> -ll
>
> Re-read those paragraphs.
>
> He was not telling you that one way was better than the other. He WAS
> saying that one way showed the tainted variable more obvious than the
> other -- that's all.
>
> I hate it when people take things out of context and misquote others.
> Chris did not say that one way was better, or different, than the other.
> But rather he used two sets of code to illustrate a point.

seems to me the point being illustrated is not at all objective in its
premise. I find the ternary syntax easier to read/grok than the 3 liner.

in both cases you need to understand the 'if' context to see when the
variable is tainted.

all that can be said is that one way is more obvious that the other to *Chris*,
which doesn't do anybody but Chris much good ... obviously it's a rather silly
point ... the useful parts of Chris' work revolve around where he explains
*how* to validate/cleanse the tainted value ... extracting the goodness is a
matter of evaluating and possibly disregarding statements/information which are
secondary and/or irrelevant.

 
> Again, re-read those paragraphs.
>
> Cheers,
>
> tedd





Re: [PHP] what's the difference in the following code?

2008-10-21 Thread tedd

At 2:44 AM -0700 10/21/08, Yeti wrote:

> Somebody please tell me that I do not have to rewrite my code base
> now, since I care about security.


You do not have to rewrite your code because you use ternary 
operators! Nobody said that.


Again, Chris was not saying that it was the use of the operator that 
was a security issue, but rather its use could obscure the fact that 
the operator, as in the case he provided, could produce a tainted 
variable.


Perhaps I've confused what Chris tried to say -- so, I suggest that 
everyone who is interested in arguing this point further buy Chris' 
book and read it for themselves.


Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] what's the difference in the following code?

2008-10-20 Thread tedd

At 10:58 AM -0700 10/17/08, Lamp Lists wrote:

> I'm reading Essential PHP Security by Chris Shiflett.
>
> on the very beginning, page 5 & 6, if I got it correct, he said this
> is not good:
>
> $search = isset($_GET['search']) ? $_GET['search'] : '';
>
> and this is good:
>
> $search = '';
> if (isset($_GET['search']))
> {
> $search = $_GET['search'];
> }
>
> what's the difference? I really can't see?
> to me is more the way you like to write your code (and I like the
> top one :-) )?
>
> thanks.
>
> -ll



The problem here is you have to read and understand what the author 
is trying to say.


Chris is NOT saying that there is a difference between these two 
forms of code. He is saying that one hides the fact that the variable 
($search) is tainted while the other makes it more obvious.


The whole point of the first few pages is to show you how a variable 
can be tainted and how you can minimize that by following some very 
simple rules, one of which was simplicity, which you had problems 
following.


With just a little reading, you could have answered your own question.

Cheers,

tedd

PS: I'm back
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] what's the difference in the following code?

2008-10-20 Thread Lamp Lists
> - Original Message 
>
> From: tedd [EMAIL PROTECTED]
> To: Lamp Lists [EMAIL PROTECTED]; php-general@lists.php.net
> Sent: Monday, October 20, 2008 8:25:50 AM
> Subject: Re: [PHP] what's the difference in the following code?
>
> At 10:58 AM -0700 10/17/08, Lamp Lists wrote:
>> I'm reading Essential PHP Security by Chris Shiflett.
>>
>> on the very beginning, page 5 & 6, if I got it correct, he said this
>> is not good:
>>
>> $search = isset($_GET['search']) ? $_GET['search'] : '';
>>
>> and this is good:
>>
>> $search = '';
>> if (isset($_GET['search']))
>> {
>>  $search = $_GET['search'];
>> }
>>
>> what's the difference? I really can't see?
>> to me is more the way you like to write your code (and I like the
>> top one :-) )?
>>
>> thanks.
>>
>> -ll
>
> The problem here is you have to read and understand what the author
> is trying to say.
>
> Chris is NOT saying that there is a difference between these two
> forms of code. He is saying that one hides the fact that the variable
> ($search) is tainted while the other makes it more obvious.
>
> The whole point of the first few pages is to show you how a variable
> can be tainted and how you can minimize that by following some very
> simple rules, one of which was simplicity, which you had problems
> following.
>
> With just a little reading, you could have answered your own question.
>
> Cheers,
>
> tedd




how it's so obvious? I can't see it either?

-ll




> PS: I'm back

Re: [PHP] what's the difference in the following code?

2008-10-20 Thread tedd

At 6:37 AM -0700 10/20/08, Lamp Lists wrote:

> - Original Message 
>
> From: tedd [EMAIL PROTECTED]
> To: Lamp Lists [EMAIL PROTECTED]; php-general@lists.php.net
> Sent: Monday, October 20, 2008 8:25:50 AM
> Subject: Re: [PHP] what's the difference in the following code?
>
> At 10:58 AM -0700 10/17/08, Lamp Lists wrote:
>> I'm reading Essential PHP Security by Chris Shiflett.
>>
>> on the very beginning, page 5 & 6, if I got it correct, he said this
>> is not good:

NO, you did not get it correct.

> how it's so obvious? I can't see it either?
>
> -ll



Re-read those paragraphs.

He was not telling you that one way was better than the other. He WAS 
saying that one way showed the tainted variable more obvious than the 
other -- that's all.


I hate it when people take things out of context and misquote others. 
Chris did not say that one way was better, or different, than the 
other. But rather he used two sets of code to illustrate a point.


Again, re-read those paragraphs.

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] what's the difference in the following code?

2008-10-20 Thread Daniel Brown
On Mon, Oct 20, 2008 at 10:02 AM, tedd [EMAIL PROTECTED] wrote:

> I hate it when people take things out of context and misquote others. Chris
> did not say that one way was better, or different, than the other. But
> rather he used two sets of code to illustrate a point.

Welcome back, Grum-pa.  Glad to see you're willing to flame people
whose first language is not English.  ;-P

-- 
/Daniel P. Brown
http://www.parasane.net/ [New Look]
[EMAIL PROTECTED] || [EMAIL PROTECTED]




Re: [PHP] what's the difference in the following code?

2008-10-20 Thread tedd

At 10:12 AM -0400 10/20/08, Daniel Brown wrote:

> On Mon, Oct 20, 2008 at 10:02 AM, tedd [EMAIL PROTECTED] wrote:
>
>> I hate it when people take things out of context and misquote others. Chris
>> did not say that one way was better, or different, than the other. But
>> rather he used two sets of code to illustrate a point.
>
> Welcome back, Grum-pa.  Glad to see you're willing to flame people
> whose first language is not English.  ;-P


If he wanted my advice in a different language, then he should have 
asked his question in that language. That way I could have ignored 
him in mine. Besides, I'm not flaming in his language, so that should 
balance out.


In this case, the introduction chapter of Chris' PHP Security clearly 
states several things one can do to simplify the task of security. 
One of which is to understand that the way you code can hide tainted 
variables.


Chris illustrated his tainted point by asking the reader to compare 
these two structures:


[1]

$search = isset($_GET['search']) ? $_GET['search'] : '';

[2]

$search = '';
if (isset($_GET['search']))
   {
   $search = $_GET['search'];
   }

He ALSO said that:

-- quote

The approach is identical, but one line in particular now draws much 
attention:


 $search = $_GET['search'];

Without altering the logic in any way, it is now more obvious whether 
$search is tainted and under what conditions.


-- un-quote

Now, instead of the OP getting the point the OP flies off on a 
tangent asking us what's the difference in the following code? and 
of course the answer is There is no difference. BUT, Chris didn't 
say there was, as was implied by the OP in his post.


Sure I can understand language problems, but this thread was started 
because the OP couldn't understand a simple concept that was stated 
in less than ten (10) sentences. Our collective replies amounted to 
more lines than that -- with the obvious language problems the OP has 
with the written word, who knows what the OP thinks now.


But the point is that Chris did not say there WAS a difference as was 
implied by the OP -- and that was my point.


Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] what's the difference in the following code?

2008-10-20 Thread Lamp Lists


> - Original Message 
> From: tedd [EMAIL PROTECTED]
> To: php-general@lists.php.net
> Sent: Monday, October 20, 2008 4:15:02 PM
> Subject: Re: [PHP] what's the difference in the following code?
>
> At 10:12 AM -0400 10/20/08, Daniel Brown wrote:
>> On Mon, Oct 20, 2008 at 10:02 AM, tedd [EMAIL PROTECTED] wrote:
>>
>>> I hate it when people take things out of context and misquote others. Chris
>>> did not say that one way was better, or different, than the other. But
>>> rather he used two sets of code to illustrate a point.
>>
>> Welcome back, Grum-pa.  Glad to see you're willing to flame people
>> whose first language is not English.  ;-P
>
> If he wanted my advice in a different language, then he should have
> asked his question in that language. That way I could have ignored
> him in mine. Besides, I'm not flaming in his language, so that should
> balance out.
>
> In this case, the introduction chapter of Chris' PHP Security clearly
> states several things one can do to simplify the task of security.
> One of which is to understand that the way you code can hide tainted
> variables.
>
> Chris illustrated his tainted point by asking the reader to compare
> these two structures:
>
> [1]
>
> $search = isset($_GET['search']) ? $_GET['search'] : '';
>
> [2]
>
> $search = '';
> if (isset($_GET['search']))
> {
> $search = $_GET['search'];
> }
>
> He ALSO said that:
>
> -- quote
>
> The approach is identical, but one line in particular now draws much
> attention:
>
>   $search = $_GET['search'];
>
> Without altering the logic in any way, it is now more obvious whether
> $search is tainted and under what conditions.
>
> -- un-quote
>
> Now, instead of the OP getting the point the OP flies off on a
> tangent asking us what's the difference in the following code? and
> of course the answer is There is no difference. BUT, Chris didn't
> say there was, as was implied by the OP in his post.
>
> Sure I can understand language problems, but this thread was started
> because the OP couldn't understand a simple concept that was stated
> in less than ten (10) sentences. Our collective replies amounted to
> more lines than that -- with the obvious language problems the OP has
> with the written word, who knows what the OP thinks now.
>
> But the point is that Chris did not say there WAS a difference as was
> implied by the OP -- and that was my point.





Some people just CAN'T understand that there are some barriers in languages that 
could cause misunderstanding.
True, I didn't understand Chris' statement correctly, and now, after tedd's 
explanation, it is clear to me, and I thank him.
Though I hate it (as somebody said) when I always regret posting a
question and asking for help because of those arrogant PHP masters.
If you didn't understand, and most likely you didn't, I asked because I had a 
problem and asked for help, not to be smart or flame something. I didn't 
understand. But you don't KNOW how to answer people without killing them 
or at least slapping them.

And using some local shortcuts (OP ?!?) could be rather annoying?

-ll









Re: [PHP] what's the difference in the following code?

2008-10-18 Thread Dotan Cohen
2008/10/17 Lamp Lists [EMAIL PROTECTED]:
> I'm reading Essential PHP Security by Chris Shiflett.
>
> on the very beginning, page 5 & 6, if I got it correct, he said this is not
> good:
>
> $search = isset($_GET['search']) ? $_GET['search'] : '';
>
> and this is good:
>
> $search = '';
> if (isset($_GET['search']))
> {
>    $search = $_GET['search'];
> }
>
> what's the difference? I really can't see?
> to me is more the way you like to write your code (and I like the top one :-)
> )?
>
> thanks.
>
> -ll


Chris posts here, you might want to stfa for his address and cc him
the question to the list. Just be sure not to bug him offlist, that is
generally frowned upon.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

ä-ö-ü-ß-Ä-Ö-Ü


[PHP] what's the difference in the following code?

2008-10-17 Thread Lamp Lists
I'm reading Essential PHP Security by Chris Shiflett.

on the very beginning, page 5 & 6, if I got it correct, he said this is not 
good:

$search = isset($_GET['search']) ? $_GET['search'] : '';

and this is good:

$search = '';
if (isset($_GET['search']))
{
$search = $_GET['search'];
}

what's the difference? I really can't see?
to me is more the way you like to write your code (and I like the top one :-) )?

thanks.

-ll



Re: [PHP] what's the difference in the following code?

2008-10-17 Thread Richard Heyes
> I'm reading Essential PHP Security by Chris Shiflett.
>
> on the very beginning, page 5 & 6, if I got it correct, he said this is not
> good:
>
> $search = isset($_GET['search']) ? $_GET['search'] : '';
>
> and this is good:
>
> $search = '';
> if (isset($_GET['search']))
> {
>    $search = $_GET['search'];
> }
>
> what's the difference? I really can't see?
> to me is more the way you like to write your code (and I like the top one :-)
> )?

They appear to be the same (to me at least). Just remember that you
need to correctly sanitise or quote them before using them in a (for
example) SQL query. For example if $_GET['search'] contains single
quote, (or double quote), your query may break. Ensure you handle that
eventuality too.

-- 
Richard Heyes

HTML5 Graphing for FF, Chrome, Opera and Safari:
http://www.rgraph.org




Re: [PHP] what's the difference in the following code?

2008-10-17 Thread Eric Butera
On Fri, Oct 17, 2008 at 1:58 PM, Lamp Lists [EMAIL PROTECTED] wrote:
> I'm reading Essential PHP Security by Chris Shiflett.
>
> on the very beginning, page 5 & 6, if I got it correct, he said this is not
> good:
>
> $search = isset($_GET['search']) ? $_GET['search'] : '';
>
> and this is good:
>
> $search = '';
> if (isset($_GET['search']))
> {
>    $search = $_GET['search'];
> }
>
> what's the difference? I really can't see?
> to me is more the way you like to write your code (and I like the top one :-)
> )?
>
> thanks.
>
> -ll

In this exact context there's no real difference.  But in the real
world when you need to validate that a input value is a number and has
a minimum of X, a maximum of X, then your ternary shortcut will not
cut it.

I still wouldn't write mine either of those ways.  Look into
ext/filter [1] or Zend validators [2].  I'm of the school where you
shouldn't sanitize a value, but rather validate it and escape it
appropriately based on usage context.  This takes a lot of discipline
& can be dangerous if you forget even one spot.


[1] http://us3.php.net/manual/en/function.filter-input.php
[2] http://framework.zend.com/manual/en/zend.validate.html

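An added example, not from the thread nor from the ext/filter or Zend documentation, of the approach Eric describes: validate each input (here an integer with a minimum and a maximum, which the isset() ternary cannot express, and a bounded, well-formed search string), then escape per output context rather than "cleaning" the value once. It also covers Richard's point about quotes in SQL by binding the value instead of quoting it. The table, column names and sample requests are constructed; the SQL part uses PDO with an in-memory SQLite database so it runs offline.

```php
<?php
declare(strict_types=1);

// Added example; not code from the thread. Table, columns and inputs are made up.

/** A page number must be an integer in [1, 500]; anything else is rejected. */
function validatedPage(array $input): ?int
{
    $page = filter_var(
        $input['page'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 500]]
    );
    return $page === false ? null : $page;
}

/** A search term is a non-empty, well-formed UTF-8 string of at most 100
 *  bytes. It is validated, not "cleaned": quotes and angle brackets stay in
 *  the value and are dealt with at the point of use. */
function validatedSearch(array $input): ?string
{
    $search = $input['search'] ?? null;
    if (!is_string($search) || $search === '' || strlen($search) > 100) {
        return null;
    }
    return mb_check_encoding($search, 'UTF-8') ? $search : null;
}

/** HTML context: escape when the value is echoed, with the charset stated. */
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** SQL context: bind the value instead of quoting it into the statement. */
function findTitles(PDO $db, string $search, int $page): array
{
    $stmt = $db->prepare(
        'SELECT title FROM docs WHERE title LIKE :q ORDER BY id LIMIT 10 OFFSET :off'
    );
    $stmt->bindValue(':q', '%' . $search . '%', PDO::PARAM_STR);
    $stmt->bindValue(':off', ($page - 1) * 10, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed fixture standing in for a real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE docs (id INTEGER PRIMARY KEY, title TEXT)');
$ins = $db->prepare('INSERT INTO docs (title) VALUES (?)');
foreach (["O'Reilly's PHP book", 'PHP security', '<b>not bold</b>'] as $t) {
    $ins->execute([$t]);
}

// Constructed inputs standing in for $_GET.
$requests = [
    ['search' => 'PHP',      'page' => '1'],
    ['search' => "O'Reilly", 'page' => '1'],   // the quote is harmless when bound
    ['search' => '<b>',      'page' => '0'],   // page below the minimum
    ['search' => 'PHP',      'page' => '9e9'], // not an integer
    ['page' => '1'],                           // no search term at all
];

foreach ($requests as $in) {
    $search = validatedSearch($in);
    $page   = validatedPage($in);
    if ($search === null || $page === null) {
        echo 'rejected: ' . json_encode($in) . "\n";
        continue;
    }
    $titles = array_map('forHtml', findTitles($db, $search, $page));
    echo 'search=' . forHtml($search) . " page=$page -> " . implode(' | ', $titles) . "\n";
}
```

The last three requests are rejected before any query runs; the second shows the single quote reaching the database safely through the bound parameter and coming back escaped only when it is about to be written into HTML.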