Hi everybody! Two things I consider urban myths about PHP (plus MySQL) - please let me know what you think of these:
1. The evil global variables Ok, the classic <? if ($pwd=="GOODPASSWORD") { $lethimin=1; } [bullshit code] if ($lethimin) { echo(fread(fopen("/etc/passwd","r"))); } ?> is obviously valid. But let's be serious, who codes this? The example code is valid and it's easily crackable indeed, but you don't do that kind of thing - you do it in one step. Even if you really need the bullshit code in there for some obscure reason, this is the log in code damnit, anybody takes care of that! Why I raised this issue is because I think people tend to get paranoid about PHP. And that happens in both worlds - customers and developers. Nothing to say about customers, I'd be careful too if I heard some dude got intoxicated at a McDonald's in Bogota. My problem is with developers - they got it in their head that variables are your enemy and initialize everything nowadays - including local variables! My question to you guys is this: does anybody know of a real example of reasonably careful coding led to disaster with global variables? 2. Please enter your age: 25; drop database mysql Does this actually work? I've read at least a dozen articles telling people to get it in their blood not to trust users and addslashes to any king incoming data, as well as pass it as strings to mysql ("insert into person set age='$age'" instead of "insert into person set age =$age). So I decided I had to test this: I wrote the code exactly as in the example; I provided the exact dangerous input (well, to be honest, I tried a select instead of drop mysql). When I tried it, the presumably dangerous situation degraded into a trivial MySQL error. It went something like "You have an error near '; select 1+1'". Did you ever actually try this? Does it work on your system? Thanks in advance for the input! Bogdan -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]