php-general Digest 20 Oct 2008 15:28:46 -0000 Issue 5746

Topics (messages 282123 through 282132):

Re: what's the difference in the following code?
        282123 by: Robert Cummings
        282124 by: Andrew Ballard
        282126 by: tedd
        282127 by: Lamp Lists
        282128 by: tedd
        282129 by: Daniel Brown

Re: Best way to receive image from url?
        282125 by: Richard Heyes

Re: PHP Dev Facts
        282130 by: Michelle Konzack

Re: how to start using a version control system (subversion)?
        282131 by: Boyd, Todd M.

Re: searching by tags....
        282132 by: Andrew Ballard

Administrivia:

To subscribe to the digest, e-mail:
        [EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
        [EMAIL PROTECTED]

To post to the list, e-mail:
        [EMAIL PROTECTED]


----------------------------------------------------------------------
--- Begin Message ---
On Sun, 2008-10-19 at 23:02 -0400, Andrew Ballard wrote:
> On Sat, Oct 18, 2008 at 2:34 PM, Robert Cummings <[EMAIL PROTECTED]> wrote:
> >
> > On Sat, 2008-10-18 at 08:44 -0700, Yeti wrote:
> > > I would understand it if it was like this ..
> > >
> > > <?php
> > > $search = isset($_GET['search']) ? $_GET['search'] : '';
> > > # versus
> > > if (isset($_GET['search'])) { $search = $_GET['search']; }
> > > ?>
> > >
> > > In the first statement $search would either be set to $_GET['search']
> > > or an empty string, whereas in the second statement $search would only
> > > be set, if there is a $_GET['search']
> >
> > Wrong. They are equivalent. The second is probably just easier to follow
> > with a clearly defined default value outside the conditional block.
> >
> > Cheers,
> > Rob.
> 
> No, they are not. In the first statement, $search is the value of
> $_GET['search'] if the key exists, or an empty string if it does not.
> In the second statement, $search is the value of $_GET['search'] if
> the key exists or retains its original value if the key does not
> exist.

Yes, I didn't realize Yeti had changed the OP's code which convoluted
the issue since his version wasn't what I was responding to and I didn't
realize he dropped a line from the OP's code.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP


--- End Message ---
--- Begin Message ---
On Sun, Oct 19, 2008 at 11:12 PM, Robert Cummings <[EMAIL PROTECTED]> wrote:
> On Sun, 2008-10-19 at 23:02 -0400, Andrew Ballard wrote:
>> On Sat, Oct 18, 2008 at 2:34 PM, Robert Cummings <[EMAIL PROTECTED]> wrote:
>> >
>> > On Sat, 2008-10-18 at 08:44 -0700, Yeti wrote:
>> > > I would understand it if it was like this ..
>> > >
>> > > <?php
>> > > $search = isset($_GET['search']) ? $_GET['search'] : '';
>> > > # versus
>> > > if (isset($_GET['search'])) { $search = $_GET['search']; }
>> > > ?>
>> > >
>> > > In the first statement $search would either be set to $_GET['search']
>> > > or an empty string, whereas in the second statement $search would only
>> > > be set, if there is a $_GET['search']
>> >
>> > Wrong. They are equivalent. The second is probably just easier to follow
>> > with a clearly defined default value outside the conditional block.
>> >
>> > Cheers,
>> > Rob.
>>
>> No, they are not. In the first statement, $search is the value of
>> $_GET['search'] if the key exists, or an empty string if it does not.
>> In the second statement, $search is the value of $_GET['search'] if
>> the key exists or retains its original value if the key does not
>> exist.
>
> Yes, I didn't realize Yeti had changed the OP's code which convoluted
> the issue since his version wasn't what I was responding to and I didn't
> realize he dropped a line from the OP's code.
>
> Cheers,
> Rob.

Yup. :-)  Those are the ones that get you. Especially when it happens
in actual code and not just a mailing list post.

Andrew

--- End Message ---
--- Begin Message ---
At 10:58 AM -0700 10/17/08, Lamp Lists wrote:
> I'm reading "Essential PHP Security" by Chris Shiflett.
>
> on the very beginning, page 5 & 6, if I got it correct, he said this is not good:
>
> $search = isset($_GET['search']) ? $_GET['search'] : '';
>
> and this is good:
>
> $search = '';
> if (isset($_GET['search']))
> {
>     $search = $_GET['search'];
> }
>
> what's the difference? I really can't see?
> to me is more the way you like to write your code (and I like the top one :-) )?
>
> thanks.
>
> -ll


The problem here is you have to read and understand what the author is trying to say.

Chris is NOT saying that there is a difference between these two forms of code. He is saying that one hides the fact that the variable ($search) is tainted while the other makes it more obvious.

The whole point of the first few pages is to show you how a variable can be tainted and how you can minimize that by following some very simple rules, one of which was simplicity, which you had problems following.

With just a little reading, you could have answered your own question.

Cheers,

tedd

PS: I'm back
--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
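The two forms from the book run side by side, with and without a value already sitting in $search, so both the semantic point Andrew makes (the if-only form keeps a stale value) and the taint point tedd makes (the book's form states the default first, so the only other assignment is the one copying request data) are visible in output. This is an added example, not code from the thread or from Shiflett's book; $get stands in for $_GET so it runs from the command line, and 'stale value' is a constructed stand-in for whatever $search might already hold.

```php
<?php
// Added example (not from the thread). $get replaces $_GET so this runs
// with plain `php` on the CLI; the default argument 'stale value' is a
// constructed stand-in for a value $search might already hold.

function ternaryForm(array $get, $search = 'stale value')
{
    // One expression: $search is always overwritten, with input or with ''.
    $search = isset($get['search']) ? $get['search'] : '';
    return $search;
}

function ifOnlyForm(array $get, $search = 'stale value')
{
    // Yeti's shortened version: no default, so when the key is missing
    // $search keeps whatever it held before.
    if (isset($get['search'])) {
        $search = $get['search'];
    }
    return $search;
}

function initialisedForm(array $get, $search = 'stale value')
{
    // The book's form: the default is stated up front, and the only
    // other assignment to $search is the one that copies request data.
    $search = '';
    if (isset($get['search'])) {
        $search = $get['search'];
    }
    return $search;
}

// Constructed inputs: a request carrying the parameter and one without it.
$with    = array('search' => 'php');
$without = array();

foreach (array('ternaryForm', 'ifOnlyForm', 'initialisedForm') as $fn) {
    printf("%-16s with: %-6s without: %s\n",
        $fn,
        var_export($fn($with), true),
        var_export($fn($without), true));
}
```

Run it with `php` and the first and third forms print '' for the missing-key case while the second prints 'stale value'. That second behaviour is why the habit matters beyond style: on a PHP 5.2 host with register_globals switched on (off by default since 4.2, removed in 5.4), the stale value in an uninitialised variable could itself have come from the request, so a variable that is only conditionally assigned is request-controlled in both branches. Declaring the default first makes that single tainted assignment easy to spot in review.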
--- Begin Message ---
----- Original Message ----

From: tedd <[EMAIL PROTECTED]>
To: Lamp Lists <[EMAIL PROTECTED]>; [EMAIL PROTECTED]
Sent: Monday, October 20, 2008 8:25:50 AM
Subject: Re: [PHP] what's the difference in the following code?

At 10:58 AM -0700 10/17/08, Lamp Lists wrote:
>I'm reading "Essential PHP Security" by Chris Shiflett.
>
>on the very beginning, page 5 & 6, if I got it correct, he said this 
>is not good:
>
>$search = isset($_GET['search']) ? $_GET['search'] : '';
>
>and this is good:
>
>$search = '';
>if (isset($_GET['search']))
>{
>     $search = $_GET['search'];
>}
>
>what's the difference? I really can't see?
>to me is more the way you like to write your code (and I like the 
>top one :-) )?
>
>thanks.
>
>-ll


> The problem here is you have to read and understand what the author
> is trying to say.
>
> Chris is NOT saying that there is a difference between these two
> forms of code. He is saying that one hides the fact that the variable
> ($search) is tainted while the other makes it more obvious.
>
> The whole point of the first few pages is to show you how a variable
> can be tainted and how you can minimize that by following some very
> simple rules, one of which was simplicity, which you had problems
> following.
>
> With just a little reading, you could have answered your own question.
>
> Cheers,
>
> tedd

how is it so obvious? I can't see it either?

-ll

> PS: I'm back
> --
> -------
> http://sperling.com  http://ancientstones.com  http://earthstones.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


--- End Message ---
--- Begin Message ---
At 6:37 AM -0700 10/20/08, Lamp Lists wrote:
> ----- Original Message ----
>
> From: tedd <[EMAIL PROTECTED]>
> To: Lamp Lists <[EMAIL PROTECTED]>; [EMAIL PROTECTED]
> Sent: Monday, October 20, 2008 8:25:50 AM
> Subject: Re: [PHP] what's the difference in the following code?
>
> At 10:58 AM -0700 10/17/08, Lamp Lists wrote:
> >I'm reading "Essential PHP Security" by Chris Shiflett.
> >
> >on the very beginning, page 5 & 6, if I got it correct, he said this
> >is not good:

NO, you did not get it correct.

> how is it so obvious? I can't see it either?
>
> -ll


Re-read those paragraphs.

He was not telling you that one way was better than the other. He WAS saying that one way showed the tainted variable more obviously than the other -- that's all.

I hate it when people take things out of context and misquote others. Chris did not say that one way was better, or different, than the other. But rather he used two sets of code to illustrate a point.

Again, re-read those paragraphs.

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
On Mon, Oct 20, 2008 at 10:02 AM, tedd <[EMAIL PROTECTED]> wrote:
>
> I hate it when people take things out of context and misquote others. Chris
> did not say that one way was better, or different, than the other. But
> rather he used two sets of code to illustrate a point.

    Welcome back, Grum-pa.  Glad to see you're willing to flame people
whose first language is not English.  ;-P

-- 
</Daniel P. Brown>
http://www.parasane.net/ [New Look]
[EMAIL PROTECTED] || [EMAIL PROTECTED]

--- End Message ---
--- Begin Message ---
> ...

You could read it progressively using fopen(), fread() et al.
Probably. This would mean only a small amount of data is read by your
server at once. Eg:

$rp = fopen('http://www.example.com/title.png', 'rb'); // remote read; needs allow_url_fopen
$wp = fopen('mylocalfile', 'wb');

while (!feof($rp)) {          // feof() rather than testing the block, so a chunk of "0" doesn't end the loop early
    $block = fread($rp, 8192); // 8k block size
    fwrite($wp, $block);
}

fclose($rp);
fclose($wp);

From memory. Something like that. Fopen() modes may need tweaking.

-- 
Richard Heyes

HTML5 Graphing for FF, Chrome, Opera and Safari:
http://www.rgraph.org

--- End Message ---
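The same block-wise copy, with the checks a fetch of a remote file usually needs on a server: only http/https URLs are opened, a read timeout is set, the total size is capped so a large or never-ending response cannot fill the disk, and the data is written to a temporary file that is only renamed into place once it verifies as an image. This is an added example, not Richard's code; fetchImage, the size and timeout defaults, and the example URL and destination path are all constructed for illustration.

```php
<?php
// Added example, not code from the thread. Streams a remote file in 8k
// blocks like Richard's loop, with a scheme check, a timeout, a size cap
// and an image check before the file is kept. The URL and path used at
// the bottom are placeholders.

function fetchImage($url, $dest, $maxBytes = 5 * 1024 * 1024, $timeout = 10)
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!in_array($scheme, array('http', 'https'), true)) {
        throw new InvalidArgumentException("Refusing non-HTTP URL: $url");
    }

    // Per-stream read timeout so a stalled server doesn't hold the worker.
    $ctx = stream_context_create(array('http' => array('timeout' => $timeout)));
    $rp = fopen($url, 'rb', false, $ctx);
    if ($rp === false) {
        throw new RuntimeException("Could not open $url");
    }

    // Write to a temp file in the target directory; rename only on success.
    $tmp = tempnam(dirname($dest), 'dl');
    $wp = fopen($tmp, 'wb');
    $total = 0;

    while (!feof($rp)) {
        $block = fread($rp, 8192); // 8k block size, as in Richard's loop
        if ($block === false) {
            break;
        }
        $total += strlen($block);
        if ($total > $maxBytes) {
            fclose($rp);
            fclose($wp);
            unlink($tmp);
            throw new RuntimeException("Exceeded $maxBytes bytes, download aborted");
        }
        fwrite($wp, $block);
    }
    fclose($rp);
    fclose($wp);

    // Trust the bytes, not the URL's extension: must parse as PNG/JPEG/GIF.
    $info = @getimagesize($tmp);
    $allowed = array(IMAGETYPE_PNG, IMAGETYPE_JPEG, IMAGETYPE_GIF);
    if ($info === false || !in_array($info[2], $allowed, true)) {
        unlink($tmp);
        throw new RuntimeException('Downloaded data is not a PNG, JPEG or GIF');
    }
    rename($tmp, $dest);
    return $total;
}

// Placeholder URL and destination, as in the thread's example.
$bytes = fetchImage('http://www.example.com/title.png', '/tmp/title.png');
echo "Saved $bytes bytes\n";
```

fopen() on an http URL requires allow_url_fopen to be enabled. If the URL comes from a user rather than from configuration, the scheme check above is not enough on its own: restrict the host to an allow-list (or at least refuse names that resolve to loopback or private ranges) so the server cannot be pointed at internal services. Checking the image type from the bytes rather than from the filename, and renaming only after that check, keeps a half-downloaded or non-image response from ever appearing at the final path.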
--- Begin Message ---
Am 2008-10-17 00:14:18, schrieb Nathan Rixham:
> Evening All,
> 
> I'd be /really/ interested to know who uses what!
> 
> *Procedural or OOP?*

OOP

> *Dev OS*

Debian GNU/Linux Etch/Testing/Unstable

> *Dev PHP Version*

5.2.0-8+etch10

> *Live Server OS*

Debian GNU/Linux Etch

> *Live Server PHP Version*

5.2.0-8+etch10

> *Which HTTP Server Software (+version)?*

apache2 2.2.3-4+etch4

> *IDE / Dev Environment*

Midnight Commander

> *Preferred Framework(s)?*

My own

> *Do you Unit Test?*

Is this something to eat?

> *Most Used Internal PHP Class*
> 
> *Preferred OS CMS*

My own

> *Anything else you use frequently in your PHP'ing that's worth 
> mentioning:*

PostgreSQL 8.3.4-2

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    24V Electronic Engineer
    Tamay Dogan Network
    Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
+49/177/9351947    50, rue de Soultz         MSN LinuxMichi
+33/6/61925193     67100 Strasbourg/France   IRC #Debian (irc.icq.com)



--- End Message ---
--- Begin Message ---
> -----Original Message-----
> From: Rene Veerman [mailto:[EMAIL PROTECTED]
> Sent: Sunday, October 19, 2008 6:12 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP] how to start using a version control system
> (subversion)?
> 
> Apologies for posting a monthly/yearly recurring theme here..
> If someone can add links to previous discussions relating to the same,
> that could help too.

Rather than apologize, you could just search the PHP-General archives:

http://marc.info/?l=php-general


Todd Boyd
Web Programmer




--- End Message ---
--- Begin Message ---
On Sun, Oct 19, 2008 at 10:34 AM, Martin Zvarík <[EMAIL PROTECTED]> wrote:
> Ryan S napsal(a):
>>
>> Hey,
>>
>> this is the first time I am actually working with "tags" but it seems quite
>> popular and am adding it on a client's request.
>>
>> By tags I mean something like wordpress' implementation of it, for example
>> when an author writes an article on babies the tags might be
>> baby,babies, new borns, cribs, nappies
>>
>> or a picture of a baby can have the tags
>> baby,babies, new born, cute kid, nappies
>>
>> the tags are comma separated above of course.
>>
>> The way i am doing it right now is i have sayyyy an article or a pic saved
>> in the db as article_or_pic_address text
>> the_tags varchar(240)
>>
>> My question is, when someone clicks on any one of the tags, do i do a
>>  LIKE %search_term% search or...???
>>
[snip]
>>
>> Any help in the form of advise, code or links would be appreciated.
>>
>> TIA.
>>
>> Cheers!
>> Ryan
>
> The main point here is WHAT SHOULD BE THE BEST DB STRUCTURE.
>
[snip]
>
> To the TOPIC: I think normalization would be a killer.
> Imagine joining 3 tables (I really don't see more functionality here) OR
> just selecting from 1.
>

Selecting from 3 properly indexed and joined tables should generally
be better than using LIKE '%tag%' from one table if you've got more
than a little data in your table. The latter cannot use an index
because of the opening wildcard, so once your table gets big enough
that queries using indexes begin to outperform table scans, that
approach will lose. Yes, there is overhead involved in joining tables,
but RDBMSs are built for managing joins between sets of related data.
If you give that up, you might as well skip the overhead of the
database entirely and use a flat file.

Setting raw performance aside, joins also offer other benefits. If you
allow people to search on multiple tags, a joined query can tell you
how many tags each returned item matched in the original query. The
joined approach also allows your tags to intelligently differentiate
between 'men' and 'women'. :-)

Andrew

--- End Message ---
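The two layouts from this thread built side by side: Ryan's single the_tags column searched with LIKE, and the normalised items / tags / item_tags layout Andrew argues for, with the multi-tag query that reports how many of the requested tags each item matched. This is an added example, not code from either poster; it uses an in-memory SQLite database through PDO so it runs stand-alone (the pdo_sqlite extension must be loaded), and the table names, column names and sample rows are my own constructed choices.

```php
<?php
// Added example, not from the thread. Builds both layouts in an in-memory
// SQLite database with constructed sample data and runs the two kinds of
// tag search against them. Needs the pdo_sqlite extension.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Denormalised column (Ryan's layout) kept on items for comparison.
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, address TEXT, the_tags TEXT)');
// Normalised layout: one row per distinct tag, one link row per (item, tag).
$db->exec('CREATE TABLE tags (id INTEGER PRIMARY KEY, name TEXT UNIQUE)');
$db->exec('CREATE TABLE item_tags (item_id INTEGER, tag_id INTEGER, PRIMARY KEY (item_id, tag_id))');
// Index leading on tag_id so "which items carry tag X" is an index lookup.
$db->exec('CREATE INDEX item_tags_tag ON item_tags (tag_id, item_id)');

// Constructed sample data, loaded into both layouts.
$items = array(
    1 => array('/articles/babies.html', array('baby', 'babies', 'new born', 'cribs', 'nappies')),
    2 => array('/pics/baby.jpg',        array('baby', 'babies', 'new born', 'cute kid', 'nappies')),
    3 => array('/articles/health.html', array('men', 'fitness')),
    4 => array('/articles/women.html',  array('women', 'fitness')),
);
$insItem = $db->prepare('INSERT INTO items (id, address, the_tags) VALUES (?, ?, ?)');
$insTag  = $db->prepare('INSERT OR IGNORE INTO tags (name) VALUES (?)');
$insLink = $db->prepare('INSERT INTO item_tags (item_id, tag_id) SELECT ?, id FROM tags WHERE name = ?');
foreach ($items as $id => list($address, $tags)) {
    $insItem->execute(array($id, $address, implode(',', $tags)));
    foreach ($tags as $t) {
        $insTag->execute(array($t));
        $insLink->execute(array($id, $t));
    }
}

// LIKE on the comma-separated column: the leading wildcard defeats any
// index, and a substring match means 'men' also returns 'women'.
function likeSearch(PDO $db, $tag)
{
    $st = $db->prepare('SELECT address FROM items WHERE the_tags LIKE ?');
    $st->execute(array('%' . $tag . '%'));
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// Joined search: exact tag names through the index, plus a per-item count
// of how many of the requested tags matched, best match first.
function taggedSearch(PDO $db, array $tags)
{
    $marks = implode(',', array_fill(0, count($tags), '?'));
    $st = $db->prepare(
        "SELECT i.address, COUNT(*) AS matched
           FROM items i
           JOIN item_tags it ON it.item_id = i.id
           JOIN tags t ON t.id = it.tag_id
          WHERE t.name IN ($marks)
          GROUP BY i.id
          ORDER BY matched DESC, i.id"
    );
    $st->execute(array_values($tags));
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

print_r(likeSearch($db, 'men'));                               // health.html and women.html (false hit)
print_r(taggedSearch($db, array('men')));                      // health.html only
print_r(taggedSearch($db, array('baby', 'cribs', 'nappies'))); // babies.html matched 3, baby.jpg matched 2
```

Both searches use prepared statements with placeholders, which is what keeps a tag clicked from a link from being concatenated into the SQL. Note that even with a placeholder the LIKE version treats % and _ inside the user's term as wildcards, so it would need escaping on top; the IN (...) lookup in the joined version compares whole tag names and has no such issue, and it is the one the (tag_id, item_id) index can serve.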
