Re: [PHP] what's the difference in the following code?
On Oct 23, 2008, at 2:10 PM, Jochem Maas wrote:

>> The order is reversed, so if $host has a non-zero length, it is not
>> escaped.
>
> first thing that I noticed, second wondering why no charset was
> specified, thirdly was wondering why it's not plain:
>
>     $host = htmlentities($host);
>
> but nonetheless your point stands, :-)

Yeah, fair enough. To my credit, I also noticed the problem without spending more than a second or two on that line, but I also recognized how it could be missed. To me, it's similar to missing when someone calls a function and gets the order of arguments wrong. You can tell what they meant, so the error doesn't stand out as boldly. Perhaps subconsciously you anticipate that they're right, because in most of the code, they are.

The challenge of being perfect is why I've developed a number of tools to help me out. I'm going to release one of the best of these as open source in a few months. I might mention that on this list, since it seems appropriate. Hopefully no one will mind the "advertising" too much. :-)

> now about that charset ... your blog post uses UTF-7 to demonstrate the
> potential for problems ... but htmlentities() doesn't support that
> charset, or at least not according to the docs, in fact the list of
> supported charsets is quite limited, out of curiosity what would your
> recommendation be if one is faced with having to 'htmlentize' a string
> encoded in UTF-7 or some other charset not supported by htmlentities()?

That's a good question. I would probably convert it to something like UTF-8, escape it, then convert it back. I've never faced this situation, and the scenario I was recreating in my post was when someone attacked Google using UTF-7. Google didn't actually want to support that character encoding.

If you specify ISO-8859-1 in your Content-Type header, it's actually fine to omit the character encoding in htmlentities(), because it uses that by default. (Also, not all mismatches are exploitable.) However, it always catches my eye, because it demonstrates a lax treatment of character encoding in general. I like to see it explicitly declared everywhere.

> a second question: strip_tags() doesn't have a charset parameter, how
> does it manage to cope without knowing the input string encoding? or
> does it not and is it actually vulnerable to maliciously encoded input?

My guess would be that it doesn't cope. :-) I never use strip_tags(), so someone else might be able to offer a much better answer.

Hope that helps, and thanks for the discussion.

Chris

--
Chris Shiflett
http://shiflett.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
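Added example, not code from any post in this thread. It shows the "convert to UTF-8, escape, convert back" approach Chris suggests above, and why escaping the raw bytes without converting does nothing against a UTF-7 payload: the angle brackets are carried as "+ADw-" and "+AD4-", which contain no '<' or '>' for htmlentities() to see. The function name is mine, the payload is constructed, and the block needs the mbstring extension. Two points of context the thread predates: since PHP 5.4 the default charset for htmlentities() is UTF-8 rather than ISO-8859-1, and since PHP 8.1 the default flags include ENT_QUOTES; the example passes both explicitly so it behaves the same on any version. In practice the convert-back step is only needed if you really must emit the original encoding; normalising to UTF-8 once and declaring it in Content-Type is the simpler fix.

```php
<?php
// Added example (not from the thread). Round-trip an unsupported charset
// through UTF-8 so htmlentities() operates on real characters. The function
// name is assumed for illustration; requires ext/mbstring.

// Escape a string that arrives in encoding $from (here UTF-7) by converting
// to UTF-8, escaping there, and converting the result back to $from.
function htmlentities_via_utf8(string $s, string $from): string
{
    $utf8    = mb_convert_encoding($s, 'UTF-8', $from);
    $escaped = htmlentities($utf8, ENT_QUOTES | ENT_HTML401, 'UTF-8');
    return mb_convert_encoding($escaped, $from, 'UTF-8');
}

// Returns true when escaping $s under $charset leaves it byte-for-byte
// unchanged, i.e. the escaper found nothing it recognised as markup.
function escaper_is_blind(string $s, string $charset): bool
{
    return htmlentities($s, ENT_QUOTES | ENT_HTML401, $charset) === $s;
}

// Whatever encoding is finally sent, declare it, and pass the same charset
// to htmlentities(). No-op on the CLI; must precede any output.
header('Content-Type: text/html; charset=UTF-8');

// Constructed payload: "<script>alert(1)</script>" encoded as UTF-7.
// '<' is U+003C -> "+ADw-", '>' is U+003E -> "+AD4-"; the rest is direct.
$utf7 = '+ADw-script+AD4-alert(1)+ADw-/script+AD4-';

// Escaping the bytes as if they were UTF-8 (or ISO-8859-1) changes nothing,
// which is the mismatch the thread is talking about: a browser coaxed into
// decoding the page as UTF-7 then sees a real <script> element.
echo escaper_is_blind($utf7, 'UTF-8')
    ? "escaped as UTF-8: payload passed through untouched\n"
    : "escaped as UTF-8: payload was altered\n";

// Converting first lets htmlentities() see the actual '<' and '>'.
$safe = htmlentities_via_utf8($utf7, 'UTF-7');

// Decode the result once more so a human can read what would be emitted.
echo mb_convert_encoding($safe, 'UTF-8', 'UTF-7'), "\n";
```

The decoded output is the escaped form of the script tag; the first echo reports that the unconverted bytes were passed through. strip_tags(), raised in the question above, takes no charset argument at all, so the same round-trip is the only way to give it real characters to work on.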
Re: [PHP] what's the difference in the following code?
> The difference between the examples are still nothing, it do the same.
> But I never use the short version of if, because when I look after some month
> in some projects I have a better overview when there is a long if , its much
> easier to extend.

As explained a couple of times already - there is not supposed to be a difference. It's about security and making code maintenance easier.

[quote to Chris's former post]
(..) imagine you're manually reviewing a colleague's code, and you're looking through a few thousand lines to try to help identify security problems. (..)
[end quote]

It's the old "What's good code and what's bad code?" discussion. In this case ternary operations are bad code.

> sorry for my bad english

[in German:] The code does not differ in execution. It is a security question.

sorry for my bad German

//A yeti
Re: [PHP] what's the difference in the following code?
On Oct 17, 2008, at 1:58 PM, Lamp Lists wrote:

> I'm reading "Essential PHP Security" by Chris Shiflett.
>
> on the very beginning, page 5 & 6, if I got it correct, he said this is
> not good:
>
>     $search = isset($_GET['search']) ? $_GET['search'] : '';
>
> and this is good:
>
>     $search = '';
>     if (isset($_GET['search']))
>     {
>         $search = $_GET['search'];
>     }
>
> what's the difference? I really can't see?

The difference between the examples is still nothing; it does the same. But I never use the short version of if, because when I look at some projects after some months I have a better overview when there is a long if; it's much easier to extend.

sorry for my bad english

greetz

Thomas
Re: [PHP] what's the difference in the following code?
Chris Shiflett wrote:
> On Oct 17, 2008, at 1:58 PM, Lamp Lists wrote:
>
>> I'm reading "Essential PHP Security" by Chris Shiflett.
>>
>> on the very beginning, page 5 & 6, if I got it correct, he said this
>> is not good:
>>
>>     $search = isset($_GET['search']) ? $_GET['search'] : '';
>>
>> and this is good:
>>
>>     $search = '';
>>     if (isset($_GET['search']))
>>     {
>>         $search = $_GET['search'];
>>     }
>>
>> what's the difference? I really can't see?
>
> I believe I was trying to emphasize how simple, obvious code can be a
> boon to security. I'm sure I could have picked a better example, but let
> me show you a line of code I noticed in a security audit just yesterday
> (only the variable name has been changed to be generic):
>
>     $host = strlen($host) > 0 ? $host : htmlentities($host);
>
> We have developed tools to help us find things like this, but imagine
> you're manually reviewing a colleague's code, and you're looking through
> a few thousand lines to try to help identify security problems.
>
> In this particular example, my first thought was to suggest specifying
> the character encoding when using htmlentities(), and making sure this
> matches the Content-Type header, to avoid things like this:
>
> http://shiflett.org/blog/2005/dec/google-xss-example
>
> You might also be distracted by the comparison of strlen() to 0, since
> it seems like you could simply rely on a boolean evaluation of strlen()
> instead.
>
> Can you spot the bigger problem?
>
> The order is reversed, so if $host has a non-zero length, it is not
> escaped.

first thing that I noticed, second wondering why no charset was specified, thirdly was wondering why it's not plain:

    $host = htmlentities($host);

but nonetheless your point stands, :-)

now about that charset ... your blog post uses UTF-7 to demonstrate the potential for problems ... but htmlentities() doesn't support that charset, or at least not according to the docs, in fact the list of supported charsets is quite limited, out of curiosity what would your recommendation be if one is faced with having to 'htmlentize' a string encoded in UTF-7 or some other charset not supported by htmlentities()?

a second question: strip_tags() doesn't have a charset parameter, how does it manage to cope without knowing the input string encoding? or does it not and is it actually vulnerable to maliciously encoded input?
Re: [PHP] what's the difference in the following code?
At 11:00 AM -0400 10/23/08, Chris Shiflett wrote:
> On Oct 17, 2008, at 1:58 PM, Lamp Lists wrote:
>
>> I'm reading "Essential PHP Security" by Chris Shiflett.
>>
>> on the very beginning, page 5 & 6, if I got it correct, he said this
>> is not good:
>>
>>     $search = isset($_GET['search']) ? $_GET['search'] : '';
>>
>> and this is good:
>>
>>     $search = '';
>>     if (isset($_GET['search']))
>>     {
>>         $search = $_GET['search'];
>>     }
>>
>> what's the difference? I really can't see?
>
> I believe I was trying to emphasize how simple, obvious code can be a
> boon to security.

That's the way I read what you wrote and your example was fine with me.

The problem here is that the OP simply misunderstood what you were trying to convey. Because of a language problem, he did not realize that you were simply showing how a tainted variable could "stand-out" in one set of code while being obscured in another. Instead, he thought you were saying that one method was secure and the other wasn't and wanted to have someone explain the difference.

I did my best to convey what I thought you were saying, but all clarifications lead to more confusion.

Cheers,

tedd

--
---
http://sperling.com
http://ancientstones.com
http://earthstones.com
Re: [PHP] what's the difference in the following code?
On Thu, 2008-10-23 at 11:00 -0400, Chris Shiflett wrote:
> On Oct 17, 2008, at 1:58 PM, Lamp Lists wrote:
>
>> I'm reading "Essential PHP Security" by Chris Shiflett.
>>
>> on the very beginning, page 5 & 6, if I got it correct, he said this
>> is not good:
>>
>>     $search = isset($_GET['search']) ? $_GET['search'] : '';
>>
>> and this is good:
>>
>>     $search = '';
>>     if (isset($_GET['search']))
>>     {
>>         $search = $_GET['search'];
>>     }
>>
>> what's the difference? I really can't see?
>
> I believe I was trying to emphasize how simple, obvious code can be a
> boon to security. I'm sure I could have picked a better example, but
> let me show you a line of code I noticed in a security audit just
> yesterday (only the variable name has been changed to be generic):
>
>     $host = strlen($host) > 0 ? $host : htmlentities($host);
>
> We have developed tools to help us find things like this, but imagine
> you're manually reviewing a colleague's code, and you're looking
> through a few thousand lines to try to help identify security problems.
>
> In this particular example, my first thought was to suggest specifying
> the character encoding when using htmlentities(), and making sure this
> matches the Content-Type header, to avoid things like this:
>
> http://shiflett.org/blog/2005/dec/google-xss-example
>
> You might also be distracted by the comparison of strlen() to 0, since
> it seems like you could simply rely on a boolean evaluation of
> strlen() instead.
>
> Can you spot the bigger problem?
>
> The order is reversed, so if $host has a non-zero length, it is not
> escaped.

That was the first thing I noticed. What I still don't understand is why bother with the strlen? An empty string marked up with htmlentities() is still an empty string. Now the code has two functions invoked when the string is non-empty rather than one... htmlentities().

Cheers,
Rob.

--
http://www.interjinn.com
Application and Templating Framework for PHP
Re: [PHP] what's the difference in the following code?
On Oct 17, 2008, at 1:58 PM, Lamp Lists wrote:

> I'm reading "Essential PHP Security" by Chris Shiflett.
>
> on the very beginning, page 5 & 6, if I got it correct, he said this is
> not good:
>
>     $search = isset($_GET['search']) ? $_GET['search'] : '';
>
> and this is good:
>
>     $search = '';
>     if (isset($_GET['search']))
>     {
>         $search = $_GET['search'];
>     }
>
> what's the difference? I really can't see?

I believe I was trying to emphasize how simple, obvious code can be a boon to security. I'm sure I could have picked a better example, but let me show you a line of code I noticed in a security audit just yesterday (only the variable name has been changed to be generic):

    $host = strlen($host) > 0 ? $host : htmlentities($host);

We have developed tools to help us find things like this, but imagine you're manually reviewing a colleague's code, and you're looking through a few thousand lines to try to help identify security problems.

In this particular example, my first thought was to suggest specifying the character encoding when using htmlentities(), and making sure this matches the Content-Type header, to avoid things like this:

http://shiflett.org/blog/2005/dec/google-xss-example

You might also be distracted by the comparison of strlen() to 0, since it seems like you could simply rely on a boolean evaluation of strlen() instead.

Can you spot the bigger problem?

The order is reversed, so if $host has a non-zero length, it is not escaped. When spending mere seconds per line, on average, reviewing a lot of code, this is exactly the sort of thing that's not that hard to miss. The real question is whether it would be slightly harder to miss if expanded:

    if (strlen($host) > 0)
    {
        $host = $host;
    }
    else
    {
        $host = htmlentities($host);
    }

I think it's much less likely to be overlooked when written like this, and this is the sort of decision that many developers take for granted.

If you're too proud to admit that the ternary is less obvious, or too proud to admit that you could ever make a mistake like this, maybe you can at least convince yourself that not everyone is as clever as you, and code that is easier to review is ultimately going to be better code.

Hope that helps,

Chris

--
Chris Shiflett
http://shiflett.org/
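Added example, not code from Chris's post or from the audit he describes. It puts the audited line next to a corrected one and runs both over a constructed tainted value, so the effect of the reversed branches is visible rather than argued. The function names are mine; the tainted string stands in for something like $_SERVER['HTTP_HOST'] or a query parameter. The corrected version also does what Chris's first instinct was: it states the flags and charset, and sends a matching Content-Type.

```php
<?php
// Added example (not from the thread). The audited line beside a corrected
// version; function names are assumed for illustration.

// The line exactly as found in the audit. The branches are reversed: any
// non-empty $host is returned untouched, and only the empty string is escaped.
function escape_host_audited(string $host): string
{
    return strlen($host) > 0 ? $host : htmlentities($host);
}

// Corrected form. The strlen() guard buys nothing, since htmlentities('') is
// '', so escape unconditionally. Flags and charset are explicit, and the
// charset must be the one declared in the Content-Type header.
function escape_host_fixed(string $host): string
{
    return htmlentities($host, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// True when $escape returns its input byte-for-byte: the tainted value
// reached the output context without being touched.
function passes_through(callable $escape, string $input): bool
{
    return $escape($input) === $input;
}

// True when no character that can open or close HTML markup survives.
function has_no_markup_chars(string $s): bool
{
    return strpbrk($s, '<>"\'') === false;
}

// Declare the same charset the escaper is told about. On the CLI this is a
// no-op; under a web server it has to come before any output.
header('Content-Type: text/html; charset=UTF-8');

// Constructed tainted input: a hostname with an injected attribute close
// and script element, the kind of thing a reflected Host header carries.
$tainted = 'example.com"><script>alert(1)</script>';

// Written as if/else on purpose, given the thread.
if (passes_through('escape_host_audited', $tainted)) {
    echo "audited line: tainted value passed through unescaped\n";
} else {
    echo "audited line: value was escaped\n";
}

$safe = escape_host_fixed($tainted);
if (has_no_markup_chars($safe)) {
    echo "fixed line:   no raw markup characters remain\n";
} else {
    echo "fixed line:   markup characters survived\n";
}

echo $safe, "\n";
```

Run from the command line with php, the first check reports that the audited line hands the payload through unchanged, and the second that the corrected line leaves no raw quote or angle bracket in the output.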
Re: [PHP] what's the difference in the following code?
At 2:44 AM -0700 10/21/08, Yeti wrote:
> Somebody please tell me that I do not have to rewrite my code base now,
> since I care about security.

You do not have to rewrite your code because you use ternary operators! Nobody said that.

Again, Chris was not saying that it was the use of the operator that was a security issue, but rather its use could obscure the fact that the operator, as in the case he provided, could produce a tainted variable.

Perhaps I've confused what Chris tried to say -- so, I suggest that everyone who is interested in arguing this point further buy Chris' book and read it for themselves.

Cheers,

tedd

--
---
http://sperling.com
http://ancientstones.com
http://earthstones.com
Re: [PHP] what's the difference in the following code?
tedd wrote:
> At 6:37 AM -0700 10/20/08, Lamp Lists wrote:
>> - Original Message
>>
>> From: tedd <[EMAIL PROTECTED]>
>> To: Lamp Lists <[EMAIL PROTECTED]>; php-general@lists.php.net
>> Sent: Monday, October 20, 2008 8:25:50 AM
>> Subject: Re: [PHP] what's the difference in the following code?
>>
>> At 10:58 AM -0700 10/17/08, Lamp Lists wrote:
>>> I'm reading "Essential PHP Security" by Chris Shiflett.
>>>
>>> on the very beginning, page 5 & 6, if I got it correct, he said this
>>> is not good:
>
> NO, you did not get it correct.
>
>> how it's so obvious? I can't see it either?
>>
>> -ll
>
> Re-read those paragraphs.
>
> He was not telling you that one way was better than the other. He WAS
> saying that one way showed the tainted variable more obvious than the
> other -- that's all.
>
> I hate it when people take things out of context and misquote others.
> Chris did not say that one way was better, or different, than the other.
> But rather he used two sets of code to illustrate a point.

seems to me the point being illustrated is not at all objective in its premise. I find the ternary syntax easier to read/grok than the 3 liner. in both cases you need to understand the 'if' context to see when the variable is tainted.

all that can be said is that one way is more obvious than the other to *Chris*, which doesn't do anybody but Chris much good ... obviously it's a rather silly point ... the useful parts of Chris' work revolve around where he explains *how* to validate/cleanse the tainted value ... extracting the goodness is a matter of evaluating and possibly disregarding statements/information which are secondary and/or irrelevant.

> Again, re-read those paragraphs.
>
> Cheers,
>
> tedd
Re: [PHP] what's the difference in the following code?
OP = original poster (in this case I guess)
http://acronyms.thefreedictionary.com/OP

So it's all about making code readable and probably easier to maintain (even for people unfamiliar with the script). Doesn't that render the ternary operator IF-statement unnecessary? Have I been totally wrong using it in countless scripts of mine (always thought it's a neat way to do if)? Somebody please tell me that I do not have to rewrite my code base now, since I care about security.

Btw. PHP's ternary inconsistency here ..
http://en.wikipedia.org/wiki/%3F:#Inconsistency_of_implementations

And how about this ..

    switch (isset($_GET['search'])) {
        case true:
            $search = $_GET['search'];
            break 1;
        default:
            $search = '';
    }
Re: [PHP] what's the difference in the following code?
- Original Message
From: tedd <[EMAIL PROTECTED]>
To: php-general@lists.php.net
Sent: Monday, October 20, 2008 4:15:02 PM
Subject: Re: [PHP] what's the difference in the following code?

> At 10:12 AM -0400 10/20/08, Daniel Brown wrote:
>> On Mon, Oct 20, 2008 at 10:02 AM, tedd <[EMAIL PROTECTED]> wrote:
>>>
>>> I hate it when people take things out of context and misquote others.
>>> Chris did not say that one way was better, or different, than the
>>> other. But rather he used two sets of code to illustrate a point.
>>
>> Welcome back, Grum-pa. Glad to see you're willing to flame people
>> whose first language is not English. ;-P
>
> If he wanted my advice in a different language, then he should have
> asked his question in that language. That way I could have ignored him
> in mine. Besides, I'm not flaming in his language, so that should
> balance out.
>
> In this case, the introduction chapter of Chris' PHP Security clearly
> states several things one can do to simplify the task of security. One
> of which is to understand that the way you code can hide tainted
> variables.
>
> Chris illustrated his "tainted" point by asking the reader to compare
> these two structures:
>
> [1]
>     $search = isset($_GET['search']) ? $_GET['search'] : '';
>
> [2]
>     $search = '';
>     if (isset($_GET['search']))
>     {
>         $search = $_GET['search'];
>     }
>
> He ALSO said that:
>
> -- quote
> "The approach is identical, but one line in particular now draws much
> attention:
>
>     $search = $_GET['search'];
>
> Without altering the logic in any way, it is now more obvious whether
> $search is tainted and under what conditions."
> -- un-quote
>
> Now, instead of the OP getting the point the OP flies off on a tangent
> asking us "what's the difference in the following code?" and of course
> the answer is "There is no difference." BUT, Chris didn't say there
> was, as was implied by the OP in his post.
>
> Sure I can understand language problems, but this thread was started
> because the OP couldn't understand a simple concept that was stated in
> less than ten (10) sentences. Our collective replies amounted to more
> lines than that -- with the obvious language problems the OP has with
> the written word, who knows what the OP thinks now.
>
> But the point is that Chris did not say there WAS a difference as was
> implied by the OP -- and that was my point.

Some people just CAN'T understand there are some barriers in languages that could cause misunderstanding.

True, I didn't understand Chris' statement correctly and now, after tedd's explanation, it is clear to me, and I thank him. Though "I hate it" (as somebody said) when I always regret posting a question and asking for help because of those arrogant "php masters". If you didn't understand, and most likely you didn't, I asked because I had a problem and asked for help, not to be smart or flame something. I didn't understand. But you don't KNOW how to answer people without "killing" them or at least slapping them. And using some "local" shortcuts (OP ?!?) could be rather annoying?

-ll

> Cheers,
>
> tedd
>
> --
> ---
> http://sperling.com
> http://ancientstones.com
> http://earthstones.com
Re: [PHP] what's the difference in the following code?
At 10:12 AM -0400 10/20/08, Daniel Brown wrote:
> On Mon, Oct 20, 2008 at 10:02 AM, tedd <[EMAIL PROTECTED]> wrote:
>>
>> I hate it when people take things out of context and misquote others.
>> Chris did not say that one way was better, or different, than the
>> other. But rather he used two sets of code to illustrate a point.
>
> Welcome back, Grum-pa. Glad to see you're willing to flame people
> whose first language is not English. ;-P

If he wanted my advice in a different language, then he should have asked his question in that language. That way I could have ignored him in mine. Besides, I'm not flaming in his language, so that should balance out.

In this case, the introduction chapter of Chris' PHP Security clearly states several things one can do to simplify the task of security. One of which is to understand that the way you code can hide tainted variables.

Chris illustrated his "tainted" point by asking the reader to compare these two structures:

[1]
    $search = isset($_GET['search']) ? $_GET['search'] : '';

[2]
    $search = '';
    if (isset($_GET['search']))
    {
        $search = $_GET['search'];
    }

He ALSO said that:

-- quote
"The approach is identical, but one line in particular now draws much attention:

    $search = $_GET['search'];

Without altering the logic in any way, it is now more obvious whether $search is tainted and under what conditions."
-- un-quote

Now, instead of the OP getting the point the OP flies off on a tangent asking us "what's the difference in the following code?" and of course the answer is "There is no difference." BUT, Chris didn't say there was, as was implied by the OP in his post.

Sure I can understand language problems, but this thread was started because the OP couldn't understand a simple concept that was stated in less than ten (10) sentences. Our collective replies amounted to more lines than that -- with the obvious language problems the OP has with the written word, who knows what the OP thinks now.

But the point is that Chris did not say there WAS a difference as was implied by the OP -- and that was my point.

Cheers,

tedd

--
---
http://sperling.com
http://ancientstones.com
http://earthstones.com
Re: [PHP] what's the difference in the following code?
On Mon, Oct 20, 2008 at 10:02 AM, tedd <[EMAIL PROTECTED]> wrote:
>
> I hate it when people take things out of context and misquote others.
> Chris did not say that one way was better, or different, than the
> other. But rather he used two sets of code to illustrate a point.

Welcome back, Grum-pa. Glad to see you're willing to flame people whose first language is not English. ;-P

--
http://www.parasane.net/ [New Look]
[EMAIL PROTECTED] || [EMAIL PROTECTED]
Re: [PHP] what's the difference in the following code?
At 6:37 AM -0700 10/20/08, Lamp Lists wrote:
> - Original Message
>
> From: tedd <[EMAIL PROTECTED]>
> To: Lamp Lists <[EMAIL PROTECTED]>; php-general@lists.php.net
> Sent: Monday, October 20, 2008 8:25:50 AM
> Subject: Re: [PHP] what's the difference in the following code?
>
> At 10:58 AM -0700 10/17/08, Lamp Lists wrote:
>> I'm reading "Essential PHP Security" by Chris Shiflett.
>>
>> on the very beginning, page 5 & 6, if I got it correct, he said this
>> is not good:

NO, you did not get it correct.

> how it's so obvious? I can't see it either?
>
> -ll

Re-read those paragraphs.

He was not telling you that one way was better than the other. He WAS saying that one way showed the tainted variable more obvious than the other -- that's all.

I hate it when people take things out of context and misquote others. Chris did not say that one way was better, or different, than the other. But rather he used two sets of code to illustrate a point.

Again, re-read those paragraphs.

Cheers,

tedd

--
---
http://sperling.com
http://ancientstones.com
http://earthstones.com
Re: [PHP] what's the difference in the following code?
- Original Message
From: tedd <[EMAIL PROTECTED]>
To: Lamp Lists <[EMAIL PROTECTED]>; php-general@lists.php.net
Sent: Monday, October 20, 2008 8:25:50 AM
Subject: Re: [PHP] what's the difference in the following code?

> At 10:58 AM -0700 10/17/08, Lamp Lists wrote:
>> I'm reading "Essential PHP Security" by Chris Shiflett.
>>
>> on the very beginning, page 5 & 6, if I got it correct, he said this
>> is not good:
>>
>>     $search = isset($_GET['search']) ? $_GET['search'] : '';
>>
>> and this is good:
>>
>>     $search = '';
>>     if (isset($_GET['search']))
>>     {
>>         $search = $_GET['search'];
>>     }
>>
>> what's the difference? I really can't see?
>> to me is more the way you like to write your code (and I like the
>> top one :-) )?
>>
>> thanks.
>>
>> -ll
>
> The problem here is you have to read and understand what the author is
> trying to say.
>
> Chris is NOT saying that there is a difference between these two forms
> of code. He is saying that one hides the fact that the variable
> ($search) is tainted while the other makes it more obvious.
>
> The whole point of the first few pages is to show you how a variable
> can be tainted and how you can minimize that by following some very
> simple rules, one of which was simplicity, which you had problems
> following.
>
> With just a little reading, you could have answered your own question.
>
> Cheers,
>
> tedd

how is it so obvious? I can't see it either?

-ll

> PS: I'm back
>
> --
> ---
> http://sperling.com
> http://ancientstones.com
> http://earthstones.com
Re: [PHP] what's the difference in the following code?
At 10:58 AM -0700 10/17/08, Lamp Lists wrote:
> I'm reading "Essential PHP Security" by Chris Shiflett.
>
> on the very beginning, page 5 & 6, if I got it correct, he said this
> is not good:
>
>     $search = isset($_GET['search']) ? $_GET['search'] : '';
>
> and this is good:
>
>     $search = '';
>     if (isset($_GET['search']))
>     {
>         $search = $_GET['search'];
>     }
>
> what's the difference? I really can't see?
> to me is more the way you like to write your code (and I like the top
> one :-) )?
>
> thanks.
>
> -ll

The problem here is you have to read and understand what the author is trying to say.

Chris is NOT saying that there is a difference between these two forms of code. He is saying that one hides the fact that the variable ($search) is tainted while the other makes it more obvious.

The whole point of the first few pages is to show you how a variable can be tainted and how you can minimize that by following some very simple rules, one of which was simplicity, which you had problems following.

With just a little reading, you could have answered your own question.

Cheers,

tedd

PS: I'm back

--
---
http://sperling.com
http://ancientstones.com
http://earthstones.com
Re: [PHP] what's the difference in the following code?
2008/10/17 Lamp Lists <[EMAIL PROTECTED]>:
> I'm reading "Essential PHP Security" by Chris Shiflett.
>
> on the very beginning, page 5 & 6, if I got it correct, he said this is not
> good:
>
>     $search = isset($_GET['search']) ? $_GET['search'] : '';
>
> and this is good:
>
>     $search = '';
>     if (isset($_GET['search']))
>     {
>         $search = $_GET['search'];
>     }
>
> what's the difference? I really can't see?
> to me is more the way you like to write your code (and I like the top one :-)
> )?
>
> thanks.
>
> -ll
>

Chris posts here, you might want to stfa for his address and cc him the question to the list. Just be sure not to bug him offlist, that is generally frowned upon.

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
ä-ö-ü-ß-Ä-Ö-Ü
Re: [PHP] what's the difference in the following code?
On Fri, Oct 17, 2008 at 1:58 PM, Lamp Lists <[EMAIL PROTECTED]> wrote:
> I'm reading "Essential PHP Security" by Chris Shiflett.
>
> on the very beginning, page 5 & 6, if I got it correct, he said this is not
> good:
>
>     $search = isset($_GET['search']) ? $_GET['search'] : '';
>
> and this is good:
>
>     $search = '';
>     if (isset($_GET['search']))
>     {
>         $search = $_GET['search'];
>     }
>
> what's the difference? I really can't see?
> to me is more the way you like to write your code (and I like the top one :-)
> )?
>
> thanks.
>
> -ll

In this exact context there's no real difference. But in the real world when you need to validate that an input value is a number and has a minimum of X, a maximum of X, then your ternary shortcut will not cut it.

I still wouldn't write mine either of those ways. Look into ext/filter [1] or Zend validators [2]. I'm of the school where you shouldn't sanitize a value, but rather validate it and escape it appropriately based on usage context. This takes a lot of discipline & can be dangerous if you forget even one spot.

[1] http://us3.php.net/manual/en/function.filter-input.php
[2] http://framework.zend.com/manual/en/zend.validate.html
Re: [PHP] what's the difference in the following code?
> I'm reading "Essential PHP Security" by Chris Shiflett.
>
> on the very beginning, page 5 & 6, if I got it correct, he said this is not
> good:
>
>     $search = isset($_GET['search']) ? $_GET['search'] : '';
>
> and this is good:
>
>     $search = '';
>     if (isset($_GET['search']))
>     {
>         $search = $_GET['search'];
>     }
>
> what's the difference? I really can't see?
> to me is more the way you like to write your code (and I like the top one :-)
> )?

They appear to be the same (to me at least). Just remember that you need to correctly sanitise or quote them before using them in a (for example) SQL query. For example if $_GET['search'] contains single quote, (or double quote), your query may break. Ensure you handle that eventuality too.

--
Richard Heyes
HTML5 Graphing for FF, Chrome, Opera and Safari:
http://www.rgraph.org
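Added example, not code from either of the two posts above or from the ext/filter manual. It combines the points they make: the post recommending ext/filter wants a value validated against a type and a range rather than "sanitized", and Richard's post warns about a quote in $_GET['search'] breaking a query. The block validates a page number with a minimum and maximum (the case a bare isset() ternary cannot express), accepts a search term without stripping its quotes, and then escapes once per output context: htmlspecialchars() for HTML and a bound parameter for SQL. All names (docs, page, search, the helper functions) are mine. A constructed $get array stands in for $_GET so it runs from the CLI; in a request filter_input(INPUT_GET, ...) takes the same filter and options. The SQL part needs pdo_sqlite.

```php
<?php
// Added example (not from the thread). Validate with ext/filter, then escape
// per output context. Table, parameter and function names are assumed.

// Numeric parameter with a minimum and maximum. Returns null when the
// value is absent, non-numeric, an array, or out of range: reject, never coerce.
function validate_page(array $get): ?int
{
    if (!isset($get['page'])) {
        return null;
    }
    $v = filter_var($get['page'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 1000],
    ]);
    return $v === false ? null : $v;
}

// Free-text search term: must be a well-formed UTF-8 string of at most 64
// characters. Quotes are legitimate input and stay in; the output context
// decides how they are rendered, not the input filter.
function validate_search(array $get): ?string
{
    if (!isset($get['search']) || !is_string($get['search'])) {
        return null;
    }
    $s = $get['search'];
    if (!mb_check_encoding($s, 'UTF-8') || mb_strlen($s, 'UTF-8') > 64) {
        return null;
    }
    return $s;
}

// HTML context: escape at the point of output, charset stated explicitly.
function for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// SQL context: never interpolate, bind. LIKE's own metacharacters are
// escaped as well, so a user typing '%' searches for a literal percent sign.
function find_docs(PDO $db, string $search): array
{
    $pattern = '%' . str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $search) . '%';
    $stmt = $db->prepare("SELECT id, title FROM docs WHERE title LIKE :q ESCAPE '\\'");
    $stmt->execute([':q' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed fixture: an in-memory SQLite database with a few titles,
// including the two characters that break hand-built queries and LIKE.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE docs (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO docs (title) VALUES ('O''Brien report'), ('100% done'), ('misc')");

// Constructed request, standing in for $_GET. The single quote is the case
// Richard's post warns about.
$get = ['page' => '7', 'search' => "O'Brien"];

$page   = validate_page($get);
$search = validate_search($get);
if ($page === null || $search === null) {
    http_response_code(400);
    exit("bad request\n");
}

echo 'page: ', $page, "\n";
echo 'html: ', for_html($search), "\n";
print_r(find_docs($db, $search));

// Values outside the contract are rejected, not silently fixed up.
var_dump(validate_page(['page' => '5000']));
var_dump(validate_page(['page' => '7; DROP TABLE docs']));
```

The search term keeps its apostrophe all the way through: the HTML line shows it as a character reference, the query matches the O'Brien row because the quote travels as a bound value rather than as SQL text, and the two trailing var_dump() calls both report null.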