> I'm reading "Essential PHP Security" by Chris Shiflett.
>
> At the very beginning, pages 5 & 6, if I got it correct, he said this is not good:
>
> $search = isset($_GET['search']) ? $_GET['search'] : '';
>
> and this is good:
>
> $search = '';
> if (isset($_GET['search']))
> {
>     $search = $_GET['search'];
> }
>
> What's the difference? I really can't see it.
> To me it's more the way you like to write your code (and I like the top one :-) )?

They appear to be the same (to me at least). Just remember that you need to correctly sanitise or quote them before using them in a (for example) SQL query. For example, if $_GET['search'] contains a single quote (or double quote), your query may break. Ensure you handle that eventuality too.

-- 
Richard Heyes
HTML5 Graphing for FF, Chrome, Opera and Safari:
http://www.rgraph.org

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
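As an added example, not code from the thread above or from Shiflett's book: a short PHP script showing what the reply means by "your query may break" when $_GET['search'] holds a quote, and the prepared-statement fix. It assumes the pdo_sqlite extension is loaded; the products table, its rows and the simulated request values are constructed for the demo.

```php
<?php
// Added example (not from the original post or the book). Requires pdo_sqlite.
// The products table, its rows and the $_GET values below are constructed for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)');
$pdo->exec("INSERT INTO products (name, hidden) VALUES ('apple', 0), ('bob''s pear', 0), ('secret', 1)");

// Simulated request input (constructed): a value containing a single quote.
$_GET['search'] = "bob's";

// Same read as in the quoted question; the ternary and the if-block yield the same string.
$search = isset($_GET['search']) ? $_GET['search'] : '';

// 1. Unsafe: string concatenation. The quote inside $search terminates the SQL
//    string literal, so the statement no longer parses (or, with a crafted value,
//    parses as a different statement).
function unsafeSearch(PDO $pdo, string $search): string
{
    $sql = "SELECT name FROM products WHERE hidden = 0 AND name LIKE '%" . $search . "%'";
    try {
        $rows = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
        return 'rows: ' . implode(', ', $rows);
    } catch (PDOException $e) {
        return 'query broke: ' . $e->getMessage();
    }
}

// 2. Safe: a prepared statement. The value is bound as data, so quotes (or
//    anything else) in it cannot change the structure of the query.
//    PDO::quote($search) is the "quote them" alternative the reply mentions,
//    but binding is the simpler habit.
function safeSearch(PDO $pdo, string $search): array
{
    $stmt = $pdo->prepare('SELECT name FROM products WHERE hidden = 0 AND name LIKE :pattern');
    $stmt->execute([':pattern' => '%' . $search . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

echo unsafeSearch($pdo, $search), PHP_EOL;
echo implode(', ', safeSearch($pdo, $search)), PHP_EOL;

// The worse case: a crafted value (constructed) that does not break the query
// but rewrites its WHERE clause so the hidden row is returned too.
$crafted = "%' OR hidden = 1 OR name LIKE '";
echo unsafeSearch($pdo, $crafted), PHP_EOL;
echo implode(', ', safeSearch($pdo, $crafted)), PHP_EOL;
```

Run with `php example.php`. The first unsafe call fails with a syntax error from SQLite, the crafted one succeeds and leaks the hidden row, while the prepared statement returns only rows whose name actually contains the submitted text. Note that binding protects the SQL structure only: `%` and `_` in user input are still LIKE wildcards, so escape those separately if a literal match is required.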