On Fri, Oct 17, 2008 at 1:58 PM, Lamp Lists <lamp.lists@xxxxxxxxx> wrote:

> I'm reading "Essential PHP Security" by Chris Shiflett.
>
> At the very beginning, page 5 & 6, if I got it correct, he said this is not good:
>
>     $search = isset($_GET['search']) ? $_GET['search'] : '';
>
> and this is good:
>
>     $search = '';
>     if (isset($_GET['search']))
>     {
>         $search = $_GET['search'];
>     }
>
> What's the difference? I really can't see it.
> To me it is more the way you like to write your code (and I like the top one :-) )?
>
> Thanks.
>
> -ll

In this exact context there's no real difference. But in the real world, when you need to validate that an input value is a number and has a minimum of X and a maximum of X, your ternary shortcut will not cut it.

I still wouldn't write mine either of those ways. Look into ext/filter [1] or Zend validators [2].

I'm of the school where you shouldn't sanitize a value, but rather validate it and escape it appropriately based on usage context. This takes a lot of discipline & can be dangerous if you forget even one spot.

[1] http://us3.php.net/manual/en/function.filter-input.php
[2] http://framework.zend.com/manual/en/zend.validate.html

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
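The validate-then-escape approach the reply recommends, written out as an added example (this is not code from the thread or from Chris Shiflett's book). It assumes a query parameter named "page" that must be an integer between 1 and 100, and a free-text "search" parameter; both names and the range are made up for illustration. Validation uses ext/filter's FILTER_VALIDATE_INT with min_range/max_range, and escaping is done only at the point of output, for the HTML context, with htmlspecialchars(). filter_var() is used on a plain array so the example runs from the CLI; in a real request handler filter_input(INPUT_GET, ...) with the same filter and options does the same job.

```php
<?php
declare(strict_types=1);

/**
 * Validate the "page" parameter: must be present, an integer, and within
 * 1..100 (range and name are assumed for this example). Returns null for
 * anything that fails so the caller has to choose an explicit fallback,
 * instead of silently using an empty string the way the isset() idioms do.
 */
function validatedPage(array $query): ?int
{
    if (!isset($query['page'])) {
        return null;
    }
    // FILTER_VALIDATE_INT returns the int on success and false on failure;
    // "abc", "1e3", "0", "101" and "5; DROP" all fail here.
    $page = filter_var(
        $query['page'],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]
    );
    return $page === false ? null : $page;
}

/**
 * Validate the "search" parameter as a bounded string. Nothing is stripped
 * or "cleaned": an over-long or non-scalar value is simply rejected.
 */
function validatedSearch(array $query, int $maxLen = 64): ?string
{
    if (!isset($query['search']) || !is_string($query['search'])) {
        return null;
    }
    $search = $query['search'];
    return strlen($search) <= $maxLen ? $search : null;
}

/**
 * Escape for the HTML body/attribute context only when rendering.
 * A different sink (SQL, shell, JSON) would need its own escaping or
 * parameter binding; the stored value itself stays untouched.
 */
function renderResultHeading(?int $page, ?string $search): string
{
    $pageText   = $page === null ? '1' : (string) $page;
    $searchText = htmlspecialchars($search ?? '', ENT_QUOTES, 'UTF-8');
    return "<h2>Results for \"{$searchText}\" (page {$pageText})</h2>";
}

// Constructed sample inputs standing in for $_GET (assumed values).
$samples = [
    ['page' => '7',    'search' => 'php filter'],
    ['page' => '0',    'search' => 'php'],           // below min_range
    ['page' => 'abc',  'search' => 'php'],           // not an int
    ['page' => '42',   'search' => '<script>x</script>'],
    [],                                               // both absent
];

foreach ($samples as $q) {
    echo renderResultHeading(validatedPage($q), validatedSearch($q)), "\n";
}
```

With the constructed inputs above, the first and fourth rows keep their page numbers (7 and 42), the second, third and fifth fall back to page 1 because validation rejected or never saw the value, and the fourth row's search term is rendered as `&lt;script&gt;x&lt;/script&gt;` because escaping is applied at the HTML sink rather than by mutating the input.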