At 10:58 AM -0700 10/17/08, Lamp Lists wrote:
I'm reading "Essential PHP Security" by Chris Shiflett.
At the very beginning, pages 5 & 6, if I got it right, he said this
is not good:
$search = isset($_GET['search']) ? $_GET['search'] : '';
and this is good:
$search = '';
if (isset($_GET['search']))
{
    $search = $_GET['search'];
}
What's the difference? I really can't see it.
To me it's more about the way you like to write your code (and I like the
top one :-) ).
Thanks.
-ll
The problem here is you have to read and understand what the author
is trying to say.
Chris is NOT saying that there is a difference between these two
forms of code. He is saying that one hides the fact that the variable
($search) is tainted while the other makes it more obvious.
The whole point of the first few pages is to show you how a variable
can be tainted and how you can minimize that by following some very
simple rules, one of which was simplicity, which you had problems
following.
With just a little reading, you could have answered your own question.
Cheers,
tedd
PS: I'm back
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
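To make tedd's point concrete, here is an added example (not code from the thread or from the book) of what Shiflett's "keep the taint obvious" advice leads to in practice: raw request data stays visibly tainted, and only values that pass a validation check are copied into a separate array of clean data, which is the only thing the rest of the script uses. The `$_GET` contents, the `$clean` array name and the validation rules are constructed for this example.

```php
<?php
// Added example, not from the thread or from "Essential PHP Security".
// Both forms in the question produce the same $search; what matters is
// that the reader can see $search is tainted and never uses it directly.

// Constructed request data so the script runs offline; in a real request
// PHP fills $_GET from the query string.
$_GET = [
    'search' => 'php security <script>alert(1)</script>',
    'page'   => '12abc',
];

// Validated input only ever lives here.
$clean = [];

// $search is tainted: it came straight from the client.
$search = '';
if (isset($_GET['search'])) {
    $search = $_GET['search'];
}

// Allow-list check: a bounded string of letters, digits, underscores and
// spaces. Anything else is rejected and replaced with a safe default
// rather than "cleaned up", which is easy to get wrong.
if (is_string($search) && preg_match('/^[\w\s]{1,64}$/u', $search)) {
    $clean['search'] = $search;
} else {
    $clean['search'] = '';
}

// Same idea for a numeric parameter: check the format first, cast second.
if (isset($_GET['page']) && ctype_digit($_GET['page'])) {
    $clean['page'] = (int) $_GET['page'];
} else {
    $clean['page'] = 1;
}

// From here on only $clean is used. Validation does not replace escaping:
// output is still escaped for the context it goes into (HTML here).
echo 'Search: ' . htmlspecialchars($clean['search'], ENT_QUOTES, 'UTF-8') . "\n";
echo 'Page: ' . $clean['page'] . "\n";
```

With the constructed input above, `search` fails the allow-list (the `<` and `>` are not permitted) and falls back to the empty string, and `page` fails `ctype_digit` and falls back to 1. Replacing the search value with `php security` and the page with `12` shows both passing. The reason for the separate `$clean` array is exactly what tedd describes: a reviewer can grep for `$_GET` and `$_POST` and confirm that every tainted value passes through a check before it is used.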