----- Original Message ----
From: tedd <tedd.sperling@xxxxxxxxx>
To: Lamp Lists <lamp.lists@xxxxxxxxx>; php-general@xxxxxxxxxxxxx
Sent: Monday, October 20, 2008 8:25:50 AM
Subject: Re: what's the difference in the following code?

At 10:58 AM -0700 10/17/08, Lamp Lists wrote:
>I'm reading "Essential PHP Security" by Chris Shiflett.
>
>At the very beginning, pages 5 & 6, if I got it correct, he said this
>is not good:
>
>$search = isset($_GET['search']) ? $_GET['search'] : '';
>
>and this is good:
>
>$search = '';
>if (isset($_GET['search']))
>{
>    $search = $_GET['search'];
>}
>
>What's the difference? I really can't see it.
>To me it's more the way you like to write your code (and I like the
>top one :-) ).
>
>Thanks.
>
>-ll

The problem here is you have to read and understand what the author is
trying to say.

Chris is NOT saying that there is a difference between these two forms
of code. He is saying that one hides the fact that the variable
($search) is tainted while the other makes it more obvious.

The whole point of the first few pages is to show you how a variable can
be tainted and how you can minimize that by following some very simple
rules, one of which was simplicity, which you had problems following.

With just a little reading, you could have answered your own question.

Cheers,

tedd

How is it so obvious? I can't see it either.

-ll

PS: I'm back

--
-------
http://sperling.com
http://ancientstones.com
http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
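The two snippets in the thread assign the same value either way; what differs is how plainly the code shows that $search arrived from the client and has not been checked. The following is an added example, not from the thread or from Shiflett's book, that puts both forms next to the explicit initialise, validate, then use pattern the discussion is about. The request array, the whitelist rule inside validate_search() and the $clean array name are assumptions made for the example.

```php
<?php
// Added example: not code from the thread or from "Essential PHP Security".
// $_GET is filled in by hand here so the script runs from the CLI; in a
// web request PHP populates it from the query string. Constructed input.
$_GET = ['search' => "php <script>alert(1)</script>"];

// Form 1: one line. $search looks like an ordinary local variable, and
// nothing about the line says the value still needs checking.
$search = isset($_GET['search']) ? $_GET['search'] : '';

// Form 2: initialise, then assign. Two visible steps: a safe default,
// then a value that came from the client and is still untrusted.
$search = '';
if (isset($_GET['search'])) {
    $search = $_GET['search'];
}

// In both forms $search is tainted: it is raw request data. The habit
// that keeps the taint visible is to leave raw input in $_GET and move
// it into a separately named array only after it has been validated.
$clean = [];

function validate_search(string $raw): ?string
{
    // Hypothetical rule for this example: 1 to 64 characters drawn from
    // letters, digits, space and a few punctuation marks. Anything else
    // is rejected outright rather than "repaired".
    if (preg_match('/\A[\p{L}\p{N} .,\'-]{1,64}\z/u', $raw) === 1) {
        return $raw;
    }
    return null;
}

if (isset($_GET['search'])) {
    $validated = validate_search($_GET['search']);
    if ($validated !== null) {
        $clean['search'] = $validated;
    }
}

// From here on only $clean is used, and the value is escaped for the
// context it is written into (HTML here). With the constructed input
// above validation fails, so the fallback branch runs.
if (isset($clean['search'])) {
    echo 'Results for: ' . htmlspecialchars($clean['search'], ENT_QUOTES, 'UTF-8') . "\n";
} else {
    echo "No valid search term supplied.\n";
}
```

Reading the script top to bottom, the point tedd is making becomes visible in the names: a reviewer can see at a glance that $_GET holds untrusted data and $clean holds data that passed validate_search(), whereas a bare $search assigned on one line carries no such signal. Run it with `php example.php` after changing the constructed $_GET value to see which terms are accepted.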