----- Original Message ----
From: tedd <tedd.sperling@xxxxxxxxx>
To: Lamp Lists <lamp.lists@xxxxxxxxx>; php-general@xxxxxxxxxxxxx
Sent: Monday, October 20, 2008 8:25:50 AM
Subject: Re: what's the difference in the following code?
At 10:58 AM -0700 10/17/08, Lamp Lists wrote:
>I'm reading "Essential PHP Security" by Chris Shiflett.
>
>on the very beginning, page 5 & 6, if I got it correct, he said this
>is not good:
>
>$search = isset($_GET['search']) ? $_GET['search'] : '';
>
>and this is good:
>
>$search = '';
>if (isset($_GET['search']))
>{
> $search = $_GET['search'];
>}
>
>what's the difference? I really can't see?
>to me is more the way you like to write your code (and I like the
>top one :-) )?
>
>thanks.
>
>-ll
The problem here is you have to read and understand what the author
is trying to say.
Chris is NOT saying that there is a difference between these two
forms of code. He is saying that one hides the fact that the variable
($search) is tainted while the other makes it more obvious.
The whole point of the first few pages is to show you how a variable
can be tainted and how you can minimize that by following some very
simple rules, one of which was simplicity, which you had problems
following.
With just a little reading, you could have answered your own question.
Cheers,
tedd
how it's so obvious? I can't see it either?
-ll
PS: I'm back
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
