At 10:12 AM -0400 10/20/08, Daniel Brown wrote:
> On Mon, Oct 20, 2008 at 10:02 AM, tedd <tedd.sperling@xxxxxxxxx> wrote:
>> I hate it when people take things out of context and misquote others. Chris
>> did not say that one way was better, or different, than the other. But
>> rather he used two sets of code to illustrate a point.
>
> Welcome back, Grum-pa. Glad to see you're willing to flame people
> whose first language is not English. ;-P
If he wanted my advice in a different language, then he should have
asked his question in that language. That way I could have ignored
him in mine. Besides, I'm not flaming in his language, so that should
balance out.
In this case, the introduction chapter of Chris' PHP Security clearly
states several things one can do to simplify the task of security.
One of which is to understand that the way you code can hide tainted
variables.
Chris illustrated his "tainted" point by asking the reader to compare
these two structures:
[1]
// ternary form: the read of $_GET['search'] is buried in the same line
$search = isset($_GET['search']) ? $_GET['search'] : '';
[2]
// expanded form: $search starts clean and the single line that copies
// request data into it stands on its own
$search = '';
if (isset($_GET['search']))
{
$search = $_GET['search'];
}
He ALSO said that:
-- quote
"The approach is identical, but one line in particular now
draws much attention:
$search = $_GET['search'];
Without altering the logic in any way, it is now more obvious whether
$search is tainted and under what conditions."
-- un-quote
Now, instead of the OP getting the point the OP flies off on a
tangent asking us "what's the difference in the following code?" and
of course the answer is "There is no difference." BUT, Chris didn't
say there was, as was implied by the OP in his post.
Sure I can understand language problems, but this thread was started
because the OP couldn't understand a simple concept that was stated
in less than ten (10) sentences. Our collective replies amounted to
more lines than that -- with the obvious language problems the OP has
with the written word, who knows what the OP thinks now.
But the point is that Chris did not say there WAS a difference as was
implied by the OP -- and that was my point.
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
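The point Chris makes with structure [2] is that the one line where request data reaches $search is easy to spot, so it is also the natural place to put validation. The following is an added example (not code from Chris Shiflett's book or from anyone in this thread); the whitelist rule and the function names are assumptions made for the illustration.

```php
<?php
// Added example, not from the book or the thread: structure [2] from the post,
// extended so the one visible line that reads the request is also the only
// place where input is checked before it can reach $search.
declare(strict_types=1);

// Whitelist: 1-64 characters of letters, digits, spaces or a few punctuation
// marks. This rule is an assumption chosen for the example.
function isValidSearchTerm(string $value): bool
{
    return preg_match('/^[A-Za-z0-9 .,\-]{1,64}$/', $value) === 1;
}

// Same shape as structure [2]: $search starts out clean (empty string) and is
// overwritten from the request on exactly one line, guarded by the whitelist.
// Tainted data never reaches $search without passing that guard.
function searchTermFromRequest(array $get): string
{
    $search = '';
    if (isset($get['search']) && is_string($get['search'])
        && isValidSearchTerm($get['search'])) {
        $search = $get['search'];   // the only tainted -> clean transition
    }
    return $search;
}

// Constructed sample requests standing in for $_GET.
$requests = [
    ['search' => 'php security'],            // accepted
    ['search' => '<b>bold</b>'],             // rejected: characters outside the whitelist
    ['search' => ['nested' => 'array']],     // rejected: not a string
    [],                                      // no parameter: $search stays ''
];

foreach ($requests as $get) {
    $term = searchTermFromRequest($get);
    printf("%-30s => '%s'\n", json_encode($get['search'] ?? null), $term);
}
```

Run with `php example.php`; only the first request yields a non-empty $search, and every other path leaves it at its clean initial value.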
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php