----- Original Message ----
From: tedd <tedd.sperling@xxxxxxxxx>
To: php-general@xxxxxxxxxxxxx
Sent: Monday, October 20, 2008 4:15:02 PM
Subject: Re: what's the difference in the following code?

At 10:12 AM -0400 10/20/08, Daniel Brown wrote:
>On Mon, Oct 20, 2008 at 10:02 AM, tedd <tedd.sperling@xxxxxxxxx> wrote:
>>
>> I hate it when people take things out of context and misquote others. Chris
>> did not say that one way was better, or different, than the other. But
>> rather he used two sets of code to illustrate a point.
>
> Welcome back, Grum-pa. Glad to see you're willing to flame people
>whose first language is not English. ;-P

If he wanted my advice in a different language, then he should have asked his question in that language. That way I could have ignored him in mine.

Besides, I'm not flaming in his language, so that should balance out.

In this case, the introduction chapter of Chris' PHP Security clearly states several things one can do to simplify the task of security. One of which is to understand that the way you code can hide tainted variables.

Chris illustrated his "tainted" point by asking the reader to compare these two structures:

[1] $search = isset($_GET['search']) ? $_GET['search'] : '';

[2] $search = '';

    if (isset($_GET['search'])) {
        $search = $_GET['search'];
    }

He ALSO said that:

-- quote

"The approach is identical, but one line in particular now draws much attention:

    $search = $_GET['search'];

Without altering the logic in any way, it is now more obvious whether $search is tainted and under what conditions."

-- un-quote

Now, instead of the OP getting the point the OP flies off on a tangent asking us "what's the difference in the following code?" and of course the answer is "There is no difference." BUT, Chris didn't say there was, as was implied by the OP in his post.
Sure I can understand language problems, but this thread was started because the OP couldn't understand a simple concept that was stated in less than ten (10) sentences. Our collective replies amounted to more lines than that -- with the obvious language problems the OP has with the written word, who knows what the OP thinks now.

But the point is that Chris did not say there WAS a difference as was implied by the OP -- and that was my point.

some people just CAN'T understand there are some barriers in languages that could cause misunderstanding.

true, I didn't understand Chris' statement correctly and now, after tedd's explanation, it is clear to me. and I thank him.

though, "I hate it" (as somebody said) when I always regret to post a question and ask for help because of those arrogant "php masters".

if you didn't understand, and most likely you didn't, I asked because I had a problem and asked for help. not to be smart or flame something. I didn't understand. But you don't KNOW how to answer to people without "killing" them or at least slap them.

and using some "local" shortcuts (OP ?!?) could be rather annoying?

-ll

Cheers,

tedd

--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
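
The "tainted" point discussed in this thread, carried one step further as an added example (not code from the thread or from the book it quotes): once the assignment from the request stands on its own line as in structure [2], the filtering step and the output escaping can be placed right after it. The names filter_search(), $clean and $html, the allow-list policy, and the sample requests are assumptions made for illustration.

```php
<?php
// Added example. filter_search(), $clean, $html and the allow-list policy
// are assumptions for illustration; the sample requests are constructed.

function filter_search(array $request): string
{
    // Tainted: the value comes straight from the client. It gets its own
    // statement, as in structure [2], so the taint source stands out.
    $search = '';
    if (isset($request['search'])) {
        $search = $request['search'];
    }

    // ?search[]=x arrives as an array, not a string: reject it.
    if (!is_string($search)) {
        return '';
    }

    // Allow-list: letters, digits and spaces, 1 to 64 characters.
    if (preg_match('/\A[A-Za-z0-9 ]{1,64}\z/', $search) !== 1) {
        return '';
    }

    return $search;
}

// Constructed stand-ins for $_GET.
$samples = array(
    array('search' => 'stone circles'),
    array('search' => '<b>bold</b>'),
    array('search' => array('x')),
    array(),
);

foreach ($samples as $request) {
    // Only filtered data is stored under $clean.
    $clean = array('search' => filter_search($request));

    // Escape for the HTML context at the point of output.
    $html = array(
        'search' => htmlspecialchars($clean['search'], ENT_QUOTES, 'UTF-8'),
    );

    echo 'Results for: "', $html['search'], '"', PHP_EOL;
}
```

Only the first sample passes the allow-list; the markup, the array value and the missing key all fall back to the empty string before anything reaches the output.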