At 11:00 AM -0400 10/23/08, Chris Shiflett wrote:
> On Oct 17, 2008, at 1:58 PM, Lamp Lists wrote:
>> I'm reading "Essential PHP Security" by Chris Shiflett.
>> At the very beginning, pages 5 and 6, if I got it correct, he said
>> this is not good:
>> $search = isset($_GET['search']) ? $_GET['search'] : '';
>> and this is good:
>> $search = '';
>> if (isset($_GET['search']))
>> {
>>     $search = $_GET['search'];
>> }
>> What's the difference? I really can't see it.
> I believe I was trying to emphasize how simple, obvious code can be
> a boon to security.
That's the way I read what you wrote and your example was fine with me.
The problem here is that the OP simply misunderstood what you were
trying to convey. Because of a language problem, he did not realize
that you were simply showing how a tainted variable could "stand out"
in one set of code while being obscured in another. Instead, he
thought you were saying that one method was secure and the other
wasn't and wanted to have someone explain the difference.
I did my best to convey what I thought you were saying, but all
clarifications led to more confusion.
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)