Re: isset question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 2009-06-20 at 00:19 -0400, Paul M Foster wrote:
> On Fri, Jun 19, 2009 at 07:52:40PM +0100, Ashley Sheridan wrote:
> 
> > On Fri, 2009-06-19 at 12:36 +0100, Ford, Mike wrote:
> > > On 18 June 2009 20:25, LAMP advised:
> > >
> > > > using !empty() instead isset() will work if you don't care for PHP
> > > > Notice: Undefined variable... If you want to avoid PHP Notice
> > > > you have
> > > > to use both:
> > > >
> > > > $msg.=  (isset($_POST['mort']) and !empty($_POST['mort'])) ? "The
> > > > mortgage amount is  $mort\n" : " ";
> > >
> > > Absolute rubbish -- as it says at http://php.net/empty, "empty($var) is
> > > the opposite of (boolean)$var, except that no warning is generated when
> > > the variable is not set." -- so "protecting" empty() with an isset() is
> > > a total waste of time, space and cpu cycles.
> 
> <snip>
> 
> > >
> > To be honest, you're still opening yourself up to attack that way. 
> 
> Why and how?
> 
> Paul
> 
> -- 
> Paul M. Foster
> 
I've only done a little reading on this, but you're opening yourself up
to a XSS attack. If someone posted '<script>//malicious code
here</script>' to your PHP script, you'd essentially be printing that
right back out onto your page.

Thanks
Ash
www.ashleysheridan.co.uk


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux