Speed difference is substantial:

### Test 1:
$message1 = "asdf werqwe";
for ($i=0; $i<10000000; $i++) {
    $message2 = $message1;
}
### Takes 1,1 seconds (on machine tested)

### Test 2:
$message1 = "asdf werqwe";
for ($i=0; $i<10000000; $i++) {
    $message2 = "$message1";
}
### Takes 2,4 seconds (on same machine)

Quotes are not recommended in this case.

b.

On 25 August 2010 16:40, Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Wed, 2010-08-25 at 10:24 -0400, David Mehler wrote:
> > Hello,
> > I've got two questions. I'm having to redo my form. Can you tell me
> > the difference, if any, between these two lines of code? This is for
> > output filtering.
> >
> > <textarea name="description"><?php echo htmlout("$description"); ?></textarea>
> > <textarea name="description"><?php echo htmlout($description); ?></textarea>
> >
> > One has the quotes around the parameter in the function call, the other
> > does not. Here are the functions:
> >
> > function html($text)
> > {
> >     return htmlentities($text, ENT_QUOTES, 'UTF-8');
> > }
> >
> > function htmlout($text)
> > {
> >     return html($text);
> > }
> >
> > My second question is I'm wanting to do input filtering to prevent
> > anything malicious from coming in to my form. The eventual goal is to
> > get this information in to a database. Here's an insecure name field;
> > I'm wanting to secure it against html tags, strange text, no symbols
> > except perhaps period, dash, letters, numbers, alphanumeric stuff.
> >
> > $name = $_POST['name'];
> >
> > <div>
> > <label for="name">Name*:</label>
> > <input type="text" name="name" id="name" size="50" value="<?php echo htmlout($name); ?>" /> <br />
> > </div>
> >
> > In my previous form I used a variable declaration like:
> >
> > $name = trim($_POST['name']);
> >
> > but I can probably do better; as I said, this is eventually going in to
> > a database.
> > Thanks.
> > Dave.
>
> The two lines of code are essentially identical, the quotes just put the
> variable value inside of a string, but if that variable is a string
> anyway, there won't be a difference, although with quotes will be
> slightly slower (we're talking milliseconds here)
>
> As for validation, there are several parts to this. Before any value
> goes into the DB you should run something like
> mysql_real_escape_string() on it (or an alternative equivalent for other
> DBs) as this will prevent SQL injection.
>
> One thing I tend to do is to further validate data to expected values
> with regular expressions. For example, a phone number could be validated
> against:
>
> /^\+?[\d\- ]+$/
>
> which means match the whole string for numbers, spaces and hyphens, and
> allow an optional + symbol at the start
>
> There are some things which are hard to regex (like valid email
> addresses and domain names) but most form fields tend to expect certain
> types of data which you can write simple expressions for.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
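The pieces discussed in this thread (a whitelist check for the name field, Ashley's phone expression, and the html() encoder) put together in one script, as an added example that is not code from either poster. It assumes names are 1 to 50 characters of letters, digits, spaces, periods and dashes, and it uses a PDO prepared statement for the database step in place of mysql_real_escape_string(), which no longer exists in PHP 7.

```php
<?php
// Added example, not from the thread. Assumes a name field limited to
// letters, digits, spaces, periods and dashes (1 to 50 characters).

function html(string $text): string
{
    // Same call as in the thread: ENT_QUOTES encodes ' and " too, so the
    // value is safe inside value="..." attributes as well as element content.
    return htmlentities($text, ENT_QUOTES, 'UTF-8');
}

function valid_name(string $name): bool
{
    $name = trim($name);
    // Anchored whitelist: anything outside the allowed set fails, so tags,
    // quotes and control characters are rejected before the value is used.
    // \z rather than $ so a trailing newline is not silently accepted.
    return preg_match('/^[A-Za-z0-9 .\-]{1,50}\z/', $name) === 1;
}

function valid_phone(string $phone): bool
{
    // Ashley's expression from the reply: optional leading +, then digits,
    // spaces and hyphens only, matched over the whole string.
    return preg_match('/^\+?[\d\- ]+$/', $phone) === 1;
}

function store_name(PDO $pdo, string $name): void
{
    // Bound parameter instead of string escaping: the driver keeps the value
    // separate from the SQL text. Table and column names are assumptions.
    $stmt = $pdo->prepare('INSERT INTO contacts (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

// Constructed sample inputs, as a form might submit them.
$samples = [
    'Jane Q. Public-Smith',
    '<script>alert(1)</script>',
    "O'Brien",
    '+44 20 7946-0000',
];
foreach ($samples as $s) {
    printf("%-28s name:%-6s phone:%-6s html:%s\n", $s,
        valid_name($s) ? 'ok' : 'reject',
        valid_phone($s) ? 'ok' : 'reject',
        html($s));
}
```

The "O'Brien" sample shows the trade-off of a strict whitelist: it rejects a legitimate name, so the allowed character set is a design decision for the form, while output encoding and bound parameters protect the page and the database whatever set is chosen.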