PHP_SELF requires no processing (i.e. there is no need to do basename())
strcmp is binary-safe, i prefer and recommend using string-safe comparison
functions for strings... here is an example of why:
$value = 0;
if($value=="not zero") {
echo "oopsie, how did this happen, lets see how this works with strcmp
(or === which i would advise)";
if(strcmp($value, "not zero") == 0) {
echo "You wont see this";
} else {
echo "Because strcmp works correctly";
}
}
you can also use the exact comparator ===, as it compares types, it would
work well as well. Infact if you dont need to determing anything about the
string, i would suggest using the === operator as it is significantly
faster:
timed: 0m0.724s
<?php
for($i=0; $i<=10000000; $i++){
if(1 === "submit") {
continue;
}
}
timed: 0m4.785s
<?php
for($i=0; $i<=10000000; $i++){
if(strcmp(1, "submit")==0) {
continue;
}
}
--
The trouble with programmers is that you can never tell what a programmer is
doing until it’s too late. ~Seymour Cray
On Thu, May 19, 2011 at 2:44 PM, Andre Polykanine <andre@xxxxxxxx> wrote:
> Hello Alex,
>
> Two (stupid?) questions:
> 1. Why PHP_SELF is better than SCRIPT_NAME?
> 2. Why strcmp() is better than just comparing?
>
> --
> With best regards from Ukraine,
> Andre
> Skype: Francophile
> My blog: http://oire.org/menelion (mostly in Russian)
> Twitter: http://twitter.com/m_elensule
> Facebook: http://facebook.com/menelion
>
> ------------ Original message ------------
> From: Alex Nikitin <niksoft@xxxxxxxxx>
> To: PHP General
> Date created: , 9:29:35 PM
> Subject: A Review Request
>
>
>
> I will try to respond to the original question.
>
> Note: this is constructive criticism, so i wont do much in terms of
> praising
> the good parts
>
> It works, its very primitive, in some ways its pretty insecure, for example
> it provides no session hijacking protection, it's not written with the
> better of standards in mind, for one if you do store your password in code,
> you shouldn't store your password in clear text, that way if say i was able
> to bypass php execution and dumped that file out, i would still not have a
> useable password, so use a hash. There is no timing out or attempt
> management, for example i can write a 5 line-long brute script that will
> just pound your script with user ids and passwords, you should make it at
> least somewhat difficult for me to do that ;)
>
> Also don't declare a bunch of needless variables for their one-time use,
> don't compare unsanitized strings with a binary unsafe operator, server
> variables contain link to current script, here are examples of what i mean:
>
> -$self = basename($_SERVER['SCRIPT_NAME']);
> +$self = $_SERVER['PHP_SELF'];
>
>
> -$submit = isset($_POST['submit']) ? $_POST['submit'] : null;
> -if($submit == 'Submit')
>
> +if($_POST)
>
>
> -$pw = 'pw'; // define your password here
> -$user_id = isset($_POST['user_id']) ? $_POST['user_id'] : null;
> -$password = isset($_POST['password']) ? $_POST['password'] : null;
> -if (($user_id == $id) AND ($password== $pw))
>
> +$pw='1a91d62f7ca67399625a4368a6ab5d4a3baa6073'; //sha1 hash of the
> password: php -r "echo sha1(\"pw\");"
> +if (@strcmp($id, $_POST['user_id']) == 0 && strcmp($pw,
> sha1($_POST['password'])) == 0)
>
>
>
> -- Alex --
> --
> The trouble with programmers is that you can never tell what a programmer
> is
> doing until it’s too late. ~Seymour Cray
>
>
>
> On Wed, May 18, 2011 at 3:22 PM, tedd <tedd@xxxxxxxxxxxx> wrote:
>
> > Hi gang:
> >
> > I am considering providing PHP code to the general public via my website
> >
> > This is my first attempt:
> >
> > http://sperling.com/php/authorization/
> >
> > What do you people think?
> >
> > Cheers,
> >
> > tedd
> >
> > --
> > -------
> > http://sperling.com/
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
>
