At 2:29 PM -0400 5/19/11, Alex Nikitin wrote:
Also don't declare a bunch of needless variables for their one-time use,
don't compare unsanitized strings with a binary unsafe operator, server
variables contain a link to the current script; here are examples of what I mean:
I object.
First of all 'needless' is in the eye of the beholder. I've seen
tons of 'needless' comments about how programmers waste precious
space by declaring needless variables because they can do things more
cryptic. I've also heard in the past how programmers should be
cryptic and even shorten their variable names, not use indenting, and
do all sorts of other nonsense to save space and make their code run
quicker.
However, they forget a couple of important considerations.
1. Code running tomorrow will run faster and cost less to store than
today. That's a fact and while we can argue, the argument becomes
less important as time passes. If I don't win this argument today, I
will win it tomorrow.
2. I also claim that if I can make my code more readable and easier
to maintain by adding a 'needless' variable now and then, then it's
well worth the cost. And as I said before, that cost is reducing
every day, while maintaining readable code is becoming more
important. So again, I'll eventually win this argument.
So, whenever you feel in the mood, create another 'needless variable'
because they need love too!
-$self = basename($_SERVER['SCRIPT_NAME']);
+$self = $_SERVER['PHP_SELF'];
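Review bot: `$_SERVER['PHP_SELF']` on the `+` line is not a drop-in replacement for `basename($_SERVER['SCRIPT_NAME'])` on the `-` line: it yields the script's URL path rather than its file name, and that path can carry client-supplied PATH_INFO, so a value taken from it must be passed through `htmlspecialchars()` before it is echoed into a form action or any other HTML. If only the script name is wanted, the original `basename()` form is the one to keep.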
They return different things. I want the name of the script.
----------
-$submit = isset($_POST['submit']) ? $_POST['submit'] : null;
-if($submit == 'Submit')
+if($_POST)
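Review bot: `if($_POST)` on the `+` line only tests that the POST array is non-empty and drops the check that the `submit` field carried the value `Submit`, so any POST body now enters the block. Keeping the field test with a strict comparison, `if (isset($_POST['submit']) && $_POST['submit'] === 'Submit')`, preserves the intent of the two removed lines without the loose `==`.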
if($_POST) what?
I'm cleaning the POST variable. If the user has not clicked
"Submit", then I don't want to evaluate the POST. Sure, there are
ways to forge and pass a POST variable, but this is one step in
cleaning a superglobal.
---------
-$pw = 'pw'; // define your password here
-$user_id = isset($_POST['user_id']) ? $_POST['user_id'] : null;
-$password = isset($_POST['password']) ? $_POST['password'] : null;
-if (($user_id == $id) AND ($password== $pw))
+$pw='1a91d62f7ca67399625a4368a6ab5d4a3baa6073'; //sha1 hash of the
password: php -r "echo sha1(\"pw\");"
+if (@strcmp($id, $_POST['user_id']) == 0 && strcmp($pw,
sha1($_POST['password'])) == 0)
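Review bot: the `@strcmp(...) == 0` comparisons on the `+if` line are not safe as written: `strcmp()` returns NULL (with a warning) when it is handed a non-string such as an array, and `NULL == 0` is true, so the `@` silences the only indication that the comparison never happened. Compare with `=== 0`, and reject non-string input (`is_string($_POST['user_id'])`) before calling `strcmp()`; for the password check, `hash_equals()` on current PHP gives a constant-time comparison. Separately, the constant on the `+$pw` line is an unsalted SHA-1 of a short password, which is cheap to recover by guessing if the source is ever exposed; a salted, slow hash (`crypt()` with a Blowfish salt, or `password_hash()` / `password_verify()` on current PHP) is the better fit for a demo the author expects novices to copy.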
Sure.
Here's the problem -- where's the novice going to get the hash for
the password?
I don't want to force the novice into another step in this demo.
Besides, the only way that an evil doer can see the code in text is
*if* there is a problem with the server -- isn't that right? If
that's the case, then there's more problems here than what the user
could have planned for.
However, if there is another way, please explain.
Cheers,
tedd
--
-------
http://sperling.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php