Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Re: [PHP] two questions on serverside validation

0 views
Skip to first unread message

tedd

unread,
Aug 26, 2010, 9:22:48 AM8/26/10
to a...@ashleysheridan.co.uk, Bostjan Skufca, David Mehler, php-general
At 3:59 PM +0100 8/25/10, Ashley Sheridan wrote:
>
>2.4 seconds doesn't seem so bad on 10 million iterations, but yes, it
>does show that you should avoid it if it's really not necessary. Most
>often I'll use that sort of syntax if I do something like this:
>
>$greeting = "Hello $name, not seen you since $date";
>
>which might be slower than:
>
>$greeting = 'Hello ' . $name . ', not seen you since ' . $date;
>
>but it is a whole lot neater and still gets syntax highlighting applied
>in a decent IDE or editor.
>
>Thanks,
>Ash


Agreed.

Making things easy for both you and the programmer who follows is
more important than cutting a few nanoseconds off compute time. After
all, just displaying that information (i.e., echo) will take far more
time and even vary more than that between monitors.

Cheers,

tedd

--
-------
http://sperling.com/

Jan G.B.

unread,
Aug 27, 2010, 11:53:02 AM8/27/10
to php-g...@lists.php.net
2010/8/27 Jan G.B. <ro0ot...@googlemail.com>:
> But make sure the other code which we don't see
> - does not outpot any _POST / _GET / _REQUEST / _COOKIE variables
> without encoding the contents (f.e. htmlspecialchars), or
> - does not send and user supplied data without scaping the sb-related
> special chars.. (f.e. mysql_real_escape-string).
>
Hell.. Actually I wanted to write "output", "escaping" and
"db-related". Are typo corrections accepted here?! :)

Jan G.B.

unread,
Aug 27, 2010, 11:50:21 AM8/27/10
to Paul M Foster, php-g...@lists.php.net
2010/8/25 Paul M Foster <pa...@quillandmouse.com>:
> On Wed, Aug 25, 2010 at 01:05:12PM -0400, David Mehler wrote:
>
>> Hello,
>> Thanks to all who answered my quotes question. I've got another one.
>> I've got several combo boxes that are sticky, below is an example of
>> one and the function. Now i'd like to tighten it up by ensuring that
>> an external user can't inject values other than value1 or value2 in to
>> the script. This sounds like an array.
>>
>> <select name="box1" id="box1">
>> <option value="value1" <?php set_selected('box1', 'value1'); ?>>Value1</option>
>> <option value="value2" <?php set_selected('box2', 'value2'); ?>>Value2</option>
>> </select>
>>
>> function set_selected($fieldname, $value)
>> {
>>        if ($_POST[$fieldname] == $value)
>>                echo 'selected="selected"';
>> }
>>
>> Thanks.
>> Dave.
>
> What you've done is fine, but don't believe a user can't inject values
> here, regardless of what you've done. All they have to do is call the
> URL that's in the "action" attribute of your form tag, and give it any
> values they like.
>
> If you simply want to control a normal user's choices, the above will do
> it fine. If you want to prevent hacking, you'll have to sanitize the
> values once they're received from the form.
>
> Paul
>
>


Hi Paul, hi David,

I must correct Paul here.. a malicious user might be able to send a
value which is not "value1" or "value2", but this will not have any
impact for this snippet of code.
This snipped of code just set's a checkbox to being checked when the
value is the one expected. That's fine, so far. A classic whitelist.

But make sure the other code which we don't see
- does not outpot any _POST / _GET / _REQUEST / _COOKIE variables
without encoding the contents (f.e. htmlspecialchars), or
- does not send and user supplied data without scaping the sb-related
special chars.. (f.e. mysql_real_escape-string).

Regards,
Jan

0 new messages