two questions on serverside validation
in [General]
|
Prev: strtotime()
Next: Odd crash.
From: Marc Guay on 25 Aug 2010 11:06 > function html($text) > { > return htmlentities($text, ENT_QUOTES, 'UTF-8'); > } > > function htmlout($text) > { > return html($text); > } Possibly irrelevant, and definitely not related to your questions, but is it just me or is htmlout() a useless function? Why not just call html() directly?
From: "Jan G.B." on 25 Aug 2010 11:25 2010/8/25 Marc Guay <marc.guay(a)gmail.com>: >> function html($text) >> { >> return htmlentities($text, ENT_QUOTES, 'UTF-8'); >> } >> >> function htmlout($text) >> { >> return html($text); >> } > > Possibly irrelevant, and definitely not related to your questions, but > is it just me or is htmlout() a useless function? Why not just call > html() directly? Why not call htmlentities() directly? :-) Or: why notuse htmlspecialchars() to speed it up. Regards
From: David Mehler on 25 Aug 2010 13:05 Hello, Thanks to all who answered my quotes question. I've got another one. I've got several combo boxes that are sticky, below is an example of one and the function. Now i'd like to tighten it up by ensuring that an external user can't inject values other than value1 or value2 in to the script. This sounds like an array. <select name="box1" id="box1"> <option value="value1" <?php set_selected('box1', 'value1'); ?>>Value1</option> <option value="value2" <?php set_selected('box2', 'value2'); ?>>Value2</option> </select> function set_selected($fieldname, $value) { if ($_POST[$fieldname] == $value) echo 'selected="selected"'; } Thanks. Dave. On 8/25/10, Jan G.B. <ro0ot.w00t(a)googlemail.com> wrote: > 2010/8/25 Marc Guay <marc.guay(a)gmail.com>: >>> function html($text) >>> { >>> return htmlentities($text, ENT_QUOTES, 'UTF-8'); >>> } >>> >>> function htmlout($text) >>> { >>> return html($text); >>> } >> >> Possibly irrelevant, and definitely not related to your questions, but >> is it just me or is htmlout() a useless function? Why not just call >> html() directly? > > Why not call htmlentities() directly? > :-) > Or: why notuse htmlspecialchars() to speed it up. > > Regards >
From: Paul M Foster on 25 Aug 2010 15:09 On Wed, Aug 25, 2010 at 01:05:12PM -0400, David Mehler wrote: > Hello, > Thanks to all who answered my quotes question. I've got another one. > I've got several combo boxes that are sticky, below is an example of > one and the function. Now i'd like to tighten it up by ensuring that > an external user can't inject values other than value1 or value2 in to > the script. This sounds like an array. > > <select name="box1" id="box1"> > <option value="value1" <?php set_selected('box1', 'value1'); ?>>Value1</option> > <option value="value2" <?php set_selected('box2', 'value2'); ?>>Value2</option> > </select> > > function set_selected($fieldname, $value) > { > if ($_POST[$fieldname] == $value) > echo 'selected="selected"'; > } > > Thanks. > Dave. What you've done is fine, but don't believe a user can't inject values here, regardless of what you've done. All they have to do is call the URL that's in the "action" attribute of your form tag, and give it any values they like. If you simply want to control a normal user's choices, the above will do it fine. If you want to prevent hacking, you'll have to sanitize the values once they're received from the form. Paul -- Paul M. Foster
From: tedd on 26 Aug 2010 09:22
At 3:59 PM +0100 8/25/10, Ashley Sheridan wrote: > >2.4 seconds doesn't seem so bad on 10 million iterations, but yes, it >does show that you should avoid it if it's really not necessary. Most >often I'll use that sort of syntax if I do something like this: > >$greeting = "Hello $name, not seen you since $date"; > >which might be slower than: > >$greeting = 'Hello ' . $name . ', not seen you since ' . $date; > >but it is a whole lot neater and still gets syntax highlighting applied >in a decent IDE or editor. > >Thanks, >Ash Agreed. Making things easy for both you and the programmer who follows is more important than cutting a few nanoseconds off compute time. After all, just displaying that information (i.e., echo) will take far more time and even vary more than that between monitors. Cheers, tedd -- ------- http://sperling.com/ |