Re: what's the difference in the following code?



On Oct 17, 3:30 pm, eric.but...@xxxxxxxxx ("Eric Butera") wrote:
On Fri, Oct 17, 2008 at 1:58 PM, Lamp Lists <lamp.li...@xxxxxxxxx> wrote:
I'm reading "Essential PHP Security" by Chris Shiflett.

At the very beginning, pages 5 & 6, if I got it correct, he said this is not good:

$search = isset($_GET['search']) ? $_GET['search'] : '';

and this is good:

$search = '';
if (isset($_GET['search']))
{
   $search = $_GET['search'];
}

What's the difference? I really can't see it.
To me it's more the way you like to write your code (and I like the top one :-) )?

thanks.

-ll

In this exact context there's no real difference.  But in the real
world when you need to validate that an input value is a number and has
a minimum of X, a maximum of X, then your ternary shortcut will not
cut it.

I still wouldn't write mine either of those ways.  Look into
ext/filter [1] or Zend validators [2].  I'm of the school where you
shouldn't sanitize a value, but rather validate it and escape it
appropriately based on usage context.  This takes a lot of discipline
& can be dangerous if you forget even one spot.

[1]http://us3.php.net/manual/en/function.filter-input.php
[2]http://framework.zend.com/manual/en/zend.validate.html

From the original post's context this has nothing to do with
validating or input-checking...

both statements have EXACTLY the same functionality and behavior (and
either one would require validation for security for that matter)

So really I have no idea why the author claims ternary statements are
less safe than normal if-statements.

Alex
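A worked PHP example of the point Eric makes above: neither the ternary nor the if-block validates anything, so when a value has to be an integer within a minimum and maximum, ext/filter does the job, and the result is then escaped for the context it is output in. This is an added example, not code from the thread or from Shiflett's book; the function names `validatedPage` and `forHtml`, the `page` parameter, the [1, 500] range and the sample inputs are all constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Return a validated page number from a query array, or null if the value
 * is missing, not an integer, or outside [$min, $max].
 *
 * $query stands in for $_GET so the function can be exercised offline;
 * in a real request you would pass $_GET, or call
 * filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT, $options) directly.
 */
function validatedPage(array $query, int $min = 1, int $max = 500): ?int
{
    if (!isset($query['page'])) {
        return null; // absent is "no value", just like the two snippets in the thread
    }

    $page = filter_var($query['page'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);

    // filter_var returns false for anything that is not an integer in range:
    // "12abc", "", an array sent as page[]=1, or a number below min_range.
    return $page === false ? null : $page;
}

/**
 * Escape a string for the HTML body context only. A different output
 * context (SQL, shell, URL, JavaScript) needs its own escaping; this is the
 * "escape based on usage context" part of Eric's advice.
 */
function forHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs standing in for $_GET.
$samples = [
    ['page' => '7'],      // valid, returns int(7)
    ['page' => '0'],      // below min_range, returns null
    ['page' => '12abc'],  // not an integer, returns null
    ['page' => ['1']],    // array sent as page[]=1, returns null
    [],                   // missing, returns null
];

foreach ($samples as $get) {
    var_dump(validatedPage($get));
}

// The "search" value from the thread: the shortcut only supplies a default,
// so whatever the client sent still has to be escaped for its output context.
$search = isset($samples[0]['search']) ? $samples[0]['search'] : '<b>x</b>'; // constructed fallback value
echo forHtml($search), PHP_EOL;
```

Run it from the command line with `php example.php`. The `page` value is validated once at the boundary and carried as an `int` from then on; the `search` value is a free-form string that cannot be validated in the same way, which is exactly why it must be escaped at every place it is output.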