questions about comparisons in the PHP code base (Technics)

by danielb987, Monday, February 05, 2018, 18:02 (107 days ago) @ Auge

Hello

Please bear in mind that the use of $_REQUEST is not the normal behaviour, even if it is present in several places. In most places the checks are performed explicitly against $_GET or $_POST (or whatever else) to ensure the source of the variables. IMHO this has better readability than $_REQUEST, but also better readability than a function (without a parameter to specify the way of the incoming data), because in the code I can see the designated source of the data.

$foo = (!empty($_GET['bar'])) ? trim($_GET['bar']) : NULL; // ahhh, an URL-parameter

Tschö, Auge

Yes, I agree that $_GET is preferred over $_REQUEST. But my point is that you may end up with code like the one below:

$page = (!empty($_GET['page'])) ? trim($_GET['page']) : 0; // ahhh, an URL-parameter

And that the code later assumes that $page is an integer and therefore does not quote it correctly in an SQL query, which may open up the forum to SQL injection.

Example:

$query = 'SELECT .... FROM ... WHERE page='.$page.' AND ... ';

By using a function, you force the parameter $page to be an integer and thereby protect against SQL injection.

Kind regards,
Daniel
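The typed-getter approach Daniel describes, as an added example that is not code from the forum or its code base: a hypothetical get_int_param() reads from an explicitly named source array (so the data origin stays visible, as Auge wants), rejects anything that is not a well-formed integer, and the query still binds the value instead of concatenating it. The entries table and the three request arrays are constructed for the example; the in-memory SQLite database lets it run offline.

```php
<?php
declare(strict_types=1);

// Read an integer parameter from an explicit source array ($_GET, $_POST, ...).
// Returns $default when the key is missing or the value is not a well-formed integer,
// so callers can never receive a string such as "7 OR 1=1" where they expect an int.
function get_int_param(array $source, string $key, ?int $default = null): ?int
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return $default;
    }
    $value = filter_var(trim($source[$key]), FILTER_VALIDATE_INT);
    return $value === false ? $default : $value;
}

// Constructed inputs standing in for $_GET in three separate requests.
$requests = [
    ['page' => '7'],          // normal URL parameter
    ['page' => '7 OR 1=1'],   // not an integer: rejected, falls back to the default
    [],                       // parameter absent
];

// Constructed in-memory SQLite database with a minimal table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, page INTEGER, subject TEXT)');
$pdo->exec("INSERT INTO entries (page, subject) VALUES (7, 'seven'), (8, 'eight')");

foreach ($requests as $get) {
    $page = get_int_param($get, 'page', 0);

    // Even with a validated int, bind the value rather than concatenating it:
    // the typed getter and the prepared statement are two independent layers.
    $stmt = $pdo->prepare('SELECT subject FROM entries WHERE page = :page');
    $stmt->bindValue(':page', $page, PDO::PARAM_INT);
    $stmt->execute();
    $subjects = $stmt->fetchAll(PDO::FETCH_COLUMN);

    printf("page=%s -> %d row(s)\n", var_export($page, true), count($subjects));
}
```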

