Prev: strtotime()
Next: Odd crash.
From: Marc Guay on
> function html($text)
> {
>        return htmlentities($text, ENT_QUOTES, 'UTF-8');
> }
>
> function htmlout($text)
> {
>        return html($text);
> }

Possibly irrelevant, and definitely not related to your questions, but
is it just me or is htmlout() a useless function? Why not just call
html() directly?
From: "Jan G.B." on
2010/8/25 Marc Guay <marc.guay(a)gmail.com>:
>> function html($text)
>> {
>>        return htmlentities($text, ENT_QUOTES, 'UTF-8');
>> }
>>
>> function htmlout($text)
>> {
>>        return html($text);
>> }
>
> Possibly irrelevant, and definitely not related to your questions, but
> is it just me or is htmlout() a useless function?  Why not just call
> html() directly?

Why not call htmlentities() directly?
:-)
Or: why not use htmlspecialchars() to speed it up.

Regards
From: David Mehler on
Hello,
Thanks to all who answered my quotes question. I've got another one.
I've got several combo boxes that are sticky, below is an example of
one and the function. Now I'd like to tighten it up by ensuring that
an external user can't inject values other than value1 or value2 into
the script. This sounds like an array.

<select name="box1" id="box1">
<option value="value1" <?php set_selected('box1', 'value1'); ?>>Value1</option>
<option value="value2" <?php set_selected('box1', 'value2'); ?>>Value2</option>
</select>

function set_selected($fieldname, $value)
{
    // isset() avoids an "undefined index" notice on the first (GET) load,
    // and === avoids loose-comparison surprises with the submitted string
    if (isset($_POST[$fieldname]) && $_POST[$fieldname] === $value)
        echo 'selected="selected"';
}

Thanks.
Dave.


On 8/25/10, Jan G.B. <ro0ot.w00t(a)googlemail.com> wrote:
> 2010/8/25 Marc Guay <marc.guay(a)gmail.com>:
>>> function html($text)
>>> {
>>>        return htmlentities($text, ENT_QUOTES, 'UTF-8');
>>> }
>>>
>>> function htmlout($text)
>>> {
>>>        return html($text);
>>> }
>>
>> Possibly irrelevant, and definitely not related to your questions, but
>> is it just me or is htmlout() a useless function?  Why not just call
>> html() directly?
>
> Why not call htmlentities() directly?
> :-)
> Or: why not use htmlspecialchars() to speed it up.
>
> Regards
>
From: Paul M Foster on
On Wed, Aug 25, 2010 at 01:05:12PM -0400, David Mehler wrote:

> Hello,
> Thanks to all who answered my quotes question. I've got another one.
> I've got several combo boxes that are sticky, below is an example of
> one and the function. Now I'd like to tighten it up by ensuring that
> an external user can't inject values other than value1 or value2 into
> the script. This sounds like an array.
>
> <select name="box1" id="box1">
> <option value="value1" <?php set_selected('box1', 'value1'); ?>>Value1</option>
> <option value="value2" <?php set_selected('box2', 'value2'); ?>>Value2</option>
> </select>
>
> function set_selected($fieldname, $value)
> {
> if ($_POST[$fieldname] == $value)
> echo 'selected="selected"';
> }
>
> Thanks.
> Dave.

What you've done is fine, but don't believe a user can't inject values
here, regardless of what you've done. All they have to do is call the
URL that's in the "action" attribute of your form tag, and give it any
values they like.

If you simply want to control a normal user's choices, the above will do
it fine. If you want to prevent hacking, you'll have to sanitize the
values once they're received from the form.

Paul

--
Paul M. Foster
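The whitelist approach Dave is asking about, combined with Paul's point that the check has to happen on the server after the POST arrives, looks like this. This is an added example, not code from anyone in the thread; it reuses the field and option names from Dave's post (box1, value1, value2), assumes PHP 7.4 or later, and uses htmlspecialchars() for output as Jan suggested:

```php
<?php
// Added example (not from the thread): whitelist validation for a sticky
// <select>. The allowed list is the single source of truth, so the same
// array drives validation, the default, and the rendered options.
$allowed = [
    'box1' => ['value1', 'value2'],
];

/**
 * Return the submitted value for $fieldname only if it is on the allowed
 * list; otherwise return the first allowed value. Raw input never leaks out.
 */
function clean_choice(array $post, string $fieldname, array $allowed): string
{
    $options   = $allowed[$fieldname];
    $submitted = $post[$fieldname] ?? null;
    // is_string() rejects arrays (box1[]=... in the POST body); the strict
    // in_array() flag prevents type-juggling matches.
    if (is_string($submitted) && in_array($submitted, $options, true)) {
        return $submitted;
    }
    return $options[0];
}

/**
 * Render the whole <select> from the allowed list, marking $chosen as
 * selected. Every attribute and label is escaped on the way out.
 */
function render_select(string $fieldname, array $allowed, string $chosen): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');

    $html = '<select name="' . $h($fieldname) . '" id="' . $h($fieldname) . '">' . "\n";
    foreach ($allowed[$fieldname] as $value) {
        $selected = ($value === $chosen) ? ' selected="selected"' : '';
        $html .= '<option value="' . $h($value) . '"' . $selected . '>'
               . $h(ucfirst($value)) . "</option>\n";
    }
    return $html . "</select>\n";
}

// Constructed POST bodies for demonstration (in real use, pass $_POST).
// 1. A value that is not on the list falls back to the default, value1.
$bogus = ['box1' => 'value3'];
echo render_select('box1', $allowed, clean_choice($bogus, 'box1', $allowed));

// 2. A legitimate submission is echoed back as the selected option.
$good = ['box1' => 'value2'];
echo render_select('box1', $allowed, clean_choice($good, 'box1', $allowed));
```

Because render_select() only ever emits values taken from $allowed, nothing the client sent reaches the page even when the check fails; the fallback to a known value also means the form behaves sensibly on the first GET, before anything has been posted.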
From: tedd on
At 3:59 PM +0100 8/25/10, Ashley Sheridan wrote:
>
>2.4 seconds doesn't seem so bad on 10 million iterations, but yes, it
>does show that you should avoid it if it's really not necessary. Most
>often I'll use that sort of syntax if I do something like this:
>
>$greeting = "Hello $name, not seen you since $date";
>
>which might be slower than:
>
>$greeting = 'Hello ' . $name . ', not seen you since ' . $date;
>
>but it is a whole lot neater and still gets syntax highlighting applied
>in a decent IDE or editor.
>
>Thanks,
>Ash


Agreed.

Making things easy for both you and the programmer who follows is
more important than cutting a few nanoseconds off compute time. After
all, just displaying that information (i.e., echo) will take far more
time and even vary more than that between monitors.

Cheers,

tedd

--
-------
http://sperling.com/