From: David Mehler on
Hello,
I've got two questions. I'm having to redo my form. Can you tell me
the difference, if any, between these two lines of code? This is for
output filtering.

<textarea name="description"> <?php echo htmlout("$description"); ?></textarea>
<textarea name="description"><?php echo htmlout($description); ?> </textarea>

One has quotes around the parameter in the function call, the other
does not. Here are the functions:

function html($text)
{
    return htmlentities($text, ENT_QUOTES, 'UTF-8');
}

function htmlout($text)
{
    return html($text);
}

My second question is that I'm wanting to do input filtering to prevent
anything malicious from coming into my form. The eventual goal is to
get this information into a database. Here's an insecure name field;
I'm wanting to secure it against HTML tags, strange text and symbols,
allowing nothing except perhaps period, dash, letters and numbers
(alphanumeric stuff).

$name = $_POST['name'];

<div>
<label for="name">Name*:</label>
<input type="text" name="name" id="name" size="50" value="<?php echo
htmlout($name); ?>" /> <br />
</div>

In my previous form I used a variable declaration like:

$name = trim($_POST['name']);

but I can probably do better; as I said, this is eventually going into
a database.
Thanks.
Dave.
From: Ashley Sheridan on
On Wed, 2010-08-25 at 10:24 -0400, David Mehler wrote:



The two lines of code are essentially identical: the quotes just put the
variable value inside of a string, but if that variable is a string
anyway, there won't be a difference, although the version with quotes
will be slightly slower (we're talking milliseconds here).

As for validation, there are several parts to this. Before any value
goes into the DB you should run something like
mysql_real_escape_string() on it (or an equivalent for other
DBs), as this will prevent SQL injection.

One thing I tend to do is to further validate data to expected values
with regular expressions. For example, a phone number could be validated
against:

/^\+?[\d\- ]+$/

which means: match the whole string for numbers, spaces and hyphens, and
allow an optional + symbol at the start.

There are some things which are hard to regex (like valid email
addresses and domain names) but most form fields tend to expect certain
types of data which you can write simple expressions for.

Thanks,
Ash
http://www.ashleysheridan.co.uk


From: "Bob McConnell" on
From: David Mehler

> I've got two questions. I'm having to redo my form. Can you tell me
> the difference, if any, between these two lines of code? This is for
> output filtering.
>
> <textarea name="description"> <?php echo htmlout("$description"); ?></textarea>
> <textarea name="description"><?php echo htmlout($description); ?> </textarea>
>
> One has quotes around the parameter in the function call, the other
> does not. Here are the functions:
>
> function html($text)
> {
>     return htmlentities($text, ENT_QUOTES, 'UTF-8');
> }
>
> function htmlout($text)
> {
>     return html($text);
> }

The version with quotes will go through a superfluous step of parsing
the string and then doing the substitution. The other will simply do the
substitution.

> My second question is that I'm wanting to do input filtering to prevent
> anything malicious from coming into my form. The eventual goal is to
> get this information into a database. Here's an insecure name field;
> I'm wanting to secure it against HTML tags, strange text and symbols,
> allowing nothing except perhaps period, dash, letters and numbers
> (alphanumeric stuff).
>
> $name = $_POST['name'];
>
> <div>
> <label for="name">Name*:</label>
> <input type="text" name="name" id="name" size="50" value="<?php echo
> htmlout($name); ?>" /> <br />
> </div>
>
> In my previous form I used a variable declaration like:
>
> $name = trim($_POST['name']);
>
> but I can probably do better; as I said, this is eventually going into
> a database.

There are actually two stages to this, sanitization and validation. The
first strips out dangerous characters, tags, etc. The second is to
verify that the content is actually within the acceptable range of
answers for your system, i.e. if you are using English names, there are
no Cyrillic characters in there. In some cases there is also a third
step, which varies depending on where you are using the string. For a
database, there are usually escape functions in the DB library to
prepare it for storage. I frequently use pg_escape_string(). There are
other options for strings being sent to the browser, either as HTML
content or URLs.

You probably should become familiar with the OWASP[1] recommendations as
early as possible. They have a variety of tried and tested functions for
this very purpose. You can use them as is, as models or as frameworks
for your own variations on the theme.

Bob McConnell

[1] <http://www.owasp.org/index.php/Main_Page>
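The pipeline Ashley and Bob describe (validate against an expected pattern, escape for the database, escape again only when echoing into HTML), as an added example that is not code from the thread. It keeps the poster's `html()` helper and Ashley's phone pattern, but swaps in PDO prepared statements for `mysql_real_escape_string()` (my choice) and uses an in-memory SQLite database so it runs offline; the allowlist regex for the name field and the sample submissions are constructed for the example.

```php
<?php
// Added example: validate first, then escape per destination context.
// PDO placeholders replace mysql_real_escape_string(); SQLite in memory stands in for MySQL.

function html(string $text): string
{
    return htmlentities($text, ENT_QUOTES, 'UTF-8');
}

// Allowlist for the name field from the original post: letters, digits, space,
// period and dash, 1-50 characters. Returns null when the input is rejected.
// (Use \p{L} with the /u modifier instead of A-Za-z if non-English names are expected.)
function validateName(string $raw): ?string
{
    $name = trim($raw);
    return preg_match('/^[A-Za-z0-9 .\-]{1,50}$/', $name) === 1 ? $name : null;
}

// Ashley's phone pattern: optional leading +, then digits, spaces and hyphens only.
function validatePhone(string $raw): ?string
{
    $phone = trim($raw);
    return preg_match('/^\+?[\d\- ]+$/', $phone) === 1 ? $phone : null;
}

// Constructed sample submissions standing in for $_POST.
$accepted = validateName("  Ann-Marie Smith  ");   // 'Ann-Marie Smith' (trimmed)
$rejected = validateName('Ann <b>Smith</b>');       // null: '<', '>' and '/' are not allowed
$phone    = validatePhone('+44 20 1234-5678');      // '+44 20 1234-5678'

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (name TEXT NOT NULL, phone TEXT NOT NULL)');

if ($accepted !== null && $phone !== null) {
    // Bound parameters never become part of the SQL text, so no escaping of the
    // value itself is needed here; validation above decided what is acceptable.
    $stmt = $pdo->prepare('INSERT INTO contacts (name, phone) VALUES (:name, :phone)');
    $stmt->execute([':name' => $accepted, ':phone' => $phone]);
}

// HTML context: whatever is redisplayed in the form is escaped at output time,
// so a rejected value is shown back to the user as text, not interpreted as markup.
$redisplay = $rejected ?? 'Ann <b>Smith</b>';
echo '<input type="text" name="name" id="name" size="50" value="'
   . html($redisplay) . '" />', "\n";
echo '<p>', html('Name may only contain letters, digits, space, period and dash.'), "</p>\n";
```

The name input is rejected rather than stripped, which is the distinction Bob draws between validation and sanitization: the stored value is one the application has positively accepted, not a cleaned-up guess at what the user meant.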
From: Bostjan Skufca on
Speed difference is substantial:

### Test 1:
$message1 = "asdf werqwe";
for ($i = 0; $i < 10000000; $i++) {
    $message2 = $message1;
}
### Takes 1,1 seconds (on machine tested)

### Test 2:
$message1 = "asdf werqwe";
for ($i = 0; $i < 10000000; $i++) {
    $message2 = "$message1";
}
### Takes 2,4 seconds (on same machine)

Quotes are not recommended in this case.

b.



On 25 August 2010 16:40, Ashley Sheridan <ash(a)ashleysheridan.co.uk> wrote:
From: Ashley Sheridan on
On Wed, 2010-08-25 at 16:48 +0200, Bostjan Skufca wrote:

2.4 seconds doesn't seem so bad for 10 million iterations, but yes, it
does show that you should avoid it if it's really not necessary. Most
often I'll use that sort of syntax if I do something like this:

$greeting = "Hello $name, not seen you since $date";

which might be slower than:

$greeting = 'Hello ' . $name . ', not seen you since ' . $date;

but it is a whole lot neater and still gets syntax highlighting applied
in a decent IDE or editor.

Thanks,
Ash
http://www.ashleysheridan.co.uk

