
  1. #1
    SitePoint Zealot (Join Date Jan 2010, Posts 153)

    code layout and variable questions

    Hello.

    I have a quick question regarding php code layout and also variables.

    Does it make any difference whatsoever if I choose to lay out my code in sections like this? Note that this is just some example random code.

    PHP Code:
    <?php
    session_start();
    if (isset($_SESSION['username'])) {
        $username = htmlspecialchars($_SESSION['username']);
    }
    ?>
    <?php
    require_once $_SERVER['DOCUMENT_ROOT'] . '/includes/connection.php';
    // some code here etc
    ?>
    <?php
    echo '$username';
    ?>
    Do the php tags after the first set make no difference at all, and are purely an aesthetic choice to clump together certain parts of the code if I chose to do so?

    Would the connection.php still be 'set' in the later php tag sets or would I have to call it for each? Somehow, I doubt that.

    Also, regarding variables. If I use, like in the above example, htmlspecialchars on the $username variable.. whenever I use the $username variable later in my code, I can just use it as $username, and not have to 're-do' htmlspecialchars, correct? Once it is set, it is set until I change it in that particular page. Even if it were done like this:

    PHP Code:
    <?php
    session_start();
    if (isset($_SESSION['username'])) {
        $username = htmlspecialchars($_SESSION['username']);
    }
    ?>
    <?php
    include 'hiuser.php';
    ?>
    <?php
    // this is hiuser.php
    echo '$username';
    ?>
    Thank you for your input, php masters of sitepoint.

  2. #2
    SitePoint Zealot Cute Tink (Join Date Apr 2009, Posts 152)
    My amateur opinion on your questions:

    1. Do the php tags after the first set make no difference at all, and are purely an aesthetic choice to clump together certain parts of the code if I chose to do so?

    You can do that, but there might be some efficiency issues from doing that. I never open and close like that. If you want to separate your code sections, perhaps includes would be a better choice, but that might have efficiency issues as well. Typically I separate sections with white space, i.e.:

    PHP Code:
    <?php

    session_start();

    if (isset($_SESSION['username'])) {

        $username = htmlspecialchars($_SESSION['username']);

    }

    require_once $_SERVER['DOCUMENT_ROOT'] . '/includes/connection.php';

    // some code here etc

    echo $username;

    ?>
    Also note, as a general readability practice, when you have a block of code inside something like an if or while statement, you should indent a few characters to help identify what part of the code is inside that if or while statement.

    2. Would the connection.php still be 'set' in the later php tag sets or would I have to call it for each? Somehow, I doubt that.

    It would still be set. Closing the php tags doesn't destroy any variables or connections.

    3. If I use, like in the above example, htmlspecialchars on the $username variable.. whenever I use the $username variable later in my code, I can just use it as $username, and not have to 're-do' htmlspecialchars, correct?

    That much is true. However, you should know that php doesn't parse variables within single quotes. If you want, for some reason, to enclose your variables within quotes, use double quotes. If you prefer single quotes to enclose output, then you need to break them for variables, i.e.:

    Works:
    echo 'Hello there ' . $username;
    echo "Hello there $username";

    Doesn't work:

    echo 'Hello there $username';

  3. #3
    SitePoint Zealot Cute Tink (Join Date Apr 2009, Posts 152)
    For some reason, I cannot edit. I seem to be wrong about efficiency. It doesn't seem to impact the speed of the script to open and close php. However, it may make it harder to read or find a missing closing brace.

  4. #4
    SitePoint Wizard Cups (Join Date Oct 2006, Location France, deep rural, Posts 6,869)
    The usual reason to use multiple blocks is to permit the use of html between them. Trivial example:
    PHP Code:
    <?php
    session_start();
    if (isset($_SESSION['username'])) {
        $username = htmlspecialchars($_SESSION['username']);
    }
    ?>
    <html>
    <head>
    <?php
    require_once $_SERVER['DOCUMENT_ROOT'] . '/includes/connection.php';
    // some code here etc
    ?>
    </head>
    <body>
    <?php
    echo '$username';
    ?>
    </body>
    </html>
    Your question about escaping a variable is a harder one to explain though.

    htmlspecialchars() is a means of 'escaping' (protecting) a variable destined for display in and amongst html on a webpage.

    mysql_real_escape_string() or using PDO/Mysqli prepared statements is a means of escaping a variable destined for storage in a mysql database.

    If you take the following programme flow:

    a) get a variable from a user
    b) display it to the user in a webpage
    c) store it in a database

    If you escape it at a) and then re-escape it AGAIN at c) you will end up with data in your database which will not match your expectations and can be the cause of very subtle bugs.

    Moving away from the trivial example, let's say you are looking at a variable on a 200 line script which you have not worked on for a few months now.
    PHP Code:
    $username 
    Now ask yourself, has that already been escaped?

    If you insist upon pre-escaping variables maybe in an effort to save time, then at least name them:
    PHP Code:
    $escaped_username 
    Eugh!

    So my answer is no, don't do that as a knee-jerk reaction, it will cause you problems later down the road. Generally escape data as you display it so that your code is implicit.

    If you are reading from a database, and you know that all the variables are to be output onto a page, then yes, consider doing it.

  5. #5
    SitePoint Zealot (Join Date Jan 2010, Posts 153)
    Ok thank you Cute-Tink and Cups. That really clears things up for me.

    Cups, I will not pre-escape variables like that from now on. What you said makes far more sense to me, but I have one question regarding your theoretical situation of:

    Quote Originally Posted by Cups View Post
    a) get a variable from a user
    b) display it to the user in a webpage
    c) store it in a database

    If you escape it at a) and then re-escape it AGAIN at c) you will end up with data in your database which will not match your expectations and can be the cause of very subtle bugs.
    I think I understand this, but let me come up with a slightly more detailed example to make sure that I do understand, and/or get some further tips.

    Let's say I have a form that will insert some data into the database. I have dumbed my example code down to shorten my example.

    PHP Code:
    <?php
    session_start();
    if (isset($_SESSION['username'])) {
        $username = $_SESSION['username']; // A
    }
    if (isset($_POST['form_submit'])) {
        $username = mysqli_real_escape_string($link, $username); // C
        "INSERT INTO database WHERE username = '$username'";
    }
    ?>
    <HTML begins>
    <?php
    echo "Welcome htmlspecialchars($username)"; // B
    ?>
    <html form goes here with 'form_submit' button>
    </HTML ends>
    Sorry about the purposely dumb code, but the point of it is so that I can understand your ABC example. Would my example cause problems:

    I am not escaping at 'A', but am escaping with htmlspecialchars at 'B' when I display the username in a welcome message, and then escaping at 'C' with mysqli_real_escape_string if/when the user submits the form.

  6. #6
    SitePoint Wizard Cups (Join Date Oct 2006, Location France, deep rural, Posts 6,869)
    You nearly got it right mate.
    PHP Code:
    if (isset($_POST['form_submit'])) {
        // if you are using mysqli - but then again you should
        // ideally be using prepared statements which do the escaping
        // for you automatically
        "INSERT INTO database (username) values ( '" . mysqli_real_escape_string($username) . "')"; // C
    }

    Also, bear in mind this scenario:
    PHP Code:
    <?php

    // you fetch something from your mysql table
    // but you are not sure where it came from, all
    // you know (trust) is that you did escape it ready
    // for storing as mysql data

    // "select username from mydatabase WHERE id= 1";
    // mysql_fetch_array etc

    ?>
    <HTML begins>
    <?php
    echo "Welcome " . htmlspecialchars($row[0]['username']) . "."; // B
    ?>
    </HTML ends>
    Filter Input Escape Output is the rule (FIEO).

    You may have protected mysql from sql injection attacks when you saved the data, but now you need to protect users of your html from XSS attacks as you display it. (protect = escape).

    I wish I'd been bright enough to ask questions such as this when starting out.
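    The a/b/c flow and the FIEO rule from the two posts above, as an added example that is not from this thread or any of its posters: input is validated once, the raw value is kept, and each sink (HTML, SQL) gets its own escaping at the point of use. The first half shows what ends up in the database when the value is pre-escaped with htmlspecialchars and then stored; the second half does it per sink. It assumes PDO with the SQLite driver is available; the `users` table, its columns and the helper function names are made up for the demo.

```php
<?php
// Added example (not from the thread): Filter Input, Escape Output (FIEO),
// with the double-escaping pitfall described in the thread.
// Assumes PDO with the sqlite driver; table `users` / column `username` are
// made up for this demo and run in an in-memory database.
declare(strict_types=1);

// Filter on input: check the shape of the value, do not transform it.
// Returns null when the value is rejected.
function filterUsername(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || strlen($name) > 64) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $name)) {   // no control characters
        return null;
    }
    return $name;
}

// Escape for the HTML sink, at the moment of output and nowhere else.
function renderWelcome(string $username): string
{
    return 'Welcome ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '.';
}

// Escape for the SQL sink: the prepared statement's placeholder does the quoting,
// so the value is stored exactly as the user typed it.
function storeUsername(PDO $pdo, string $username): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username) VALUES (?)');
    $stmt->execute([$username]);
}

function firstStoredUsername(PDO $pdo): string
{
    return (string) $pdo->query('SELECT username FROM users LIMIT 1')->fetchColumn();
}

// A lookup by the value the user actually typed; shows whether stored data still matches.
function countByUsername(PDO $pdo, string $username): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return (int) $stmt->fetchColumn();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');

// Constructed input, as it might arrive in $_POST or $_SESSION.
$username = filterUsername("  O'Brien <b>& Sons</b> ");
if ($username === null) {
    exit("rejected\n");
}

// Wrong: escape at step a) and carry the escaped value through to step c).
$escaped = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
storeUsername($pdo, $escaped);
echo 'stored (wrong): ', firstStoredUsername($pdo), "\n";   // HTML entities now live in the database
echo 'shown (wrong):  ', renderWelcome(firstStoredUsername($pdo)), "\n";   // escaped a second time on output
echo 'matches typed name: ', countByUsername($pdo, $username), "\n";      // the typed name no longer matches

// Right: keep the filtered value as-is and escape at each sink.
$pdo->exec('DELETE FROM users');
storeUsername($pdo, $username);
echo 'stored (right): ', firstStoredUsername($pdo), "\n";   // exactly what the user typed
echo 'shown (right):  ', renderWelcome(firstStoredUsername($pdo)), "\n";   // escaped once, for HTML
echo 'matches typed name: ', countByUsername($pdo, $username), "\n";      // lookup by typed name works
```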

  7. #7
    SitePoint Zealot (Join Date Jan 2010, Posts 153)
    So:
    PHP Code:
    <?php
    session_start();
    if (isset($_SESSION['username'])) {
        $username = $_SESSION['username'];
    }
    if (isset($_POST['form_submit'])) {
        "INSERT INTO database (one, two, three) values ('one', 'two', 'three') WHERE username = ( '" . mysqli_real_escape_string($username) . "')";
    }
    ?>
    <HTML begins>
    <?php
    echo "Welcome htmlspecialchars($username)";
    ?>
    <html form goes here with 'form_submit' button>
    </HTML ends>
    Would be right for the first example?

    But if I was also inserting other data generated by the form only (had not been previously set or escaped), it would be ok to do this?

    PHP Code:
    $variable1 = mysqli_real_escape_string($link, $variable);
    $variable2 = mysqli_real_escape_string($link, $variable);
    $variable3 = mysqli_real_escape_string($link, $variable);
    "INSERT INTO database (one, two, three) values ('$variable1', '$variable2', '$variable3') WHERE username = ( '" . mysqli_real_escape_string($username) . "')";
    Finally, let me ask a really "Hi, I'm a newbie" question too. What is the difference between doing this (assuming $username had been htmlspecialchar'd for output like in my first example)? Just so I understand the changes I am making.

    PHP Code:
    $username = mysqli_real_escape_string($link, $username);
    "INSERT INTO database (one, two, three) values ('one', 'two', 'three') WHERE username = '$username'";
    and

    PHP Code:
    "INSERT INTO database (one, two, three) values ('one', 'two', 'three') WHERE username = ( '" . mysqli_real_escape_string($username) . "')";
    I hope that post wasn't too much of a mess.

  8. #8
    SitePoint Wizard Cups (Join Date Oct 2006, Location France, deep rural, Posts 6,869)
    Quote Originally Posted by oknow View Post
    Would be right for the first example?
    Exactly right.

    Sorry, my mistake, I am getting confused with mysql_real_escape_string() - I must admit I am not familiar with mysqli, having moved directly to using PDO when PHP5.1 came out. Maybe someone else can help you with that. I hope I have not led you astray on that ...

  9. #9
    SitePoint Zealot (Join Date Jan 2010, Posts 153)
    Not a problem Cups, you have been a truly excellent help.

    Which part do I still need to confirm, though? So that I know where I'm up to.

  10. #10
    SitePoint Wizard Cups (Join Date Oct 2006, Location France, deep rural, Posts 6,869)
    Judging by what I read in the manual about mysqli function (which I am not conversant with)

    This code:
    PHP Code:
    $username = mysqli_real_escape_string($link, $username);
    "INSERT INTO database (one, two, three) values ('one', 'two', 'three') WHERE username = '$username'";
    Is correct,

    whereas this code:
    PHP Code:
    "INSERT INTO database (one, two, three)
    values ('one', 'two', 'three')
    WHERE username = ( '" . mysqli_real_escape_string($username) . "')";
    Is incorrect (or if the i was taken off, it would be true for plain mysql_* use).

    Sorry if I have confused you on this score.

  11. #11
    SitePoint Zealot (Join Date Jan 2010, Posts 153)
    Thanks for taking the time to help me out, and to clarify, Cups. I appreciate it.

    So basically I'm doing everything right? And it does not matter to switch between different escape methods on the same variable throughout my script, as long as I always use the right one for the right job, like in this example:

    PHP Code:
    <?php
    session_start();
    if (isset($_SESSION['username'])) {
        $username = $_SESSION['username'];
    }
    if (isset($_POST['form_submit'])) {
        $username = mysqli_real_escape_string($link, $username); // mysqli_real_escape_string for input into database
        "INSERT INTO database WHERE username = '$username'";
    }
    ?>
    <HTML begins>
    <?php
    echo "Welcome htmlspecialchars($username)"; // htmlspecialchars for output to the page
    ?>
    <html form goes here with 'form_submit' button>
    </HTML ends>

  12. #12
    SitePoint Zealot Zurev (Join Date Feb 2009, Posts 171)
    Am I the only one who noticed this bit:
    PHP Code:
    <?php
    echo "Welcome htmlspecialchars($username)"; // htmlspecialchars for output to the page
    ?>
    It won't call htmlspecialchars, it'd need to be:
    PHP Code:
    echo "Welcome " . htmlspecialchars($username);
    // Or if you wanted to continue the string..
    echo "Welcome " . htmlspecialchars($username) . ", how are you today?";

  13. #13
    SitePoint Zealot (Join Date Jan 2010, Posts 153)
    Oops, thank you Zurev!

    I've actually been doing it like this:
    PHP Code:
    <?php
    echo 'Welcome';
    echo htmlspecialchars($username);
    echo '.';
    ?>
    So I would need to change line 2 to this?
    PHP Code:
    echo .htmlspecialchars($username).; 

  14. #14
    Unobtrusively zen paul_wilkins (Join Date Jan 2007, Location Christchurch, New Zealand, Posts 14,729)
    Quote Originally Posted by oknow View Post
    Oops, thank you Zurev!

    I've actually been doing it like this:
    PHP Code:
    <?php
    echo 'Welcome';
    echo htmlspecialchars($username);
    echo '.';
    ?>
    So I would need to change line 2 to this?
    PHP Code:
    echo .htmlspecialchars($username).; 
    That last code example won't work, because PHP will think that you've missed out something for the full steps to concatenate with.

    You can use either the first example from above, or combine it in to one statement with:

    PHP Code:
    echo 'Welcome' . htmlspecialchars($username) . '.';
    Or if you prefer, you can have the one statement spread across multiple lines:

    PHP Code:
    echo 'Welcome'
        . htmlspecialchars($username)
        . '.';

    PHP Code:
    echo 'Welcome' .
        htmlspecialchars($username) .
        '.';
    Programming Group Advisor
    Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
    Car is to Carpet as Java is to JavaScript

  15. #15
    SitePoint Zealot Zurev (Join Date Feb 2009, Posts 171)
    No, line 2 is fine that way.

  16. #16
    Unobtrusively zen paul_wilkins (Join Date Jan 2007, Location Christchurch, New Zealand, Posts 14,729)
    With procedural mysqli, I prefer to not have the variable embedded within the string, which PHP then has to decode:

    Code php:
    $username = mysqli_real_escape_string($link, $username);
    $result = mysqli_query($link, "INSERT INTO database WHERE username = '$username'");

    Instead, I prefer to concatenate the variable to the string, so that it's visually easier to see what's going on:


    Code php:
    $username = mysqli_real_escape_string($link, $username);
    $result = mysqli_query($link, 'INSERT INTO database WHERE username = "' . $username . '"');

    I might even go so far as to use sprintf:

    Code php:
    $sql = sprintf(
        'INSERT INTO database WHERE username = "%s"',
        mysqli_real_escape_string($link, $username)
    );
    $result = mysqli_query($link, $sql);

    However, if you're going to go that far, you might as well use prepared statements instead.
    All escaping issues are then automatically handled when you bind a parameter to the statement.

    Code php:
    // the placeholder must not be quoted in the SQL; the driver quotes the bound value
    if ($stmt = mysqli_prepare($link, 'INSERT INTO database WHERE username = ?')) {
        mysqli_stmt_bind_param($stmt, "s", $username);
        mysqli_stmt_execute($stmt);
    }

  17. #17
    SitePoint Zealot (Join Date Jan 2010, Posts 153)
    Quote Originally Posted by paul_wilkins View Post
    With procedural mysqli, I prefer to not have the variable embedded within the string, which PHP then has to decode:

    Code php:
    $username = mysqli_real_escape_string($link, $username);
    $result = mysqli_query($link, "INSERT INTO database WHERE username = '$username'");

    Instead, I prefer to concatenate the variable to the string, so that it's visually easier to see what's going on:


    Code php:
    $username = mysqli_real_escape_string($link, $username);
    $result = mysqli_query($link, 'INSERT INTO database WHERE username = "' . $username . '"');
    Thank you Paul.

    I'll be truthful, I don't know the difference there due to me never having used concatenation much, or like that specifically, but I am reading about it right now.

    Does anyone have any input on my "escaping-variable-different-ways-throughout-code" question (post #11)? Once I confirm that one way or another, I think my lessons for today are complete!

    You are all a great help.

  18. #18
    Unobtrusively zen paul_wilkins (Join Date Jan 2007, Location Christchurch, New Zealand, Posts 14,729)
    Quote Originally Posted by oknow View Post
    Does anyone have any input on my "escaping-variable-different-ways-throughout-code" question (post #11)?
    Last year I summarised input/sanitize/output/escape issues in this Handling Input and Output post in the coding tips sticky thread.

  19. #19
    SitePoint Zealot (Join Date Jan 2010, Posts 153)
    Thanks again Paul. Reading now.

    Reading this thread over a few times, I'm actually thinking about reworking a lot of my code.

    I might completely remove all entries of the following at the top of all of my pages:

    PHP Code:
    if (isset($_SESSION['username']) && isset($_SESSION['user_id'])) {
        $username = $_SESSION['username'];
        $user_id = $_SESSION['user_id'];
    }

    and just use $_SESSION['username/user_id'] whenever I need to input or output the username/user_id.

    I figure, why bother setting them as variables unless I need them to be, ie to prepare them for database insertion, for example:

    PHP Code:
    $username = mysqli_real_escape_string($link, $_SESSION['username']);
    $result = mysqli_query($link, "INSERT INTO database (one, two, three) VALUES ('1', '2', '3') WHERE username = '$username'");
    But for any stuff that is just output on my page (welcome messages, menu links, etc) I will just do this:

    PHP Code:
    echo 'Welcome' . htmlspecialchars($_SESSION['username']) . '.';
    PHP Code:
    <?php // a user navigation link
    echo '<a href="blah.php?user=' . htmlspecialchars($_SESSION['username']) . '">'; ?>Blah</a>
    Sorry for rambling on and on, but this thread got me thinking about how I was writing my code in certain ways.. and it seems a bit pointless/redundant to do it the way I am currently doing it. Especially if I am going to be re-setting $username throughout my code with different escape functions anyway, why bother setting it at a point where I'm not even using it yet. Unless there is any reason I shouldn't use the session variables straight up like that?

  20. #20
    Unobtrusively zen paul_wilkins (Join Date Jan 2007, Location Christchurch, New Zealand, Posts 14,729)
    Quote Originally Posted by oknow View Post
    Unless there is any reason I shouldn't use the session variables straight up like that?
    The main reason is in terms of encapsulation.

    It's best if you don't have global variables scattered all throughout your code. Not only is it difficult to keep track of what you've used and where, it also becomes a real pain in the butt if you have to change one of those global variable names.

    See for example this article about PHP globals in functions

    To help resolve those issues, assign the global variable to a local variable so that there are less instances of global variables scattered about the place.


    Another reason is something called code smells (wikipedia), which are indications of deeper problems. There's quite a comprehensive list of them over at the code smells (Coding Horror) page.

    In this case, superglobal variables should not be trusted because you cannot guarantee what they contain. Yes it's possible to sanitize and validate them and rewrite the clean version back in to the superglobal, but then when viewing the code later on, you won't know if the superglobal is clean or not.

    Due to the dangerous potential of superglobals, any time you see them in your code you should ensure that they are cleaned and assigned to local variables, and those problems go away. If they appear without being appropriately handled, that should fire off some warning bells to ensure that they are.

    Appropriate handling of them with PHP 5.2 or better:

    Code php:
    $username = filter_input(INPUT_GET, 'username', FILTER_SANITIZE_STRING);

    or:

    Code php:
    $username = filter_var($_SESSION['username'], FILTER_SANITIZE_STRING);

    And before PHP 5.2:

    Code php:
    $username = '';
    if (isset($_SESSION['username'])) {
        $username = $_SESSION['username'];
    }

    And if your server still has magic quotes enabled, you should follow the advice from this Disabling Magic Quotes page.

  21. #21
    SitePoint Wizard Cups (Join Date Oct 2006, Location France, deep rural, Posts 6,869)
    Is the page index.php which is the start of your website, also in this directory?

    $_SERVER['DOCUMENT_ROOT']

  22. #22
    SitePoint Zealot (Join Date Jan 2010, Posts 153)
    Quote Originally Posted by Cups View Post
    Is the page index.php which is the start of your website, also in this directory?

    $_SERVER['DOCUMENT_ROOT']
    doc root is /x/

    website files are in /x/website/

    includes are in /x/includes/

    need to sort out protecting my includes someday, am hoping to sort out this escaping issue (assuming there is one) first

    note: when site is tested live doc root is /, main website files are in /, and includes are in /includes. hence the need to protect them.. but that is a job for later.

  23. #23
    SitePoint Addict (Join Date Dec 2008, Location Brussels, Posts 377)
    Do you guys use the Hungarian notation for variables?

  24. #24
    SitePoint Wizard Stormrider (Join Date Sep 2006, Location Nottingham, UK, Posts 3,133)
    I do use a simple form of it - prefixing variable names with 3 letters depending on its type (str, int, dec, arr, obj etc). I know it's not a popular practice and others on here may disagree, but I find it quite beneficial and have found no downsides to it so far.

  25. #25
    SitePoint Zealot (Join Date Jan 2010, Posts 153)
    I think I actually get the hang of it now, and I re-did my code in the style of your example. Not just copy paste, but did it piece by piece while reading your post, which I have probably read near fifty times already last night and today.. no exaggeration.

    I am very eager to learn not only the RIGHT way to do things, but to know why.

    I do have two more things I am wondering about. And these will be the last things for now. I feel privileged enough to have the amazingly detailed help you have given me, but anything further and I feel like I should start paying you.

    Firstly, I am wondering (and you have probably said so but it flew over my head) what the point is of the first set of filtering, when those variables aren't in use at that time and you end up having to escape them differently in the query anyway?

    My guess: The initial filtering is simply an extra line of defense. And the filters that are applied stick with those variables, and mysqli_real_escape_string is an ADDITIONAL measure of safety on TOP of that filtering. Would this be right?

    Secondly, I have never used sprintf before so that query format was/is rather foreign to me, but I think (due to your explanations) that I understand it.

    If I do understand it, this:

    PHP Code:
    (%d"%s"
    Just means that the variables that are going to be in those positions, are going to be of the designated %type. And then AFTER that, you state what those variables are and escape them, in the same order as the %values are listed.

    I am very used to just setting my variables with escapes and then inserting them directly, like in my final example before your epic post. I am guessing from what you have told me, that is when the variables 'persist' and is not a good thing.

    I thank you deeply, your explanations are worded absolutely brilliantly, clearly, and with great detail. Even if I don't entirely get all of it, your wording suits the way that my brain works.

    You should write a book or do a video series - I would purchase in an instant.

