Reply to Re: return multiple rows from sql statement

Posted by Michael Fesser on 09/01/07 10:04

..oO(The Natural Philosopher)

>Michael Fesser wrote:
>
>> Only if the ID is a string. Numeric values are not quoted. And with
>> embedded variables or sprintf() you won't even have to worry about the
>> order of quotes and dots, which is a really error-prone style of writing
>> a query:
>>
>> $q = "SELECT * FROM table1 WHERE id = $id";
>>
>> $q = sprintf("SELECT * FROM table1 WHERE id = %u", $id);
>
>That is worth doing: The overhead on printf/sprintf is massive compared
>with a print, and especially an echo statement.

Of course it is, but it's only an issue if you call it a million times
in a loop. In normal code you won't be able to notice a difference.
(s)printf() has many advantages, especially when you want to build a
string with many embedded variables or even complex expressions. Just
using echo and string concatenation could lead to really ugly code.

>> Your error_reporting is set improperly.
>>
>*shrug* improperly as defined by who?
>The world runs on opinion, stated as fact....

While developing, error_reporting should be set to E_ALL | E_STRICT.
Proper and correct code doesn't throw any notices, because even a notice
can be the cause of really nasty bugs.

>> A bug in your code. Usually all you have to do is this:
>>
>> * when receiving the POST data, remove slashes if magic quotes are on
>> * use a proper escaping function to insert the data into the DB
>> * when printing it out, use htmlspecialchars()
>>
>> That's it. Correct, reliable and no problem with slashes.
>
>Well that's another way. Ends up with the same number of manipulations...

Actually it works, while yours obviously doesn't.

>>> Any POST data that needs to be inserted into input fields and the like -
>>> goes through this:-
>>>
>>> function sanitise($string)
>>> {
>>>     $string = stripslashes($string);     // remove any backslashes
>>>     $string = htmlspecialchars($string); // turn oddities that HTML barfs
>>>                                          // on into ampersand stuff
>>>     return $string;
>>> }
>>
>> If you have to call stripslashes() on output you've made a mistake
>> somewhere else. It's never necessary for printing out something.
>>
>
>again, it wasn't for printing: the magic_quotes applied it to post data.
>It was for re-inserting into forms.

Yes, and this means output/printing to an HTML page.

>> printf("value='%s'", htmlspecialchars($my_value));
>>
>Printf is slow, and an unnecessary overhead.

As said, it has its advantages.

>At some point you have to
>decide between speed and coding clarity.

(s)printf() is not an issue here. You might want to read about premature
optimization if you like. Use a profiler to find the real bottlenecks in
your code.

Micha
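The three-step handling described in the post (undo magic quotes once at the input boundary, escape once for the database or pass a numeric ID through sprintf('%u'), and call htmlspecialchars() only when re-inserting into the form), as an added PHP example that is not part of the thread. The use of addslashes as the escaping callback is an assumption made only so the script runs without a database connection; real code would pass the driver's escaper such as $mysqli->real_escape_string, or use a prepared statement.

```php
<?php
// Added example, not from the thread: the three steps from the post.

// Step 1: on old PHP setups magic_quotes_gpc added backslashes to POST
// data. Remove them exactly once, at input time, never at output time.
// get_magic_quotes_gpc() no longer exists on PHP 8, hence the guard.
function undo_magic_quotes($value) {
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return $value;
    }
    return is_array($value)
        ? array_map('undo_magic_quotes', $value)
        : stripslashes($value);
}

// Step 2a: a numeric ID needs no quotes; %u forces an unsigned integer,
// so nothing but digits can reach the query.
function lookup_by_id_query($id) {
    return sprintf("SELECT * FROM table1 WHERE id = %u", $id);
}

// Step 2b: a string value is escaped for the DB with the driver's escaper.
// $escape is assumed to be e.g. [$mysqli, 'real_escape_string']; the demo
// below passes 'addslashes' only so the script runs without a database.
function lookup_by_name_query($name, callable $escape) {
    return sprintf("SELECT * FROM table1 WHERE name = '%s'", $escape($name));
}

// Step 3: escape for HTML only at output, when the value goes back into
// an attribute. ENT_QUOTES covers the single quotes used around value=.
function form_value($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input standing in for $_POST.
$post = ['id' => '42', 'name' => "O'Brien <b>"];
$post = undo_magic_quotes($post);

echo lookup_by_id_query($post['id']), "\n";
echo lookup_by_name_query($post['name'], 'addslashes'), "\n";
printf("<input name='name' value='%s'>\n", form_value($post['name']));
```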
