|
|
Posted by The Natural Philosopher on 09/01/07 18:34
Michael Fesser wrote:
> .oO(The Natural Philosopher)
>
>> Michael Fesser wrote:
>>
>>> Only if the ID is a string. Numeric values are not quoted. And with
>>> embedded variables or sprintf() you won't even have to worry about the
>>> order of quotes and dots, which is a really error-prone style of writing
>>> a query:
>>>
>>> $q = "SELECT * FROM table1 WHERE id = $id";
>>>
>>> $q = sprintf("SELECT * FROM table1 WHERE id = %u", $id);
>> That is worth doing: The overhead on printf/sprintf is massive compared
>> with a print, and especially an echo statement.
>
> Of course it is, but it's only an issue if you call it a million times
> in a loop. In normal code you won't be able to notice a difference.
> (s)printf() has many advantages, especially when you want to build a
> string with many embedded variables or even complex expressions. Just
> using echo and string concatenation could lead to really ugly code.
>
>>> Your error_reporting is set improperly.
>>>
>> *shrug* improperly as defined by who?
>> The world runs on opinion, stated as fact....
>
> While developing error_reporting should be set to E_ALL | E_STRICT.
> Proper and correct code doesn't throw any notices, because even a notice
> can be the reason of really nasty bugs.
>
>>> A bug in your code. Usually all you have to do is this:
>>>
>>> * when receiving the POST data, remove slashes if magic quotes are on
>>> * use a proper escaping function to insert the data into the DB
>>> * when printing it out, use htmlspecialchars()
>>>
>>> That's it. Correct, reliable and no problem with slashes.
>> Well that's another way. Ends up with the same number of manipulations...
>
> Actually it works, while yours obviously doesn't.
>
Well it does.
>>>> Any POST data that needs to be inserted into input fields and the like -
>>>> goes through this:-
>>>>
>>>> function sanitise($string)
>>>> {
>>>> $string=stripslashes($string); // remove any backslashes
>>>> $string=htmlspecialchars($string); // turn oddities that HTML barfs
>>>> // on into ampersand stuff
>>>> return $string;
>>>> }
>>> If you have to call stripslashes() on output you've made a mistake
>>> somewhere else. It's never necessary for printing out something.
>>>
>> again, it wasnt for printing: the magic_quotes applied it to post data.
>> It ws for re0insertin into formss.
>
> Yes, and this means output/printing to an HTML page.
>
Semantics.
All I am saying is that if something is coining in from a POST with
backslashes and quotes, to set it up right for web printing if thats
what you call it, it has to be de backslashed and special-charred.
If you take the magic off, it has to BE backslashed for SQL and still
has to be html special charred for the screen.
Thats two explicit coded transformations instead of one implicit (the
'magic') and one explicit.
I am sure we could argue all week about subtleties of style, and detail
where one or the other is better, but I have code to write, and I can't
be arsed.
>>> printf("value='%s'", htmlspecialcars($my_value));
>>>
>> Printf is slow, and an unnecessary overhead.
>
if it had no advantages it would never have been written. But writing a
200 long SELECT <OPTION >statement with a call to printf for each one..
Maybe I am old fashioned, but I try not to use sledgehammers to crack
nuts, especially in loops. Comes from starting out with a Z80 ad 64K ram
and an Assembler...
>> At some point you have to
>> decide between speed and coding clarity.
>
> (s)printf() is not an issue here. You might want to read about premature
> optimization if you like. Use a profiler to find the real bottlenecks in
> your code.
>
well the slows thing is digesting large amounts of javascript ;-)
But thats outside the scope here.
> Micha
[Back to original message]
|