appdb security
EA Durbin
ead1234 at hotmail.com
Thu Jun 8 18:44:15 CDT 2006
>>Is there a reason why we don't do the if(empty()) check inside of
>>makeSafe()?
As in, put the if(empty()) inside the function itself, or pass if( empty( makeSafe( $_REQUEST['appId'] ) ) ) when we assign it?
The reason I didn't put it in the makeSafe function was because we were
testing to see whether the variable was isset or empty, and depending on the
point in the application the result was either set to "" or 0. You could do
it inside of the makeSafe() function, but returning "" may not always be the
desired result.
You could call the empty() test while you are assigning it; I just always
start out by assigning all of the user input variables I'm going to use at the
top of the page, passing them through makeSafe.
function makeSafe( $var )
{
    // trim surrounding whitespace, then backslash-escape ' " \ and NUL
    $var = trim( addslashes( $var ) );
    return $var;
}

$clean['var1'] = makeSafe( $_REQUEST['var1'] );
$clean['var2'] = makeSafe( $_REQUEST['var2'] );
Then any subsequent tests performed on the variables are ensured to be clean.
If your desired output of makeSafe is to be "" when it's empty, then you could
put the empty() test inside of makeSafe, but further down in the app we were
testing for empty and returning 0.
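An added example (not code from the post or from the appdb itself) that keeps the same "clean everything at the top of the page" habit but settles the "" versus 0 question per parameter with an explicit default, and moves escaping to the point where the value is used. addslashes() only backslash-escapes quotes, backslashes and NUL: that is aimed at SQL string literals, and even there bound parameters (or the driver's own escaping) are the reliable form; it does nothing useful for HTML output, and $_REQUEST entries can also be arrays (foo[]=1), which trim() does not accept. The function names, the $request array standing in for $_REQUEST, and the app table are assumptions for the example; it needs the pdo_sqlite extension, which most PHP builds enable, so the SQL part runs without a server.

```php
<?php
// Added example, not the appdb code from the post. It keeps the habit the
// post describes (collect every user input into $clean at the top of the
// page) but separates two things makeSafe() rolls into one:
//   1. what a missing or empty() parameter should become ("" or 0), decided
//      per parameter with an explicit default, and
//   2. escaping, which depends on where the value is used (SQL vs HTML), so
//      it is done at the point of use, not on input.
// Function names, the $request array and the app table are assumptions made
// for this example; pdo_sqlite is used so the SQL part runs locally.

// Trimmed string, or $default when the key is unset, not a scalar string
// (e.g. foo[]=1 makes $_REQUEST['foo'] an array), or empty after trimming.
function cleanString(array $src, string $key, string $default = ''): string
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return $default;
    }
    $val = trim($src[$key]);
    return ($val === '') ? $default : $val;
}

// Non-negative integer id, or $default (the post's "return 0" case) when
// the key is unset, empty(), not a string, or not made of digits only.
function cleanId(array $src, string $key, int $default = 0): int
{
    if (empty($src[$key]) || !is_string($src[$key])) {
        return $default;
    }
    $val = trim($src[$key]);
    return ctype_digit($val) ? (int) $val : $default;
}

// Escaping for HTML output. addslashes() is the wrong tool here: it adds
// backslashes, which mean nothing to a browser, and leaves < > & untouched.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Look an app up by id and name with bound parameters. The values never
// become part of the SQL text, so neither addslashes() nor any other
// escaping is applied to them.
function findApp(PDO $pdo, int $appId, string $appName): ?array
{
    $stmt = $pdo->prepare('SELECT appId, appName FROM app WHERE appId = ? AND appName = ?');
    $stmt->execute([$appId, $appName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return ($row === false) ? null : $row;
}

// Constructed request, standing in for $_REQUEST on a real page. The name
// contains a quote and a tag so both escaping contexts are exercised.
$request = [
    'appId'   => ' 42 ',
    'appName' => "O'Reilly's <b>Tool</b>",
    'vendor'  => '',
    'tags'    => ['a', 'b'],
];

$clean = [];
$clean['appId']   = cleanId($request, 'appId');
$clean['appName'] = cleanString($request, 'appName');
$clean['vendor']  = cleanString($request, 'vendor', 'unknown'); // empty string falls back to the default
$clean['tags']    = cleanString($request, 'tags');              // array input falls back to the default
$clean['missing'] = cleanId($request, 'missing');               // unset key falls back to the default

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE app (appId INTEGER PRIMARY KEY, appName TEXT NOT NULL)');
$pdo->prepare('INSERT INTO app (appId, appName) VALUES (?, ?)')
    ->execute([42, "O'Reilly's <b>Tool</b>"]);

$row = findApp($pdo, $clean['appId'], $clean['appName']);
if ($row === null) {
    echo "no such app\n";
} else {
    // Escape only now, for the HTML context the value is about to enter.
    echo 'Found app #', (int) $row['appId'], ': ', forHtml($row['appName']), "\n";
}
```

Run it with the php CLI. The point of the split is that the "" versus 0 decision belongs with the parameter (cleanId defaults to 0, cleanString to "" or whatever the caller passes), while the quote in the app name needs no treatment at all on the SQL side and different treatment on the HTML side, so no single makeSafe() can get both right on input.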
More information about the wine-devel mailing list