TalkPHP (http://www.talkphp.com/forums.php) - PHP Security: Escape Output (http://www.talkphp.com/general/3645-php-security-escape-output.html)

nuweb 11-24-2008 12:49 PM

PHP Security: Escape Output

In the Zend Certification Study Guide it says:
Quote (originally posted by the Study Guide):
If you prepare output by escaping it and storing it to a specific array, you can then use the latter’s contents without having to worry about whether the output has been escaped.
If you encounter a variable in your script that is being outputted and is not part of this array, then it should be regarded suspiciously. This practice will help make your code easier to read and maintain. For this example, assume that the value for $user_message comes from a database result set.

PHP Code:

// $user_message comes from a database result set; it is escaped once on the
// way into the $html array, and output only ever reads from that array.
$html = array();
$html['message'] = htmlentities($user_message, ENT_QUOTES, 'UTF-8');
echo $html['message'];

So my question is, why an array? I cannot see how that makes any difference from doing:
PHP Code:

echo htmlentities($user_message, ENT_QUOTES, 'UTF-8');

or, more similar:
PHP Code:

$user_message = htmlentities($user_message, ENT_QUOTES, 'UTF-8');
echo $user_message;

:-/

Salathe 11-24-2008 01:15 PM

The only conclusion I can arrive at is that it's easier to keep track of a single array (in your own mind) than any number of disparate variables (likely mixed in with un–output-prepared variables). It's not my cup of tea but if it helps someone else then that's good.

nuweb 11-24-2008 02:17 PM

Ahh, Zend wrote it as they thought we all forget the clean variable name.
e.g.
PHP Code:

$message = htmlentities($user_message, ENT_QUOTES, 'UTF-8');
echo $user_message; // the raw, unescaped variable is echoed instead of $message

..

Well, I'm happy knowing arrays don't "really" add additional security as the paragraph suggested.
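As an added example (not code from the thread or the Study Guide), this shows the guide's convention from the first post in working form, and turns its "regard any other echoed variable suspiciously" advice into a small source check that catches the slip in the snippet above. The function names escapeHtml, prepareHtml and findUnescapedEchoes are assumptions, and htmlspecialchars is used in place of htmlentities, which is sufficient for HTML escaping.

```php
<?php
declare(strict_types=1);

// Escape one string for an HTML text or attribute context. ENT_QUOTES covers
// both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would otherwise silently drop the value.
function escapeHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the "escaped output" array the Study Guide recommends: every value
// that will be echoed is escaped exactly once on its way into $html.
function prepareHtml(array $raw): array
{
    $html = [];
    foreach ($raw as $key => $value) {
        $html[$key] = escapeHtml((string) $value);
    }
    return $html;
}

// Review aid (hypothetical helper): list every "echo $var" in a piece of PHP
// source whose variable is not an $html[...] entry. Anything it returns is
// a candidate for unescaped output and deserves a closer look.
function findUnescapedEchoes(string $source): array
{
    preg_match_all('/\becho\s+(\$[A-Za-z_]\w*)(\[[^\]]*\])?/', $source, $m, PREG_SET_ORDER);
    $suspicious = [];
    foreach ($m as $match) {
        if ($match[1] !== '$html') {
            $suspicious[] = $match[1] . ($match[2] ?? '');
        }
    }
    return $suspicious;
}

// Constructed sample row standing in for a database result set.
$row  = ['message' => 'Tom & Jerry said "<3" to O\'Brien'];
$html = prepareHtml($row);
echo $html['message'], PHP_EOL;

// The slip from the post above: $message is escaped, but the raw variable
// is echoed. The check flags $user_message and accepts $html['message'].
$snippet = <<<'PHP'
$message = htmlentities($user_message, ENT_QUOTES, 'UTF-8');
echo $user_message;
echo $html['message'];
PHP;
print_r(findUnescapedEchoes($snippet));
```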

Wildhoney 11-24-2008 07:01 PM

More programming ambiguity, I see! Are you in the process of studying the Zend qualification or merely preparing for it?

nuweb 11-24-2008 08:00 PM

The Zend PHP5 Certification is booked for the 2nd week of December. I've been coding for many years now; it's just a matter of learning terms and PHP OOP.
