PHP Security: Escape Output

nuweb · 11-24-2008, 12:49 PM

PHP Security: Escape Output

In the Zend Certification Study Guide it says:

Quote:

Originally Posted by Study Guide

If you prepare output by escaping it and storing it to a specific array, you can then use the latter’s contents without having to worry about whether the output has been escaped.
If you encounter a variable in your script that is being outputted and is not part of this array, then it should be regarded suspiciously. This practice will help make your code easier to read and maintain. For this example, assume that the value for $user_message comes from a database result set.

PHP Code:


			
$html = array();

$html[’message’] = htmlentities($user_message, ENT_QUOTES, ’UTF-8’);

echo $html[’message’];

So my qestion is, why an array? I can not see how that makes any difference than doing:

PHP Code:


			
echo htmlentities($user_message, ENT_QUOTES, ’UTF-8’);

or more simular

PHP Code:


			
$user_message = htmlentities($user_message, ENT_QUOTES, ’UTF-8’);

echo $user_message;

Salathe · 11-24-2008, 01:15 PM

The only conclusion I can arrive at is that it's easier to keep track of a single array (in your own mind) than any number of disparate variables (likely mixed in with un–output-prepared variables). It's not my cup of tea but if it helps someone else then that's good.

nuweb · 11-24-2008, 02:17 PM

Ahh, Zend wrote it as they thought we all forget the clean variable name.
e.g.

PHP Code:


			
$message = htmlentities($user_message, ENT_QUOTES, &#8217;UTF-8’);
echo $user_message

..

Well im happy knowing Array's dont "realy" add additional security as the paragraph suggested.

Wildhoney · 11-24-2008, 07:01 PM

More programming ambiguity, I see! Are you in the process of studying the Zend qualification or merely preparing for it?

nuweb · 11-24-2008, 08:00 PM

The Zend PHP5 Certification is booked the 2nd week into December. Ive been coding for many years now, its just a matter of learning terms and php oop.