SEO
vBulletin Search Engine Optimization
| |||||||
| Register | FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
05-07-2008, 10:16 AM
| ||||
| ||||
 Re: code OK for large number of hits? On Mon, 05 May 2008 10:25:06 +0200, Matthias Watermann <lists@mwat.de> wrote: >On Mon, 05 May 2008 07:16:35 +0100, Geoff Cox wrote: > >> [...] >> where the user is typing a number into a box >> >> var number_check = number_given; >> if ( (number_check >7) || (number_check < 1) ) { alert("The number must >> be in the range 1 to 7!"); } else >> if (isNaN(number_check)) { >> alert("Please enter a valid number"); } else { >> sendGroup1Lab1(number_check); >> } > >You must _never_ rely on client-side validation! As far as the >server-side script is concerned you should at least assume the user >switched JavaScript off (not to mention intended malformed values). > >> I have changed (***) the php to >> >> $result1 = $_GET['answer1']; >> $result2 = $_GET['answer2']; >> $result3 = $_GET['answer3']; >> $result4 = $_GET['answer4']; > >If those values are supposed to be numbers you should at least >ensure that: > >$result1 = $_GET['answer1'] * 1; >$result2 = $_GET['answer2'] * 1; >$result3 = $_GET['answer3'] * 1; >$result4 = $_GET['answer4'] * 1; >(There's no need for those "$result" variables: Why keep the same value >in memory multiple times?) Do _not_ assume all the expected CGI >arguments are there actually but always check that. Matthias, I'm not clear what you mean above re the "no need for those "$result" variables" - could you please explain? Cheers Geoff > >> [...] >> $result4 = mysql_real_escape_string($_GET['favorite']); *** > >What's "favorite" supposed to be? A string? A number (real or integer)? >How do you validate that? > >> mysql_query("INSERT INTO mytable (answer1,answer2,answer3,answer4) >> VALUES ('$result1','$result2','$result3','$result4')"); > >The single quote are needed for string values, while those "$resultX" >variables are integers. Hence you could omit the single quotes. > >> I see that mysql_real_escape_string can only be used after connecting >> to the database? > >Yes. However, id you'd validate the user provided values there's not >much need for such a call anyway. And escaping possibly malicious >values might avoid some SQL injection problem but it does _not_ avoid >your tables being filled with useless data. > >> Is the above safer? > >Further improvement could be gained by not using the tables directly >but calling an stored procedure which could implement additional >validation. But that's another topic and probably oversized for >your application. > >However, you should switch from HTTP/GET to HTTP/POST. While that's >not a safety net as such at least it makes it a _little_ harder to >fake the CGI arguments.      |
|
05-07-2008, 10:16 AM
| |||
| |||
| Re: code OK for large number of hits? On Mon, 05 May 2008 12:51:09 +0200, Geoff Cox <gcox@freeuk.notcom> wrote: >> If those values are supposed to be numbers you should at least >> ensure that: >> >> $result1 = $_GET['answer1'] * 1; >> $result2 = $_GET['answer2'] * 1; >> $result3 = $_GET['answer3'] * 1; >> $result4 = $_GET['answer4'] * 1; > > >> (There's no need for those "$result" variables: Why keep the same value >> in memory multiple times?) Do _not_ assume all the expected CGI >> arguments are there actually but always check that. > > Matthias, > > I'm not clear what you mean above re the "no need for those "$result" > variables" - could you please explain? It's more of a discussion for comp.lang.php. However, I do NOT agree that those $result variables are unneeded: it's a Good Practise to leave the GET/POST/COOKIE/ARG superglobals arrays as read-only. Who knows what other code would do next? And one could want to log illegal values later on for instance. As soon as one wants to alter it, use a 'normal' variable. Certainly with the limited GET array, memory will seldomly be the problem. Nothing to do with MySQL anymore, f'up comp.lang.php -- Rik Wasmus |
|
05-07-2008, 10:16 AM
| |||
| |||
| Re: code OK for large number of hits? On Mon, 05 May 2008 11:51:09 +0100, Geoff Cox wrote: > [...] >>(There's no need for those "$result" variables: Why keep the same value >>in memory multiple times?) Do _not_ assume all the expected CGI >>arguments are there actually but always check that. > > Matthias, > > I'm not clear what you mean above re the "no need for those "$result" > variables" - could you please explain? As I've shown in my validation examples you can "clean" the CGI arguments directly in the global "$_GET" list. I consider it a waste of memory to duplicate those values. But just was just a hint. The other points were more important. -- Matthias /"\ \ / ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL X - AGAINST M$ ATTACHMENTS / \ |
|
05-07-2008, 10:16 AM
| |||
| |||
| Re: code OK for large number of hits? Matthias Watermann wrote: > On Mon, 05 May 2008 11:51:09 +0100, Geoff Cox wrote: > >> [...] >>> (There's no need for those "$result" variables: Why keep the same value >>> in memory multiple times?) Do _not_ assume all the expected CGI >>> arguments are there actually but always check that. >> Matthias, >> >> I'm not clear what you mean above re the "no need for those "$result" >> variables" - could you please explain? > > As I've shown in my validation examples you can "clean" the CGI arguments > directly in the global "$_GET" list. I consider it a waste of memory to > duplicate those values. But just was just a hint. The other points were > more important. > > You can. But I agree with Rik. It is better to consider the $_GET and $_POST values to be read-only. Which is more important - maintainability and serviceability of the application, or 50 bytes of memory? But this is also a PHP question, not a MySQL one. -- ================== Remove the "x" from my email address Jerry Stuckle JDS Computer Training Corp. jstucklex@attglobal.net ================== |
|
05-07-2008, 10:16 AM
| |||
| |||
| Re: code OK for large number of hits? On Mon, 05 May 2008 10:25:06 +0200, Matthias Watermann wrote: > $hits = array(); As a completely juvenile aside, variable names like this make me giggle. -- 3. My noble half-brother whose throne I usurped will be killed, not kept anonymously imprisoned in a forgotten cell of my dungeon. --Peter Anspach's list of things to do as an Evil Overlord |
|
05-07-2008, 10:16 AM
| ||||
| ||||
| Re: code OK for large number of hits? On Mon, 05 May 2008 10:22:55 -0500, Peter H. Coffin wrote: > [...] >> $hits = array(); > > As a completely juvenile aside, variable names like this make me giggle. You're welcome! Laughing improves your health, or so I hear :-) -- Matthias /"\ \ / ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL X - AGAINST M$ ATTACHMENTS / \ |
Linear Mode
