[Resolved] Best practices with the print command.

unreal128

There are different approaches to enclosing the content you want to be printed with either a ', " or . I am assuming these are handled in the same way they are in a shell (" = literal, ' = literal w/ control characters bypassed,= output from command.)

What is the best approach for PHP programmers in regards to this. For example, I usually just enclose HTML in double quotes "". Is there an advantage though to putting single quotes and escaping the control characters (eg. >) or is this just more work. Also is it advantageous to enclose SQL variables in `when framing it as an SQL query assigned to PHP variable.

My main intent is to provide the most secure code against SQL injections or manipulation by feeding malformed data to my PHP scripts. Also, if anyone has any good tips for cleaning passwords before they are processed, it would be appreciated.

paulnaj

Hi unreal,

The single- or double-quotes business is clear for me. Always single, unless I have to use double (e.g. echo-ing a newline "\n").

Reasons ...
1) HTML is easier ...

echo '<td width="10">';

... rather than ...

echo "<td width=\"10\">";

2) You can't embed your variables in single-quoted strings, forcing you to cut in and out ...

echo 'Hello, '.$your_name.', my name is '.$name;

... is easier to read, debug and is fractionally faster than ...

echo "Hello, $your_name, my name is $name";

For SQL, if you use very distinctive table/field names then the back-ticks aren't necessary, but why not use them anyway. They always work, whereas not using them sometimes doesn't.

The thing with PHP is that you can get away with a lot of stuff (like using variables without declaring them) that you can't in other languages. In the end, for bigger projects especially, it's best to be as rigorous as possible.

Neither of these two things will guard you against injections though. That's to do with validation of data ... do you get a number if you're expecting a number? ... is it in range? ... that sort of thing.

If you assume that every piece of data sent is potentially malicious, you won't go far wrong.

Hope that helps!

Paul

unreal128

Thanks for the quick response, this is exactly what I wanted to hear. I wanted to make sure it wasn't just me.

Here is a good quickie I found for cleaning the data before accessing against a database.

$safe_data = strtr(addslashes($data),array('_' => '_', '%' => '\%'));

Here is a description of the 2 commands used...
http://www.php.net/manual/en/function.strtr.php
http://www.php.net/addslashes

It basically takes any potential control characters and escapes them.

bradgrafelman

Or, do that all in one (mostly) command:

if(!get_magic_quotes_gpc()) $safe_data = mysql_real_escape_string($data, $mysql_link); else $safe_data = mysql_real_escape_string(stripslashes($data), $mysql_link);

[man]mysql_real_escape_string/man

unreal128

This handles it alot more cleanly, thanks.