A web developer’s diary

September 30, 2006

Cool tips for PHP Programmers

Filed under: PHP — Celia @ 1:02 pm

1) My aversion towards addslashes:

My first-ever associate friend liked addslashes a lot. She liked it so much that she used it extensively even in places where it is not needed. She taught me its mantra too. I too held on to it fast, like a Catholic girl holding on to her rosary. Well, till the day I tried writing an MSSQL query.

For the newbie PHP programmers among you, let me say what addslashes() does.

addslashes() returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).

Well, I didn't say that. The PHP manual says it, and from the definition alone a seasoned programmer can tell how misleading it is. It should read "characters that need to be quoted in MySQL queries", not "database queries": the backslash escaping that addslashes() performs is what MySQL understands. MSSQL (T-SQL) does not treat a backslash as an escape character at all, so a value run through addslashes() still contains a bare single quote that closes the string literal. Can anyone use addslashes() in an MSSQL query? No, MSSQL has a different escape mechanism 😉

Ok, what should we do instead? Use mysql_real_escape_string() if you are using MySQL** as your database; unlike addslashes() it knows the character set of the connection. For MSSQL, escape each single quote with a second single quote: a simple str_replace that turns every quote into two quotes will do the trick. Either way, escaping is only correct for data that goes inside a single-quoted string literal; numbers and identifiers need their own validation, and where the driver offers parameterised queries you should prefer those, because then user data never becomes part of the SQL text at all. Also, when you do it, keep the database-specific functions separate from the main code. That will save you a lot of trouble later.
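Here is an added example (my own, not code from the original post) of the kind of separation described above: a small quoting layer that keeps the database-specific rule out of the main code. The function names are hypothetical. The MySQL branch uses the 2006-era mysql extension (removed in PHP 7) and needs an open link, so the demo below only exercises the MSSQL branch, which is pure string handling and runs anywhere; the attacker-style input is constructed for the demo.

```php
<?php
// Added example, not from the original post. A quoting layer that hides the
// database-specific escaping rule behind one function (hypothetical names).

// T-SQL has no backslash escape; a single quote inside a string literal is
// written as two single quotes.
function mssql_escape_string($value) {
    return str_replace("'", "''", $value);
}

// Returns a quoted SQL string literal for the given driver. Only valid for
// values that belong inside a single-quoted literal, never for identifiers.
function quote_literal($driver, $value, $link = null) {
    switch ($driver) {
        case 'mysql':
            if ($link === null) {
                // mysql_real_escape_string() (2006-era extension, gone in PHP 7)
                // needs a live connection to know the connection charset.
                throw new InvalidArgumentException('mysql quoting needs an open link');
            }
            return "'" . mysql_real_escape_string($value, $link) . "'";
        case 'mssql':
            return "'" . mssql_escape_string($value) . "'";
        default:
            throw new InvalidArgumentException("unknown driver: $driver");
    }
}

// Constructed attacker-style input: tries to close the literal and append a tautology.
$name = "O'Brien' OR '1'='1";

// What addslashes() produces for MSSQL: backslashes that T-SQL does not treat
// as escapes, so the first quote in the input still terminates the literal.
echo "addslashes:  SELECT * FROM users WHERE name = '" . addslashes($name) . "'\n";

// The MSSQL-correct form: every quote is doubled, so the entire input stays
// inside the literal and the query compares against the full string.
echo "mssql:       SELECT * FROM users WHERE name = " . quote_literal('mssql', $name) . "\n";
```

Run it from the command line and compare the two statements it prints: in the addslashes() version the backslashes are just characters to T-SQL and the quotes are still live, while in the quote_literal('mssql', ...) version no single quote survives on its own. Swapping the driver later means touching quote_literal() and nothing else.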

2) Beware of extract

I guess most of you would be familiar with the extract() function. It comes in handy when working with arrays.

int extract ( array var_array [, int extract_type [, string prefix]] )

This function is used to import variables from an array into the current symbol table. It takes an associative array var_array and treats keys as variable names and values as variable values. For each key/value pair it will create a variable in the current symbol table, subject to the extract_type and prefix parameters.

<?php
/* Suppose that $var_array is an array returned from
wddx_deserialize */

$size = "large";
$var_array = array("color" => "blue",
"size" => "medium",
"shape" => "sphere");
extract($var_array, EXTR_PREFIX_SAME, "wddx");

echo "$color, $size, $shape, $wddx_size\n";

?>

The above example will output:

blue, large, sphere, medium

However, one shouldn't use extract() on USER INPUT arrays like $_POST or $_GET. Doing so hands anyone who can craft a request the power to define, or overwrite, any variable in the current scope, which is exactly what made register_globals so dangerous. For example, take the code below:

<?php
extract($_GET);

// code follows
…………
………
//

if($administrator=="1")
{
// access privileged information
}

?>

Just see how easy it is to hack the above piece of code. All one needs to access the classified information is to append administrator=1 to the URL: extract($_GET) creates $administrator in the current scope and the check passes. The real fix is not to call extract() on request arrays at all and to read $_GET['administrator'] explicitly, or better, to take the privilege from the session rather than from the request. If you must use extract(), initialise the sensitive variable first and pass EXTR_SKIP so an existing variable is never overwritten (EXTR_SKIP does nothing for variables that are not yet set), or use EXTR_PREFIX_ALL so request keys can never collide with your own names.
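The following is an added example (mine, not from the original post) that puts the vulnerable pattern next to the hardened variants described above. It simulates the request and the session with constructed arrays instead of the real $_GET and $_SESSION so it runs from the command line; the function names are hypothetical.

```php
<?php
// Added example, not from the original post. The request and session below
// are constructed arrays standing in for $_GET and $_SESSION.

// Constructed attacker input: the only thing the attacker changed is the URL.
$request = array('page' => 'reports', 'administrator' => '1');
$session = array('user' => 'celia');   // no is_admin flag: a normal user

// Vulnerable: extract() on request data lets the URL define $administrator.
function is_admin_vulnerable(array $request) {
    extract($request);                       // creates $page and $administrator here
    return isset($administrator) && $administrator == '1';
}

// Hardened 1: request data never becomes a variable; authorisation comes
// from server-side state only.
function is_admin_from_session(array $session) {
    return !empty($session['is_admin']);
}

// Hardened 2: if extract() is unavoidable, initialise the sensitive variable
// first and use EXTR_SKIP, which refuses to overwrite an existing variable.
// Without the initialisation EXTR_SKIP would not help, since there would be
// no collision to skip.
function is_admin_extract_skip(array $request) {
    $administrator = '0';
    extract($request, EXTR_SKIP);            // $administrator keeps its value
    return $administrator == '1';
}

// Hardened 3: EXTR_PREFIX_ALL renames every imported key ($req_page,
// $req_administrator), so request keys can never collide with your own names.
function is_admin_extract_prefix(array $request) {
    $administrator = '0';
    extract($request, EXTR_PREFIX_ALL, 'req');
    return $administrator == '1';
}

var_dump(is_admin_vulnerable($request));
var_dump(is_admin_from_session($session));
var_dump(is_admin_extract_skip($request));
var_dump(is_admin_extract_prefix($request));
```

Only the first call grants access: the same request array is handed to all four functions, and only the unguarded extract() lets the attacker's administrator=1 reach the privilege check. Of the three hardened forms, reading the privilege from the session is the one to prefer, since it removes the request from the decision entirely rather than fencing it off.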

Note** – Please do not use mysql_real_escape_string() with the mssql functions. It would not work: it escapes with backslashes, which T-SQL does not understand, and it needs an open MySQL connection to run at all. This function is specific to the MySQL database.
