#1
    A Change of Season
    Comparing 2 html_escape functions. Which one is preferred?


    These are pretty much the same, right?
    PHP Code:
    if (!function_exists('html_escape'))
    {
        function html_escape($var)
        {
            if (is_array($var))
            {
                return array_map('html_escape', $var);
            }
            else
            {
                return htmlspecialchars($var, ENT_QUOTES, config_item('charset'));
            }
        }
    }
    PHP Code:
    function html_escape($raw_input)
    {
        return htmlspecialchars($raw_input, ENT_QUOTES | ENT_HTML401, 'UTF-8');
    }
#2
    Did you steal it?
    The first one won't redefine itself (something you should never have to account for), handles arrays, doesn't use the ENT_HTML401 option, and gets the charset from a function call.

    But besides that, yes they're the same.
#3
    A Change of Season
    Originally Posted by requinix
    The first one won't redefine itself
    I think I am missing what you mean. Please explain.
    Originally Posted by requinix
    Doesn't use the ENT_HTML401 option
    I see that. But can you please explain the benefits?

    Thank you
#4
    Did you steal it?
    Originally Posted by zxcvbnm
    I think I am missing what you mean. Please explain.
    Without the function_exists() stuff, if you include() the file more than once the function would be defined multiple times. Or rather it wouldn't be because PHP doesn't allow that and instead you'll get errors.
    That's why I said you should never have to account for it: if a file defines a function (or class) then it should always be require_once()ed.

    Originally Posted by zxcvbnm
    I see that. But can you please explain the benefits?
    All I said was that the second one uses it. Honestly, I don't know what difference it makes.
#5
    --
    Originally Posted by requinix
    Honestly, I don't know what difference it [the ENT_HTML401 flag] makes.
    The flag specifies which entity should be used for single quotes. XHTML (and HTML5) have &apos;, HTML 4 doesn't and uses the numbered entity instead.

    PHP Code:
    var_dump( htmlspecialchars("'", ENT_QUOTES | ENT_HTML401, 'UTF-8') );
    var_dump( htmlspecialchars("'", ENT_QUOTES | ENT_XHTML, 'UTF-8') );
    Since ENT_HTML401 is already the default, it's not necessary to write it down. But I still do it for clarity.
    The 6 worst sins of security · How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
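    As an added example (not code from the thread or from CodeIgniter itself), here are the two html_escape variants from post #1 side by side, the ENT_HTML401 versus ENT_HTML5 difference just described, and one caveat the thread does not raise: what htmlspecialchars() does with input that is invalid in the declared charset. config_item() is stubbed to return 'UTF-8' so the script runs on its own.

```php
<?php
// Added example; not code from the thread or from CodeIgniter itself.
// config_item() is a CodeIgniter function, stubbed here so the script runs stand-alone.
function config_item($name)
{
    return $name === 'charset' ? 'UTF-8' : null;
}

// Variant 1 from the thread: recursive over arrays, charset taken from the config.
function html_escape_v1($var)
{
    if (is_array($var)) {
        return array_map('html_escape_v1', $var);
    }
    return htmlspecialchars($var, ENT_QUOTES, config_item('charset'));
}

// Variant 2 from the thread: scalars only, ENT_HTML401 and UTF-8 written out explicitly.
function html_escape_v2($raw_input)
{
    return htmlspecialchars($raw_input, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// Constructed sample containing all five characters htmlspecialchars() rewrites.
$sample = "Rock 'n' Roll <b>\"A & B\"</b>";

// On a scalar the two variants produce identical output, because ENT_HTML401 is
// already the default document type and the configured charset is UTF-8 as well.
var_dump(html_escape_v1($sample) === html_escape_v2($sample));
echo html_escape_v1($sample), PHP_EOL;

// Only variant 1 accepts arrays (recursively); on PHP 8 variant 2 throws a TypeError
// for an array argument instead of escaping it.
print_r(html_escape_v1(['name' => "it's", 'tags' => ['<i>']]));

// What the document-type flag changes: HTML 4.01 has no &apos; entity, so the single
// quote becomes a numeric reference, while ENT_HTML5 (and ENT_XHTML, ENT_XML1) use &apos;.
echo htmlspecialchars("'", ENT_QUOTES | ENT_HTML401, 'UTF-8'), PHP_EOL;
echo htmlspecialchars("'", ENT_QUOTES | ENT_HTML5, 'UTF-8'), PHP_EOL;

// Caveat beyond the thread: a byte sequence that is invalid in the declared charset
// makes htmlspecialchars() return an empty string unless ENT_SUBSTITUTE is set, so a
// truncated multibyte character silently blanks the whole value.
$broken = "caf\xC3";   // constructed: the UTF-8 for an accented e, cut off after its first byte
var_dump(htmlspecialchars($broken, ENT_QUOTES, 'UTF-8'));
var_dump(htmlspecialchars($broken, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
```

    Note that before PHP 8.1 the default flags did not include ENT_QUOTES, which is why both variants pass it explicitly rather than relying on the default.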
#6
    A Change of Season
    I guess CodeIgniter's security sucks only when it comes to hashing.

    They have done a good job with SQL Injection, CSRF and XSS.

    Do you agree?
#7
    Contributing User
    hashing? what does hashing have to do with your original question?
#8
    --
    Originally Posted by zxcvbnm
    I guess CodeIgniter's security sucks only when it comes to hashing.

    [...]

    Do you agree?
    No.

    The only good part about their XSS protection is the trivial htmlspecialchars() wrapper above. Their custom XSS filter is highly dubious, as we already found out.

    For CSRF protection (and everything else) they use weak random numbers generated by uniqid().

    For the database stuff they use escaping instead of prepared statements. Well, OK.

    Now, this is not so bad that you'd have to immediately give up CI. But their security is far from being state-of-the-art -- in every aspect.
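    An added example, not the thread's or CodeIgniter's own code, of the CSRF token handling the post above argues for: a uniqid()-based token, which the post says CI relies on, beside one drawn from random_bytes(), and a constant-time check with hash_equals(). The $session array is a stand-in for $_SESSION so the script runs without a web server.

```php
<?php
// Added example; not code from the thread or from CodeIgniter.
// Plain arrays stand in for $_SESSION and the submitted form field.

// Weak: uniqid() is built from the current time in microseconds, so its value is
// predictable to anyone who can estimate when the token was issued.
function csrf_token_weak()
{
    return uniqid();
}

// Strong: random_bytes() (PHP 7+) reads from the operating system's CSPRNG;
// 32 bytes gives 256 bits of unpredictability, hex-encoded for safe embedding in HTML.
function csrf_token_strong()
{
    return bin2hex(random_bytes(32));
}

// Issue one token per session and reuse it for every form in that session.
function csrf_token_for_session(array &$session)
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = csrf_token_strong();
    }
    return $session['csrf_token'];
}

// Verify the submitted value with hash_equals() so the comparison time does not
// depend on how many leading characters happen to match.
function csrf_check(array $session, $submitted)
{
    return is_string($submitted)
        && isset($session['csrf_token'])
        && hash_equals($session['csrf_token'], $submitted);
}

// Constructed demo: a genuine submission passes, a fabricated or missing token fails.
$session = [];
$form_token = csrf_token_for_session($session);
var_dump(csrf_check($session, $form_token));
var_dump(csrf_check($session, csrf_token_weak()));
var_dump(csrf_check($session, null));
```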
