0

I wrote some code, but now I don't know which version is the better one. Is there any possibility that, because of the 1st version, my code is vulnerable?

Version 1:

$destination = $_POST['var'];
$destination = strip_tags(trim($destination));

Version 2:

$destination = strip_tags(trim($_POST['var']));
3
  • 1
    On a side note: Personnaly, I'd trim after strip_tags, 'cause you may still end up with whitespace on either side after you removed tags from your already trimmed string (for instance, with <p> <-- see the space after > </p>. Commented Oct 4, 2010 at 18:21
  • good point.. but I gues it will work just fine for me as it is.. thanks! Commented Oct 4, 2010 at 18:26
  • I hope this escaping is not for database... Commented Oct 4, 2010 at 19:05

6 Answers

4

As neither strip_tags nor trim change the input string, there is absolutely no difference between the two versions.
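To make the accepted answer and the ordering remark in the question's comments concrete, here is an added example (not code from the question or any answer). It runs both versions side by side over a few constructed inputs standing in for $_POST['var'], and adds a third variant that trims after strip_tags() so the whitespace left behind by removed tags is visible. The function names and the $samples array are this example's own.

```php
<?php
// Added example: the two versions from the question are behaviourally
// identical, because neither trim() nor strip_tags() modifies its argument.
// Only the order of the two calls changes the result.

function sanitizeVersion1(string $input): string
{
    // Version 1 from the question: intermediate variable, then one call.
    $destination = $input;
    $destination = strip_tags(trim($destination));
    return $destination;
}

function sanitizeVersion2(string $input): string
{
    // Version 2 from the question: the same calls, nested directly.
    return strip_tags(trim($input));
}

function sanitizeTrimLast(string $input): string
{
    // Variant suggested in the comments: remove tags first, then trim the
    // whitespace that was sitting inside the outermost tags.
    return trim(strip_tags($input));
}

// Constructed inputs standing in for $_POST['var'].
$samples = [
    "  Paris  ",
    "<b>Paris</b>",
    "<p> Paris </p>",           // whitespace hidden inside the tags
    "\t<p>\n Paris \n</p>\t",
];

foreach ($samples as $sample) {
    $v1 = sanitizeVersion1($sample);
    $v2 = sanitizeVersion2($sample);
    $v3 = sanitizeTrimLast($sample);

    printf(
        "%-32s v1=%-14s v2=%-14s trim-last=%s\n",
        json_encode($sample),
        json_encode($v1),
        json_encode($v2),
        json_encode($v3)
    );

    // Versions 1 and 2 never differ; only the trim-last variant differs,
    // and only when whitespace sits inside the outermost tags.
    if ($v1 !== $v2) {
        throw new LogicException('versions 1 and 2 diverged unexpectedly');
    }
}
```

Run it with `php example.php`; the third and fourth samples are the ones where v1 and v2 keep leading and trailing spaces that the trim-last variant removes. Note that none of the three variants is an HTML-escaping step: strip_tags() removes markup, it does not make the remaining text safe to place inside an attribute or a script context, which is why the later answers ask what the value is being escaped for.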


0

They're both exactly the same.
What are you escaping the input for? Database? XSS?


0

Both snippets are exactly the same. Some people will say the first one is better for readability and some people will say the second one is better for conciseness.


0

Both of the versions mean the SAME; you can use either. In my opinion you must use filter_var to filter the input string...


0

Both versions are the same in terms of vulnerability. If injection is what you're worried about, you may want to include addslashes().

Which is better? Version 2 will actually benchmark a little faster. Setting a variable to another is just an unnecessary step in the process. I would suggest that version 1, while not technically wrong, is bad practice. Even though the resulting value is the same.


-2

Well, strip_tags can still be exploited. A slightly better solution might be the following:

$destination = htmlentities(trim($_POST['var']));

However this is still not enough, extra work should be done if the $_POST['var'] will go into the database.

Make sure that you understand what htmlentities() does exactly before implementing it in your code on a production level.

6 Comments

I read once a topic about this one... and someone said that it might corrupt the database if it is filled with &quot; etc., and I use mysql_real_escape_string too.
It's not going to "corrupt the database", but htmlentities() has absolutely nothing to do with input; it's only useful for escaping output.
The reason I suggested htmlentities() is when the input is being output from the database; strip_tags() will do nothing to prevent an XSS or other vulnerabilities in that case.
@Link- That doesn't make sense. Input does not come from the database via $_POST. Escaping HTML entities is important, but not on data going into the database. It should only be done with data coming from the database, immediately before it leaves your app via STDOUT.
@meagar: for one, htmlentities() serves as a multiple purpose input filtration. Not only does it help filter XSS but also reduces the risk of sql injection. for two, filtering the output after it leaves the database can still produce code insecurities (Think of log poisoning etc...). Filtering the output as it leaves the app is not practical either! Imagine outputting the data in diverse areas, you have to filter all of them?! That's not a very good practice is it?!
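The disagreement in the comments above (encode on input with htmlentities() versus escape at output) is easier to judge with a runnable illustration. The following is an added example, not code from the answer or the commenters. It stores the trimmed raw value through a PDO prepared statement, escapes it with htmlspecialchars() only when it is written into HTML, and then shows what encoding on input does to the stored data and to the page. It assumes the pdo_sqlite extension is available; $submitted is constructed input standing in for $_POST['var'], and escapeHtml() is this example's own helper.

```php
<?php
// Added example: keep stored data raw, escape at the HTML boundary.
// Uses an in-memory SQLite database so it runs without any server setup.

// Constructed input standing in for $_POST['var'].
$submitted = "  O'Brien & <b>Sons</b> \"Ltd\"  ";

// --- Input side: normalise and validate, but do not HTML-encode here ---
$destination = trim($submitted);
if ($destination === '' || mb_strlen($destination, 'UTF-8') > 100) {
    throw new InvalidArgumentException('destination must be 1-100 characters');
}

// --- Storage: a prepared statement handles quoting, so addslashes() is not needed ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE trips (id INTEGER PRIMARY KEY, destination TEXT NOT NULL)');

$insert = $pdo->prepare('INSERT INTO trips (destination) VALUES (:destination)');
$insert->execute([':destination' => $destination]);

// --- Output side: escape immediately before the value enters an HTML document ---
function escapeHtml(string $value): string
{
    // ENT_QUOTES escapes both quote styles, so the value is safe inside
    // double- and single-quoted attributes as well as in element text.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$stored = $pdo->query('SELECT destination FROM trips')->fetchColumn();

// The stored value is the user's text as typed (apostrophe, ampersand, tags
// and quotes intact); only the rendered HTML is escaped.
echo "Stored value    : ", $stored, "\n";
echo "HTML text node  : <td>", escapeHtml($stored), "</td>\n";
echo "HTML attribute  : <input value=\"", escapeHtml($stored), "\">\n";

// --- Anti-pattern from the answer above: encoding on input ---
$encodedOnInput = htmlentities($destination, ENT_QUOTES, 'UTF-8');

// What the database would hold: entity sequences such as &quot; and &amp;,
// which are wrong for every non-HTML consumer (JSON APIs, CSV exports, e-mail).
echo "Stored encoded  : ", $encodedOnInput, "\n";

// Output escaping is still required for every other field, and applying it
// to already-encoded data double-encodes: the page shows &amp;quot; literally.
echo "Double-encoded  : ", escapeHtml($encodedOnInput), "\n";
```

Run it with `php example.php`. The first block of output is the pattern meagar's comments describe; the last two lines show the concrete cost of the alternative: the database no longer contains what the user typed, and any template that escapes consistently will render the entity names instead of the characters. The prepared statement is also what addresses the "injection" concern raised in the other answers; addslashes() and mysql_real_escape_string() are not substitutes for parameterised queries.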
