In a PHP security tutorial, I have seen the following code and explanations.
<?php
$search = (isset($_GET['search']) ? $_GET['search'] : '');
?>

// This approach can obscure the fact that $search is tainted, particularly for inexperienced developers. Contrast this with the following:

<?php
$search = '';
if (isset($_GET['search'])) {
    $search = $_GET['search'];
}
?>

// This approach is identical, but one line in particular now draws much attention:

$search = $_GET['search'];

// Without altering the logic in any way, it is now more obvious whether $search is tainted and under what condition.
Here I am very confused, because both pieces of code are completely the same and do the same job. Also, I have seen the first approach in a lot of tutorials written by professionals. So my question is: what is the better approach from a security perspective? Also, what is the difference between the two approaches above? Please explain this as simply as possible. Thank you for any help.
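The tutorial's point is about readability, not about the two snippets behaving differently: the value is equally tainted either way, and what the second form buys you is that the one line where untrusted input enters the program is easy to find during review. The following is an added example, not code from the original post or from the tutorial it quotes. It extends the second form with what has to come next in any case, validation of the input and escaping or parameter binding at each point of use. The request data, the SQLite in-memory database and the product rows are constructed for the example.

```php
<?php
// Added example (not from the original post or the quoted tutorial).
// Constructed request data standing in for a real $_GET.
$_GET = ['search' => '<script>alert(1)</script> laptop'];

// Tainted: this block is the single place where untrusted input enters.
// Keeping the raw assignment on its own line is what the tutorial recommends.
$search = '';
if (isset($_GET['search'])) {
    $search = $_GET['search'];
}

// Validate before use. A query string such as ?search[]=x makes PHP hand
// back an array, so check the type as well as the length.
if (!is_string($search) || strlen($search) > 100) {
    $search = '';
}

// Use 1: HTML output. Escape for the HTML body context at the point of output.
$safeHtml = htmlspecialchars($search, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "<p>Results for: {$safeHtml}</p>\n";

// Use 2: database lookup. Bind the value instead of concatenating it into SQL.
// The database and rows here are constructed for the example.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO products (name) VALUES ('gaming laptop'), ('desk lamp')");

// Escape LIKE wildcards so user-supplied % and _ match literally.
$pattern = '%' . addcslashes($search, '%_\\') . '%';
$stmt = $pdo->prepare("SELECT id, name FROM products WHERE name LIKE ? ESCAPE '\\'");
$stmt->execute([$pattern]);

foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    // Data coming back from the database is escaped for HTML as well.
    echo '<li>' . htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</li>\n";
}
```

With the constructed input, the `<script>` tag is printed as inert text rather than interpreted by the browser, and the LIKE query matches nothing because the escaped pattern is searched for literally. The structure is the thing to take from the tutorial: one obvious entry point for tainted data, followed by a validation step and context-specific escaping or binding at every use, so a reviewer can check each of those steps in turn.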