For those who are unaware [PHP]

Thread starter (joined Feb 18, 2012; 779 messages; 247 reaction score)

I must refer you to this, as I see a lot of people using old functions and insecure data-receiving.

Essentially it's a new way of securing POST and GET data in PHP 5.2

E.g.:
PHP:
<?php
// INPUT_GET selects the request's GET data; FILTER_UNSAFE_RAW returns the
// value as sent, so validate or encode it for its output context before use.
$unfiltered_data = filter_input(INPUT_GET, 'unfiltered_data', FILTER_UNSAFE_RAW);
?>

I just wanted to post this so someone could learn something.
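The post above shows only `FILTER_UNSAFE_RAW`, which returns the value unchanged, so the protection comes from which filter you choose. The following is an added example (not code from the thread) that applies the validating filters to a constructed query array via `filter_var()`; `filter_input(INPUT_GET, ...)` applies exactly the same filters to the live request, but reads nothing when run from the CLI. The parameter names and the sample values are made up for the demonstration.

```php
<?php
// Added example: validating request parameters with the filter extension.
// filter_var() is used on a constructed array so the script runs offline;
// in a web request the same filters are applied with filter_input(INPUT_GET, ...).

declare(strict_types=1);

// Constructed sample input, shaped like $_GET after PHP has parsed ?id=42&page=-3&...
$query = [
    'id'    => '42',
    'page'  => '-3',
    'email' => 'not-an-email',
    'name'  => '<script>alert(1)</script>',
];

function read_int(array $src, string $key, int $min, int $max): ?int
{
    // FILTER_VALIDATE_INT rejects anything that is not an integer inside the
    // range. FILTER_NULL_ON_FAILURE makes a missing key and an invalid value
    // look the same to the caller: both come back as null.
    return filter_var(
        $src[$key] ?? null,
        FILTER_VALIDATE_INT,
        [
            'options' => ['min_range' => $min, 'max_range' => $max],
            'flags'   => FILTER_NULL_ON_FAILURE,
        ]
    );
}

function read_email(array $src, string $key): ?string
{
    // Syntax validation only: a well-formed address is not a verified one.
    return filter_var($src[$key] ?? null, FILTER_VALIDATE_EMAIL, FILTER_NULL_ON_FAILURE);
}

function read_raw(array $src, string $key): ?string
{
    // FILTER_UNSAFE_RAW is the filter used in the original post. It performs
    // no validation and no escaping: the string is returned exactly as sent.
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;
    }
    return (string) filter_var($src[$key], FILTER_UNSAFE_RAW);
}

$id    = read_int($query, 'id', 1, PHP_INT_MAX);
$page  = read_int($query, 'page', 1, 1000);   // -3 is below min_range, so it is rejected
$email = read_email($query, 'email');         // fails syntax validation
$name  = read_raw($query, 'name');            // script tag comes back untouched

echo 'id=', var_export($id, true),
     ' page=', var_export($page, true),
     ' email=', var_export($email, true), PHP_EOL;

// Raw values are made safe at the point of use, by encoding for that output
// context. For HTML that is htmlspecialchars(), not a filter at read time.
echo 'name for HTML: ', htmlspecialchars($name ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), PHP_EOL;
```

The split is deliberate: validate on the way in (types, ranges, formats) and encode on the way out for the specific sink (HTML, SQL parameter, shell argument). A raw filter does neither, which is why it is a starting point rather than a security measure.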
 
ex visor, Loyal Member (joined May 17, 2007; 2,741 messages; 937 reaction score)
I suppose, but MySQLi poses anti-injection all the way with prepared statements.
I think that is honestly the way to go, tbh.
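Prepared statements work because the SQL text is compiled before the user's value is supplied, so the value can never change the statement's structure. As an added example (not code from the thread), here is the same account lookup written both ways with MySQLi. The connection parameters are placeholders, and the `accounts` table with `id` and `username` columns is assumed for the illustration.

```php
<?php
// Added example: string concatenation versus a MySQLi prepared statement.
// Table/columns are assumed; connection details below are placeholders.

declare(strict_types=1);

// Throw exceptions on MySQL errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Vulnerable form: the value becomes part of the SQL text, so the database
// parses whatever the client sent as SQL. Kept here only for comparison.
function find_account_unsafe(mysqli $db, string $username): ?array
{
    $sql = "SELECT id, username FROM accounts WHERE username = '" . $username . "'";
    $row = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

// Safe form: the statement is prepared with a placeholder, then the value is
// bound and sent separately. It is always treated as data, never as SQL.
function find_account(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM accounts WHERE username = ?');
    $stmt->bind_param('s', $username);          // 's' = bind as string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();  // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Placeholder connection values; replace with real ones for your environment.
$db = new mysqli('db.example.invalid', 'app_user', 'PLACEHOLDER_PASSWORD', 'game');
$db->set_charset('utf8mb4');

$username = $argv[1] ?? 'demo_user';            // constructed CLI input
$row = find_account($db, $username);
echo $row === null ? 'no such account' : 'found account id ' . $row['id'], PHP_EOL;
```

Note that binding handles quoting and encoding for you, which is why the prepared form has no escaping call at all; the `set_charset()` call matters because escaping schemes that depend on the connection charset are a known source of mistakes when it is left unset.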
 
Thread starter (joined Feb 18, 2012; 779 messages; 247 reaction score)

> I suppose, but MySQLi poses anti-injection all the way with prepared statements.
> I think that is honestly the way to go, tbh.

Of course, but this is for most of the users here who are beginning.

I would just hope that people can start learning some decent security in their code.

Anyways, yes, you should look into MySQLi if you're looking for structured security.
 
Poster (joined May 23, 2008; 1,071 messages; 574 reaction score)

> I must refer you to this, as I see a lot of people using old functions and insecure data-receiving.
>
> Essentially it's a new way of securing POST and GET data in PHP 5.2
>
> E.g.:
> PHP:
> <?php
> $unfiltered_data = filter_input(INPUT_GET, 'unfiltered_data', FILTER_UNSAFE_RAW);
> ?>
>
> I just wanted to post this so someone could learn something.

Did some simple benchmarking of a few things.
PHP:
    // Average over 100,000 iterations: 10.5ms
    $a = $_GET['a'];
    
    // Average over 100,000 iterations: 27.6ms
    $a = htmlentities($_GET['a']);
    
    // Average over 100,000 iterations: 51.4ms
    $a = filter_input(INPUT_GET, 'a', FILTER_SANITIZE_STRING);
    
    // Average over 100,000 iterations: 56.8ms
    $a = filter_input(INPUT_GET, 'a', FILTER_UNSAFE_RAW);

Actual benchmark code:
PHP:
<?php
// microtime(true) returns a float number of seconds. Without the argument it
// returns a "msec sec" string, and subtracting two of those gives a wrong result.
$start = microtime(true);

// Request the script as ?a=something so that $_GET['a'] exists in every iteration.
for($i = 0; $i < 100000; $i++) {
    $a = $_GET['a'];
}

$end = microtime(true);

$result = round($end - $start, 4);
echo 'Time Elapsed: ' . $result;
?>
To get the numbers, I benchmarked each line separately 10 times to get the average. Converted the numbers, which were in seconds, to milliseconds.

I would rather use code that is quicker both in execution and when actually writing the code, wherein I can read it more easily and I and everyone else reading the code actually knows exactly how it is secured; not to mention some strings don't need, or perhaps will not work even correctly with certain types of supposed security.

/2cents
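For anyone who wants to repeat the comparison above, this is an added timing harness (not the poster's code): it uses the monotonic nanosecond clock `hrtime()` (PHP 7.3+) rather than `microtime()`, repeats each case a number of times, and reports both the mean and the fastest run, since the minimum is usually the more stable figure. `filter_var()` stands in for `filter_input()` so the script runs from the CLI, and `FILTER_SANITIZE_FULL_SPECIAL_CHARS` replaces `FILTER_SANITIZE_STRING`, which is deprecated as of PHP 8.1. The iteration counts and the 32-byte sample value are arbitrary choices.

```php
<?php
// Added example: a repeatable timing harness for the operations compared
// in the thread. Uses hrtime() for monotonic nanosecond timestamps.

declare(strict_types=1);

/**
 * Run $fn $iterations times, $runs times over, and return timing in ms.
 * Returning the values (rather than only printing) lets callers compare them.
 */
function bench(callable $fn, int $iterations, int $runs): array
{
    $times = [];
    for ($r = 0; $r < $runs; $r++) {
        $start = hrtime(true);                      // nanoseconds, monotonic
        for ($i = 0; $i < $iterations; $i++) {
            $fn();
        }
        $times[] = (hrtime(true) - $start) / 1e6;   // convert ns to ms
    }
    return [
        'mean_ms' => array_sum($times) / count($times),
        'min_ms'  => min($times),
    ];
}

// Constructed stand-in for $_GET; the CLI has no request to read.
$input = ['a' => str_repeat('x', 32)];

$cases = [
    'direct read'          => fn() => $input['a'],
    'htmlentities'         => fn() => htmlentities($input['a']),
    'SANITIZE_FULL_SPECIAL' => fn() => filter_var($input['a'], FILTER_SANITIZE_FULL_SPECIAL_CHARS),
    'UNSAFE_RAW'           => fn() => filter_var($input['a'], FILTER_UNSAFE_RAW),
    'VALIDATE_INT'         => fn() => filter_var($input['a'], FILTER_VALIDATE_INT),
];

// Warm-up pass so opcache / JIT state does not skew the first measured case.
foreach ($cases as $fn) {
    bench($fn, 1000, 1);
}

foreach ($cases as $label => $fn) {
    $t = bench($fn, 100000, 10);
    printf("%-22s mean %8.2f ms   min %8.2f ms\n", $label, $t['mean_ms'], $t['min_ms']);
}
```

Absolute numbers will differ by PHP version and machine; the point of the harness is that each case is measured the same way, with the same clock, so the relative ordering is trustworthy.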
 
Thread starter (joined Feb 18, 2012; 779 messages; 247 reaction score)
I see what you did there.
Thanks.
 