For whom are unaware [PHP]

**JaydenC** · 11-04-12

http://www.phparch.com/2010/07/never-use-_get-again/

I must refer you to this, as I see alot of people using old functions and insecure data-receiving.

Essentially its a new way of securing post and get data in PHP 5.2

EG :

PHP Code:


<?php
$unfiltered_data = filter_input(FILTER_GET, ‘unfiltered_data’, FILTER_UNSAFE_RAW);
?>

I just wanted to post this so someone could learn something.

**MentaL**

**Aaron** · 11-04-12

I suppose, but MySQLi poses anti-injection all the way with prepared statements.
I think that is honestly the way to go, tbh.

**JaydenC** · 11-04-12

Originally Posted by Aaron

I suppose, but MySQLi poses anti-injection all the way with prepared statements.
I think that is honestly the way to go, tbh.

Of course, But this is for most of the users here who are beginning.

I would just hope that people can start learning some decent security in there code.

Anyways, Yes you should look into MySQLi if your looking for structured security.

**TimeBomb** · 11-04-12

Originally Posted by </Jayden>

http://www.phparch.com/2010/07/never-use-_get-again/

I must refer you to this, as I see alot of people using old functions and insecure data-receiving.

Essentially its a new way of securing post and get data in PHP 5.2

EG :

PHP Code:


<?php
$unfiltered_data = filter_input(FILTER_GET, ‘unfiltered_data’, FILTER_UNSAFE_RAW);
?>

I just wanted to post this so someone could learn something.

Did some simple benchmarking of a few things.

PHP Code:


    // Average over 100,000 iterations: 10.5ms
    $a = $_GET['a'];
    
    // Average over 100,000 iterations: 27.6ms
    $a = htmlentities($_GET['a']);
    
    // Average over 100,000 iterations: 51.4ms
    $a = filter_input(INPUT_GET, 'a', FILTER_SANITIZE_STRING);
    
    // Average over 100,000 iterations: 56.8ms
    $a = filter_input(INPUT_GET, 'a', FILTER_UNSAFE_RAW);

Actual benchmark code:

PHP Code:


<?php
$start = microtime();

for($i = 0; $i < 100000; $i++) {
    $a = $_GET['a'];
}

$end = microtime();

$result = round($end - $start, 4);
echo 'Time Elapsed: ' . $result;
?>

To get the numbers, I benchmarked each line separately 10 times to get the average. Converted the number, which were in seconds, to milliseconds.

I would rather use code that is quicker both in execution and when actually writing the code, wherein I can read it more easily and I and everyone else reading the code actually knows exactly how it is secured; not to mention some strings don't need, or perhaps will not work even correctly with certain types of supposed security.

/2cents

**JaydenC** · 11-04-12

Originally Posted by timebomb

Did some simple benchmarking of a few things.

PHP Code:


    // Average over 100,000 iterations: 10.5ms
    $a = $_GET['a'];
    
    // Average over 100,000 iterations: 27.6ms
    $a = htmlentities($_GET['a']);
    
    // Average over 100,000 iterations: 51.4ms
    $a = filter_input(INPUT_GET, 'a', FILTER_SANITIZE_STRING);
    
    // Average over 100,000 iterations: 56.8ms
    $a = filter_input(INPUT_GET, 'a', FILTER_UNSAFE_RAW);

Actual benchmark code:

PHP Code:


<?php
$start = microtime();

for($i = 0; $i < 100000; $i++) {
    $a = $_GET['a'];
}

$end = microtime();

$result = round($end - $start, 4);
echo 'Time Elapsed: ' . $result;
?>

To get the numbers, I benchmarked each line separately 10 times to get the average. Converted the number, in seconds, to milliseconds.

I would rather use code that is quicker both in execution and when actually writing the code, wherein I can read it more easily and I and everyone else reading the code actually knows exactly how it is secured; not to mention some strings don't need, or perhaps will not work even correctly with certain types of supposed security.

/2cents

I see what you did there.
Thanks.

For whom are unaware [PHP]

Thread Tools

For whom are unaware [PHP]

Re: For whom are unaware [PHP]

Re: For whom are unaware [PHP]

Re: For whom are unaware [PHP]

Re: For whom are unaware [PHP]

Advertisement