[nycphp-talk] Promote Secure Coding
Gary Mort
garyamort at gmail.com
Wed May 21 13:30:05 EDT 2014
On 05/21/2014 01:14 PM, Chris Snyder wrote:
> Why use an anonymous function? That seems less readable than declaring
> function get( $varName ), and the explanation of anonymous functions
> distracts from your point, which is that you should always filter input.
To make it cut and pasteable without any thought.
File A:
$get = function($varName) {};
....lots of code in a file....
File B:
$get = function($varName) {};
include('filea.php');
Unbroken, usable code despite re-declaration. A little bit of extra memory will be used, but thats a small price to pay.
File A:
function get($varName) {};
....lots of code in a file....
File B:
function get($varName) {};
include('filea.php');
^^^^breaks because the function get is already declared
Also, quite honestly the point of documenting it is not to inform the new programmer. The point is that if this is posted to the internet somewhere[I submitted a first draft to www.phptherightway.com for example]
Then in articles on programming in PHP, instead of saying:
$myVar = $_GET['myvar'];
The author can instead say:
"Include these 4 lines at the top of your file for security. If you want to learn about it see ..."
And then they can write
$myVar = $get('myvar');
And any author or book written in 2015 or later which uses the super globals in example code can be justly ridiculed on the internet. :-)
More information about the talk
mailing list