
Thread: Security Risk?

  1. #1 Marshall (Full Member, joined May 2004, 69 posts)

    Security Risk?

    Normally when I code PHP I write things with interchanging quotes instead of breaking out of the quotes. Is this a security risk to the code and should I start breaking out of quotes instead of switching 'em? (examples below)

    Interchanging quotes:
    PHP Code:
    echo '<a href="blablabla">blablabla</a>';
    Breaking out:
    PHP Code:
    echo "<a href=\"blablabla\">blablabla</a>";

  2. #2 dzone (Full Member, joined Dec 2003, 75 posts)

    Marshall

    AFAIK there is no security risk unless you are using backticks (" ` "). The fact is that the backticks are also used as an alias for the exec() function, which allows you to run server jobs from the PHP scripts. This will run "bar" on the server:

    PHP Code:
    $foo = "/usr/bin/bar";
    echo `$foo`;
    Here is the quote from the Manual about the strings:

    Syntax
    A string literal can be specified in three different ways.

    single quoted
    double quoted
    heredoc syntax

    Single quoted

    The easiest way to specify a simple string is to enclose it in single quotes (the character ').

    To specify a literal single quote, you will need to escape it with a backslash (\), like in many other languages. If a backslash needs to occur before a single quote or at the end of the string, you need to double it. Note that if you try to escape any other character, the backslash will also be printed! So usually there is no need to escape the backslash itself.

    Note:
    Unlike the two other syntaxes, variables and escape sequences for special characters will not be expanded when they occur in single quoted strings.


    Double quoted
    If the string is enclosed in double-quotes ("), PHP understands more escape sequences for special characters:

    Table 2.1. Escaped characters
    sequence            meaning
    \n                  linefeed (LF or 0x0A (10) in ASCII)
    \r                  carriage return (CR or 0x0D (13) in ASCII)
    \t                  horizontal tab (HT or 0x09 (9) in ASCII)
    \\                  backslash
    \$                  dollar sign
    \"                  double-quote
    \[0-7]{1,3}         the sequence of characters matching the regular expression is a character in octal notation
    \x[0-9A-Fa-f]{1,2}  the sequence of characters matching the regular expression is a character in hexadecimal notation

    Again, if you try to escape any other character, the backslash will be printed too!

    But the most important feature of double-quoted strings is the fact that variable names will be expanded. See string parsing for details.
    So it turns out that the only difference is that the variables are not expanded in the single-quote case and fewer escape characters are parsed.

    If you have other concerns please share; I never thought about this before you asked...
    ------------------------------------
    [URL=http://www.dedicatedzone.com]Managed Dedicated Servers[/URL]
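The behaviours the reply above describes, side by side, as an added example that is not code from the thread: single quotes do not expand variables, double quotes do, and a backtick is only an operator outside a string literal, so switching quote styles around HTML is not by itself a risk. The value in $file is a constructed sample to show what escapeshellarg() does when a variable must reach a shell command.

```php
<?php
// Added example, not from the original thread.
$name = 'world';

// Single quotes: no variable expansion; \n stays a literal backslash and n.
echo 'Hello $name\n';          // prints: Hello $name\n
echo "\n";

// Double quotes: variables and escape sequences are expanded.
echo "Hello $name\n";          // prints: Hello world (then a newline)

// The two quoting styles from the question produce the same string.
$a = '<a href="blablabla">blablabla</a>';
$b = "<a href=\"blablabla\">blablabla</a>";
var_dump($a === $b);           // bool(true)

// A backtick inside a string literal is just a character: nothing is executed.
echo '`id`';                   // prints the literal text `id`
echo "\n";

// Only a bare backtick operator (or shell_exec()) hands text to the shell.
// If a variable ever has to go into such a command, wrap it with
// escapeshellarg() so shell metacharacters in its value are quoted.
$file = 'a.txt; echo hi';      // constructed value containing a shell metacharacter
$cmd  = 'ls -l ' . escapeshellarg($file);
echo $cmd, "\n";               // prints: ls -l 'a.txt; echo hi'
```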

  3. #3 Revenant (Active Member, joined May 2004, Chicago, IL US of A, 108 posts)

    I never knew that. Thanks a load guys... Have to go on and modify all my scripts now
    // Rev
    // Ivan Alfaro
    -- Professional Web Developer

  4. #4 dzone (Full Member, joined Dec 2003, 75 posts)

    Glad it helped someone
