PHP and MySQL coding tips [复制链接]

论坛徽章:
0
跳转到指定楼层
1 [收藏(0)] [报告]
Posted 2009-12-10 10:11
Strings
1) As a finesse thing, I use single quotes around strings whenever
possible (e.g. strings that don't contain variables, single quotes, \n,
etc.). This is supposed to make less work for the PHP parser.
If a value is a plain string with no variables in it, wrap it in single quotes.
For example: $varString = '纯字符串没有变量需要格外解析';  ---> good habit
             $varString = "这样做PHP需要格外的解析";      ---> bad habit
2) When an array variable isn't in a string, put quotes around string-literal keys so they are not regarded as constants:
// Good
echo $row[$key];
// Wrong: PHP first treats key as a constant and raises a Notice
echo $row[key];
// Correct
echo $row['key'];
// Also correct, but not good style
echo "Text: $row[key]";
// The usual way
echo "Text:" . $row['key'];
// Also fine
printf("Text:%s", $row['key']);
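Why the unquoted key is a real bug and not only a Notice, as an added example (constructed data, not code from the original post): once any constant named key exists, the lookup silently changes target.

```php
<?php
// Added example, not from the original post: why an unquoted key is a bug
// rather than just a Notice. Constructed data.
$row = ['key' => 'value stored under key', 'id' => 7];

// With no constant named `key`, PHP 5 falls back to the string 'key' and
// emits the Notice the post mentions; PHP 8 throws an Error instead.
// As soon as something defines a constant called key, the lookup silently
// changes target and no Notice is raised at all:
define('key', 'id');

var_dump($row[key]);      // reads $row['id'] because key is now a constant
var_dump($row['key']);    // the element that was meant
echo "Text: $row[key]\n"; // inside a double-quoted string the bare word is a key
```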

3) Remember, you can break out of PHP mode for large sections of HTML.
This is faster than echo'ing and you don't need to escape quotes.
Personally I avoid any code that looks like this:
        PHP Code: (when there are many string concatenations, such as a big block of HTML, this style is terrible, yet you see it all the time)

$something = 'this';
$something .= 'and this';
$something .= 'and this';
$something .= 'and this';
$something .= 'and this';
or this:
        PHP Code:

$something = 'this'
. 'and this'
. 'and this'
. 'and this'
. 'and this'
. 'and this'
. 'and this';
I much prefer the following:
        PHP Code: (fewer concatenation operations, but individual characters need escaping)

$something = 'this
and this
and this
and this';
Heredoc syntax
        PHP Code:

$string = <<<ENDOFSTRING
This is a string
(single or double quotes inside it don't matter at all!)
It can include both 'single' and "double" quotes
without needing to escape them. However, $variables
will still be interpolated as they are in double
quoted strings. Complex variable expressions such as
{$array['element']} or {$object->property} can also
be included and will be evaluated if they are included
in curly braces (they may work without curly braces
but I tend to include them for added clarity). The
string will terminate with whatever you specified
at the start like this:
ENDOFSTRING;
A useful use of str_replace():
        PHP Code:

$string = "The quick brown fox jumps over the lazy dog.";
$patterns[0] = "quick";
$patterns[1] = "brown";
$patterns[2] = "fox";
$replacements[0] = "slow";
$replacements[1] = "black";
$replacements[2] = "bear";
$string = str_replace($patterns, $replacements, $string);
// $string = "The slow black bear jumps over the lazy dog."
MySQL
Quick tips:
Never forget to use mysql_escape_string() when storing data into a database, to avoid SQL injection attacks:
        PHP Code:

$sql = "SELECT * FROM table WHERE username='";
$sql .= mysql_escape_string($username) . "'";
What are SQL injection attacks? (SQL injection attacks)
Remember that a malicious user can change any input to anything
(number, string, etc). Many sites have some type of user login
(username password) and they check it against a database of usernames
and passwords with a mysql query like this:
(Plenty of ill-intentioned people will tamper with the input to attack you; your site's login SQL probably looks something like this)
        PHP Code:

"SELECT COUNT(*) FROM USERLIST WHERE USER='$user' AND PASS='$password'";
If the result is 0, the login fails; if the result is 1, the
login passes. What would happen if $user contained "admin';#"? The
query would now read
        PHP Code:

"SELECT COUNT(*) FROM USERLIST WHERE USER='admin';# AND PASS='$password'";
The semicolon denotes the end of a query, and the # means the rest of
the line is a comment. Thus, it doesn't matter what password was
entered, the query returns 1 row - access granted.
Worse yet, what if user contained the string "';$query="DROP DATABASE db" (all data deleted):
        PHP Code: (this one is truly devious, the most destructive)

$query = "SELECT COUNT(*) FROM USERLIST WHERE USER='admin'";
$query = "DROP DATABASE db";
The easy way to prevent this is to use the mysql_escape_string()
function to prevent strings from breaking out of the query and doing
damage.
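The post's "admin';#" input replayed against the concatenated query and against a prepared statement, as an added example that is not part of the original post. The mysql_* functions the post uses were removed in PHP 7, so this uses PDO prepared statements, the mechanism that replaced escaping; it assumes the pdo_sqlite extension so it runs offline (against MySQL only the DSN changes), and the sample USERLIST row is constructed.

```php
<?php
// Added example, not from the original post. It replays the post's "admin';#"
// input against the concatenated query and against a prepared statement.
// Assumes the pdo_sqlite extension so it runs offline; against MySQL only the
// DSN in new PDO(...) changes, the prepared statement is identical.

// The vulnerable pattern quoted in the post: input pasted into the SQL text.
function buildLoginQueryUnsafe(string $user, string $password): string
{
    return "SELECT COUNT(*) FROM USERLIST WHERE USER='$user' AND PASS='$password'";
}

// Hardened: a placeholder marks where the value goes; the driver sends the
// value separately, so quotes, semicolons and '#' in it are never parsed as SQL.
function countLoginSafe(PDO $db, string $user, string $password): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM USERLIST WHERE USER = :u AND PASS = :p');
    $stmt->execute([':u' => $user, ':p' => $password]);
    return (int) $stmt->fetchColumn();
}

// Constructed sample database: one account, in memory. The post's schema keeps
// PASS in clear text; real code would store a password_hash() and compare that.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE USERLIST (USER TEXT NOT NULL, PASS TEXT NOT NULL)');
$db->exec("INSERT INTO USERLIST (USER, PASS) VALUES ('admin', 'correct horse')");

$attack = "admin';#";

// 1) Concatenation: the text of the statement is rewritten by the input.
//    On MySQL everything after # is a comment, so the password test vanishes.
echo "unsafe query: ", buildLoginQueryUnsafe($attack, 'anything'), "\n";

// 2) Prepared statement: the same input is just a username that does not exist,
//    so the count is 0; only the real credentials match the stored row.
printf("prepared, attack input as user: %d row(s)\n", countLoginSafe($db, $attack, 'anything'));
printf("prepared, real credentials:     %d row(s)\n", countLoginSafe($db, 'admin', 'correct horse'));
```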
Quotes around numeric data in queries
For numeric columns in MySQL, you shouldn't put quotes around any of
their values in queries. As our resident database guru, MattR, says,
"that is very non-standard and will only work on MySQL." But if it's
unknown data, how do you know that it's numeric and not letters that
will cause an error? You can make sure that only a number is used in
the query by first type-casting the data as int (or float for decimal numbers):
        PHP Code: (any variable used in SQL text must be sanitized first)

// If id is being passed in the URL
$id = (int) $_GET['id'];
$r = mysql_query("SELECT * FROM table WHERE id=$id");
Then even if id is set to "abc," the worst that can happen is a 0 will be used in the query. No quotes; no error.
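What the (int) cast actually does to a range of inputs, as an added example that is not from the original post; it also goes beyond the post with a stricter filter_var() check that rejects malformed ids instead of silently querying id=0 or a numeric prefix. Inputs are constructed; no database is needed.

```php
<?php
// Added example, not from the original post. Shows what the (int) cast from the
// post does to hostile-looking input, and a stricter check (going beyond the
// post) that rejects such input instead of silently querying id=0 or id=42.
// Constructed inputs; no database needed.

// The post's approach: cast, so the query text only ever contains an integer.
function idByCast(string $raw): int
{
    return (int) $raw;   // "abc" gives 0, "42abc" gives the numeric prefix 42
}

// Stricter: accept only a well-formed positive integer, otherwise null so the
// caller can reject the request rather than run a query for a guessed id.
function idValidated(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Constructed inputs, including the post's "abc" and its DROP DATABASE payload.
foreach (['42', 'abc', '42abc', '1;DROP DATABASE db', '0', '-7'] as $raw) {
    printf("%-22s cast=%-3d validated=%s\n",
        var_export($raw, true),
        idByCast($raw),
        var_export(idValidated($raw), true));
}
```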
For more details see here:
http://www.sitepoint.com/forums/showthread.php?t=456441
For articles on SQL security see:
http://articles.sitepoint.com/article/sql-injection-attacks-safe
This post comes from the ChinaUnix blog; for the original see: http://blog.chinaunix.net/u/10599/showart_2116107.html