PHP Classes
elePHPant
Icontem

Author has been a prolific contributor to PHPClasses, so I do...

Recommend this page to a friend!

      Gamify  >  All threads  >  Author has been a prolific...  >  (Un) Subscribe thread alerts  
Subject:Author has been a prolific...
Summary:Package rating comment
Messages:3
Author:Yakim
Date:2014-03-20 21:53:02
Update:2014-03-21 06:58:23
 

Yakim rated this package as follows:

Utility: Sufficient
Consistency: Sufficient
Examples: Bad

  1. Author has been a prolific...   Reply   Report abuse  
Yakim - 2014-03-20 21:53:02
Author has been a prolific contributor to PHPClasses, so I don't wish to "hurt his feelings" but...

This code exhibits BAD coding practices. Does the site staff not have a responsibility to review/reject submissions which lack attention to input validation? Do we not have a collective responsibility to perform peer review of submitted code and to press for "best practices"?

echo "some static string";
(example of unnecessary string eval)

db->insert($POST["unsanitized_string"]
(example of NOT ON _MY_ WATCH dammit)

echo "<option value='".$val["ID"]."'>".$val["level_name"]."</option>";
( Let's see.. should I use quot, or quotquot, or "quotey dot quotey" )

  2. Re: Author has been a prolific...   Reply   Report abuse  
Yakim - 2014-03-20 22:14:44 - In reply to message 1 from Yakim
I do want to "soften" my apparent criticism above by pointing out that I respect and appreciate the class author's website. It's been in my bookmarks list for several years.

http://webcodingeasy.com

  3. Re: Author has been a prolific...   Reply   Report abuse  
Arturs Sosins - 2014-03-21 06:58:23 - In reply to message 2 from Yakim
Hello Yakim

No hard feelings :)

Maybe you are right, but in my defense, I was using prepared queries, which by definition, does not require sanitizing:

"The purpose of prepared statements is to not include data in your SQL statements. Including them in your SQL statements is NOT safe. Always use prepared statements. They are cleaner to use (code easier to read) and not prone to SQL injections."

Maybe I missed something in the code?