jackmcdade · July 30, 2012 19:03
diff --git a/gistfile1.aw b/gistfile1.aw
 <?php

 // Bad
 $name = (!empty($_GET['name'])? $_GET['name'] : 'John');

 // Good 
 // Some basic sanitization. Make sure to clean further if inserting into database
 $name = (!empty($_GET['name'])? $_GET['name'] : 'John');
 $name = strip_tags($name);
 $name = htmlspecialchars($name, ENT_QUOTES);

 // Better
 // A helper method to fetch and clean at the same time, with a default fallback.
 function fetch_and_clean($var, $default) {
    if (isset($_GET[$var]) {
        return htmlspecialchars(strip_tags($name), ENT_QUOTES);
    }
    return $default;
 }

 $name = fetch_and_clean('name', 'John');
	<?php

	// Bad
	$name = (!empty($_GET['name'])? $_GET['name'] : 'John');

	// Good
	// Some basic sanitization. Make sure to clean further if inserting into database
	$name = (!empty($_GET['name'])? $_GET['name'] : 'John');
	$name = strip_tags($name);
	$name = htmlspecialchars($name, ENT_QUOTES);

	// Better
	// A helper method to fetch and clean at the same time, with a default fallback.
	function fetch_and_clean($var, $default) {
	if (isset($_GET[$var]) {
	return htmlspecialchars(strip_tags($name), ENT_QUOTES);
	}
	return $default;
	}

	$name = fetch_and_clean('name', 'John');