Subject: Author has been a prolific...
Summary: Package rating comment
Messages: 3
Author: Yakim
Date: 2014-03-20 21:53:02
Update: 2014-03-21 06:58:23
Yakim rated this package as follows:
Utility: Sufficient
Consistency: Sufficient
Examples: Bad
 Yakim - 2014-03-20 21:53:02
Author has been a prolific contributor to PHPClasses, so I don't wish to "hurt his feelings" but...
This code exhibits BAD coding practices. Does the site staff not have a responsibility to review/reject submissions which lack attention to input validation? Do we not have a collective responsibility to perform peer review of submitted code and to press for "best practices"?
echo "some static string";
(example of unnecessary string eval)
db->insert($POST["unsanitized_string"]
(example of NOT ON _MY_ WATCH dammit)
echo "<option value='".$val["ID"]."'>".$val["level_name"]."</option>";
(Let's see... should I use quot, or quotquot, or "quotey dot quotey")
 Yakim - 2014-03-20 22:14:44 - In reply to message 1 from Yakim
I do want to "soften" my apparent criticism above by pointing out that I respect and appreciate the class author's website. It's been in my bookmarks list for several years.
http://webcodingeasy.com
 Arturs Sosins - 2014-03-21 06:58:23 - In reply to message 2 from Yakim
Hello Yakim
No hard feelings :)
Maybe you are right, but in my defense, I was using prepared queries, which, by definition, do not require sanitizing:
"The purpose of prepared statements is to not include data in your SQL statements. Including them in your SQL statements is NOT safe. Always use prepared statements. They are cleaner to use (code easier to read) and not prone to SQL injections."
Maybe I missed something in the code?
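The two concerns raised in this thread are separate layers, and the following added example (not the package's code, and not written by either poster) shows both side by side: a PDO prepared statement keeps the submitted value out of the SQL text, while htmlspecialchars() keeps it out of the HTML markup when the same value is echoed back into an <option> tag. The in-memory SQLite connection and the $untrusted sample input are constructed for the demonstration and assume the pdo_sqlite extension is available.

```php
<?php
// Constructed sample connection; in-memory SQLite so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE levels (ID INTEGER PRIMARY KEY, level_name TEXT NOT NULL)');

/** Validate, then insert through a bound parameter (no string concatenation). */
function insertLevel(PDO $db, string $name): int
{
    // Validation is still the application's job: length and character-set
    // rules are business rules that a prepared statement knows nothing about.
    if ($name === '' || strlen($name) > 64) {
        throw new InvalidArgumentException('level_name must be 1-64 bytes');
    }
    // The SQL text never contains user data; the driver sends it separately.
    $stmt = $db->prepare('INSERT INTO levels (level_name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

/** Render <option> tags with every dynamic value escaped for its HTML context. */
function renderOptions(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT ID, level_name FROM levels ORDER BY ID') as $val) {
        // ENT_QUOTES escapes both ' and ", so the value is safe inside either
        // attribute quoting style as well as in element text.
        $id   = htmlspecialchars((string) $val['ID'], ENT_QUOTES, 'UTF-8');
        $name = htmlspecialchars($val['level_name'], ENT_QUOTES, 'UTF-8');
        // Single-quoted PHP string: no interpolation pass, and the HTML
        // attribute uses double quotes, so no quote juggling is needed.
        $html .= '<option value="' . $id . '">' . $name . '</option>' . PHP_EOL;
    }
    return $html;
}

// Constructed input standing in for $_POST['level_name']: a stray quote that
// would close the attribute if the value were echoed raw, as in the quoted line.
$untrusted = "Admin' title='x";
insertLevel($db, 'Guest');
insertLevel($db, $untrusted);
echo renderOptions($db);
```

The prepared statement alone would have stored the second value correctly, yet the original echo line would still have emitted it unescaped; the two fixes address different sinks.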