test question for PHP programmers

Posted: Mon Jul 16, 2007 8:26 pm
by mayafishing
Hi everyone, I got this question when applying for a PHP programmer position.


Question:

Check out the following code and make suggestions on how to improve it based on concerns from Security, Compatibility and Efficiency:

<?
echo("<p>The characters you have input are: " .$_GET['q'] . ".</p>");
?>


Anyone up to the challenge?

Posted: Mon Jul 16, 2007 8:34 pm
by Chalks
Well, using $_GET puts the data in the address bar, so... probably not too safe for passwords and such. As for efficiency, I generally assign a $_GET or $_POST variable to a different variable so that I don't keep having to type the whole long thing. Also I'm not sure, but I'm guessing that every time you use the $_GET key, it has to go and pull that variable again (maybe not... I don't know, verification please?), basically, I treat it like a function that I only want to call once, not 50 times. Also also, I'm not sure if this is an issue or not (yes, I'm new to php), but if I typed "<? code ?>", I would feel bad for not typing the php in there. :(

Posted: Mon Jul 16, 2007 10:26 pm
by GuitarheadCA
I would surround the value with the htmlspecialchars() function. This would prevent any cross-site scripting. Thus if a user typed in any tags or Javascript, it would not be executed, but rather it would be displayed.
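As an added example (not code posted in this thread), here is a hardened version of the snippet from the question that applies the points raised by Chalks and GuitarheadCA: the full `<?php` tag for compatibility, reading `$_GET['q']` once into a local variable, and escaping the value with htmlspecialchars() before it reaches the HTML. The helper names query_param() and render_echo() are my own.

```php
<?php
// Added example, not code from the thread. Hardened version of the
// snippet in the question; helper names are my own.

/**
 * Read one query parameter as a string, or null when absent or not a
 * scalar (a request such as ?q[]=x makes $_GET['q'] an array, which
 * would make htmlspecialchars() raise a TypeError on PHP 8).
 */
function query_param(array $get, string $key): ?string
{
    if (!isset($get[$key]) || !is_scalar($get[$key])) {
        return null;
    }
    return (string) $get[$key];
}

/**
 * Build the response fragment. The input is escaped for an HTML text
 * node: ENT_QUOTES also escapes single quotes, so the same helper is safe
 * inside attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 bytes
 * instead of returning an empty string.
 */
function render_echo(?string $q): string
{
    if ($q === null) {
        return "<p>No input received.</p>";
    }
    $safe = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>The characters you have input are: " . $safe . ".</p>";
}

// Declare the charset so the browser decodes the page as we escaped it.
if (!headers_sent()) {
    header('Content-Type: text/html; charset=UTF-8');
}

// Read $_GET once (Chalks' efficiency point) instead of re-indexing it.
$q = query_param($_GET, 'q');
echo render_echo($q), "\n";

// Self-check when run from the command line with a constructed payload:
// the tag must come back as text, never as markup.
if (PHP_SAPI === 'cli') {
    $out = render_echo('<script>alert(1)</script>');
    assert(strpos($out, '<script>') === false);
    echo $out, "\n";
}
```

Run it with `php file.php` from a shell to see the escaped output, or serve it and request `?q=<b>x</b>` to see the tags rendered literally.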

Posted: Mon Jul 16, 2007 11:06 pm
by feyd
Test answer: We won't do your homework.

We talk about your question quite often. XSS is a starting point.