#11
Thanks for bringing those up, NBS. As far as I can see,

1) Well, yeah, but in previous things where I've used this, there isn't any escaping in the first place.
2) Oops. :/ Might as well add that.
3) Hmm, I don't see why. Assuming the script always uses all of $_POST and $_GET (which it usually does), it needs to secure everything in them.
4) Well, that's a very valid point, only currently, there isn't anything in the script which requires this. I do get that this could be an issue in the future, but for now it's okay. xD

It mostly makes sense, though. I use this approach because I hate having to secure variables from forms before using them, because I inevitably end up forgetting about them. xP
#12
Quote:

Which is why I use a database class... :P

Quote:

NBS
#13
Sorry to double post, but just adding to my original post...

I have noticed the excessive use of mysql_result. Perhaps it is because that is the only function that one may know, or one copies and pastes from the current script. In either case, it is pretty bad. mysql_result is not the best option in most cases, simply because its operation is resource intensive. In fact, its use is only recommended for SELECTing ONE column (from what I've gathered with colleagues). I highly recommend mysql_fetch_array. Look into it if you are interested.

Last thing, and I think this is a huge issue, is that so many people are suppressing errors, well, everywhere. This is extremely bad practice. Seriously, if you are that paranoid about an error showing, then create an error handler...? It is bad practice, besides the obvious, because sometimes if you change the code that the suppressed line is dependent on, there is a good chance the interpreter will output a different error (and line number) than the one you were trying to ignore. Then how do you find out what is wrong?

Just my two cents.

NBS
#14
We're already doing our best to switch to mysql_fetch_array - the problem with this kind of feedback (it's just a minor problem, but still) is that we're working on a really updated version behind the scenes and so it's hard to know what we have and haven't done. :/
Anyway, an error handler does sound like a good idea. I'll look into that soon (or if anyone else on the dev team feels like it, then they can).
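
The error handler discussed in the posts above, as an added example that is not part of the thread or the project's own code: one central handler logs every warning with its file and line (including ones hidden behind `@`) and shows visitors only a generic message. The log path `LOG_FILE`, the helper `log_line` and the missing-file path are assumptions made for illustration.

```php
<?php
// Added example (not the project's code): central error handling instead of "@".
// LOG_FILE is an assumed path; point it at a file outside the web root.
const LOG_FILE = '/tmp/app-errors.log';

// Never print raw errors to visitors, but report everything to the handler.
ini_set('display_errors', '0');
error_reporting(E_ALL);

// Hypothetical helper: one log line per error, with file and line number.
function log_line(string $kind, string $msg, string $file, int $line): void
{
    $entry = sprintf("[%s] %s: %s in %s:%d\n", date('c'), $kind, $msg, $file, $line);
    error_log($entry, 3, LOG_FILE);   // message type 3 appends to the given file
}

// PHP calls this handler even for "@"-suppressed statements, so the log
// always records where a warning really came from.
set_error_handler(function (int $severity, string $msg, string $file, int $line): bool {
    log_line('php-error', $msg, $file, $line);
    if (!(error_reporting() & $severity)) {
        return false;   // level is masked (for example by "@"): logged, not thrown
    }
    // Unsuppressed warnings become exceptions so a failed call cannot be ignored.
    throw new ErrorException($msg, 0, $severity, $file, $line);
});

// Last line of defence: anything uncaught is logged and the visitor sees
// a generic message with no paths, queries or stack traces.
set_exception_handler(function (Throwable $e): void {
    log_line(get_class($e), $e->getMessage(), $e->getFile(), $e->getLine());
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo "Something went wrong. The error has been logged.\n";
});

// Constructed demonstration: reading a file that does not exist raises
// E_WARNING, which arrives here as an ErrorException with file and line.
try {
    $data = file_get_contents('/nonexistent/constructed-example.txt');
} catch (ErrorException $e) {
    echo "Caught at line ", $e->getLine(), ": ", $e->getMessage(), "\n";
}
```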