Where to talk about style?

Discussion corner for Developers of Serendipity.
francisco
Regular
Posts: 42
Joined: Thu Jul 21, 2005 9:33 pm


Post by francisco »

Where should one provide feedback on code style?
The forum or the list?

Does it make a difference if the comment is on a plugin?

Have been spending time with the code of the static page plugin. Saw some code which I think should be different. Also think that this type of change should be widespread... not only in the plugin.

In the meantime... while I find the right place... the comments.

In serendipity_event_staticpage there is code like


$q = "SELECT *
                FROM {$serendipity['dbPrefix']}staticpages
               WHERE id = " . (int)$id . "
               LIMIT 1";
The id column in the database is an integer. I don't understand why there is a need to cast the variable $id as an integer. It should be used/carried as an integer all along, so why the cast?

In general shouldn't variables be used/carried as the data type they will end up in the database?
wesley
Regular
Posts: 197
Joined: Sun Jul 10, 2005 11:15 am

Post by wesley »

Code style? If it's about the code, it should be either in here or in Plugins.
If it's about style, it should be in Themes.

I guess you meant coding style, so you came to the right place.
I make s9y plugins, too.
My s9y blog depends on them. :)
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

We use that (int) casting to be absolutely sure that only integers get used there. This is to remove the chance of SQL injection attacks, where one might be able to force non-integer values into the SQL.

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
francisco
Regular
Posts: 42
Joined: Thu Jul 21, 2005 9:33 pm

Post by francisco »

garvinhicking wrote: We use that (int) casting to be absolutely sure that only integers get used there.

Ok. Understand the idea.
Shouldn't this apply to the code only?
Don't quite understand why integer defaults were cast to integers... that is within the database itself and, in my opinion, cannot be affected by a hacker. Likely doesn't cause any harm... I was just curious.
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

I have adapted my coding style to require that (int) casting when dealing with unescaped integers, to be safe on the security side, so I might be using it in a couple of places where a hacker might not get to.

But it also helps API usage, so that people don't call the API with a string and raise SQL errors...

Regards,
Garvin
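As an added example, not code from this thread or the Serendipity project: what the (int) cast Garvin describes does to a handful of constructed request values, alongside a stricter check that rejects a non-integer id instead of silently coercing it to 0 (which also covers the point about API callers passing strings). The table prefix and function names are assumed for illustration.

```php
<?php
// Added example (not Serendipity code): the effect of the (int) cast from
// serendipity_event_staticpage, and a stricter validator beside it.

// Assumed prefix, mirroring $serendipity['dbPrefix'] in the plugin.
$serendipity = ['dbPrefix' => 'serendipity_'];

// The plugin's pattern: whatever string arrived from the request, the cast
// guarantees that only a bare integer literal is interpolated into the SQL.
function staticpage_query(array $serendipity, $id): string
{
    return "SELECT * FROM {$serendipity['dbPrefix']}staticpages"
         . " WHERE id = " . (int)$id . " LIMIT 1";
}

// Stricter alternative: accept only an int or a canonical digit string that
// is positive, so a malformed id is a rejected input rather than a silent 0.
function staticpage_id_or_null($id): ?int
{
    $looks_like_int = is_int($id) || (is_string($id) && ctype_digit($id));
    return ($looks_like_int && (int)$id > 0) ? (int)$id : null;
}

// Constructed sample values, as $_GET['id'] might deliver them.
$samples = ['7', '7abc', '7 OR 1=1', 'abc', ''];

foreach ($samples as $input) {
    echo "input:  " . var_export($input, true) . "\n";
    // The cast reduces every non-integer variant to 7 or 0; no SQL leaks in.
    echo "query:  " . staticpage_query($serendipity, $input) . "\n";
    $checked = staticpage_id_or_null($input);
    echo "strict: " . ($checked === null ? 'rejected' : $checked) . "\n\n";
}
```

Where the database layer offers bound parameters, those are preferable to interpolation; the cast remains a cheap guarantee for integer columns when a query string must be built by hand.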