<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>PHPDeveloper.org</title>
    <link>http://www.phpdeveloper.org</link>
    <description>Up-to-the Minute PHP News, views and community</description>
    <language>en-us</language>
    <pubDate>Sun, 06 Jul 2008 21:56:00 -0500</pubDate>
    <ttl>30</ttl>
    <item>
      <title><![CDATA[Mark Kimsal's Blog: Addslashes(): don't call it a comeback]]></title>
      <guid>http://www.phpdeveloper.org/news/10401</guid>
      <link>http://www.phpdeveloper.org/news/10401</link>
      <description><![CDATA[<p>
As <i>Michael Kimsal</i> <a href="http://michaelkimsal.com/blog/php-addslashes-alternatives-comparison/">points out</a>, there's a <a href="http://cognifty.com/index.php/blog.entry/id=6/addslashes_dont_call_it_a_comeback.html">new posting</a> on his brother <i>Mark</i>'s blog talking about alternatives to addslashes() in your applications.
</p>
<blockquote>
I've seen a lot of people talking about mysql_real_escape_string() vs addslashes() vs addcslashes(). There seems to be a lot of real confusion about what these functions do (even with the php.net manual around), especially when it comes to character sets. [...] So, I've decided to lay it all out in a few charts so there is no confusion about what each function does and how each can help protect against SQL injection attacks.
</blockquote>
<p>
He <a href="http://cognifty.com/index.php/blog.entry/id=6/addslashes_dont_call_it_a_comeback.html">ran some tests</a> on each function's behaviour against criteria such as "escapes with single quotes instead of backslash" and "prevents multi-byte attacks", compares the speed and testability of the functions, and provides a multi-byte breakdown of how mysql_real_escape_string() behaves with different character sets.
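</p>
<p>
As an added example, not code from Mark Kimsal's post, the block below shows at the byte level why addslashes() fails the "prevents multi-byte attacks" test and what to use instead. The probe bytes are constructed; findUserByName(), its users table and the mysqli connection it takes are assumptions, and the script needs PHP 7.1 or later with ext/mbstring and ext/mysqli.
</p>
```php
<?php
declare(strict_types=1);

// Added example (not code from Mark Kimsal's post). Needs ext/mbstring for
// the GBK view of the bytes and ext/mysqli for findUserByName().

/**
 * What addslashes() does to the classic multi-byte probe 0xBF 0x27.
 *
 * In GBK, 0xBF is a lead byte and 0x5C ("\") is a legal trail byte, so the
 * backslash that addslashes() inserts is absorbed into a two-byte character
 * and the single quote after it is left bare for the SQL parser.
 */
function addslashesMultibyteProbe(): array
{
    $input   = "\xbf\x27";          // constructed attacker input: GBK lead byte + "'"
    $escaped = addslashes($input);  // bytes BF 5C 27

    return [
        'escaped_hex'    => bin2hex($escaped),
        'gbk_char_count' => mb_strlen($escaped, 'GBK'),        // 2 characters, not 3
        'last_gbk_char'  => mb_substr($escaped, -1, 1, 'GBK'), // the quote, unescaped
        'as_utf8'        => mb_convert_encoding($escaped, 'UTF-8', 'GBK'),
    ];
}

/**
 * Hardened form: do not splice user data into SQL text at all. The value
 * travels as a bound parameter, so no charset trick can move the end of the
 * string literal. Assumes a live mysqli connection and a users(id, name) table.
 */
function findUserByName(mysqli $db, string $name): ?array
{
    // Keep the client library's idea of the charset in sync with the
    // connection. This is also what makes mysqli::real_escape_string()
    // charset-aware, should you still need it anywhere.
    $db->set_charset('utf8mb4');

    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($id, $foundName);

    $row = $stmt->fetch() ? ['id' => $id, 'name' => $foundName] : null;
    $stmt->close();

    return $row;
}

print_r(addslashesMultibyteProbe());
```
<p>
Running it shows addslashes() turning BF 27 into BF 5C 27, which a GBK connection reads as one two-byte character followed by a bare quote. Whether mysql_real_escape_string() does better depends on the client library knowing the connection charset, which is why set_charset() matters; a bound parameter removes the question entirely.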
</p>]]></description>
      <pubDate>Thu, 12 Jun 2008 13:36:20 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[Christopher Jones' Blog: PHP 5.3 "NOWDOCS" make SQL escaping easier]]></title>
      <guid>http://www.phpdeveloper.org/news/9633</guid>
      <link>http://www.phpdeveloper.org/news/9633</link>
      <description><![CDATA[<p>
<i>Christopher Jones</i> has <a href="http://blogs.oracle.com/opal/2008/02/13#a269">posted about</a> a feature in PHP 5.3 development that makes quoting SQL in scripts easier: nowdoc strings.
</p>
<blockquote>
Escaping quotes or other meta characters in SQL can be painful unless you get lucky with your quoting style. [...] Even with PHP's "Heredoc" syntax something will need escaping, but with PHP 5.3's new "Nowdoc" syntax no escaping is needed.
</blockquote>
<p>
The only syntactic difference between a heredoc and a nowdoc is that the opening identifier is written in single quotes (the first END in <<<'END' text here END;). Inside a nowdoc PHP performs no variable interpolation and no escape-sequence processing, so the body is taken literally and the complex quoting rules for SQL inside PHP strings become a thing of the past. This only eases quoting of the SQL you write in source; values that come from users still have to be bound as parameters rather than pasted into the statement.
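</p>
<p>
As an added example, not code from Christopher Jones's post, the block below puts the same statement in a heredoc and a nowdoc so the escaping difference is visible, then binds the one user-supplied value. It needs PHP 7.0 or later (nowdoc itself arrived in 5.3); the accounts table, the MySQL REGEXP syntax and the PDO connection are assumptions.
</p>
```php
<?php
declare(strict_types=1);

// Added example, not code from Christopher Jones's post. Needs PHP >= 5.3
// for nowdoc (7.0 for the type declarations); the accounts table and the
// MySQL REGEXP syntax are assumed for illustration.

/**
 * Heredoc behaves like a double-quoted string: a "$name" would be
 * interpolated, "\\d" collapses to "\d", and a literal dollar sign has to be
 * written "\$". Get one of those wrong and the SQL silently changes.
 */
function heredocQuery(): string
{
    return <<<SQL
SELECT id FROM accounts
 WHERE status = :status
   AND label REGEXP '^[A-Z]\\d+\$'
SQL;
}

/**
 * Nowdoc: the opening identifier is quoted (<<<'SQL') and the body is taken
 * verbatim. No interpolation, no escape processing, so the statement reads
 * exactly as you would type it at the mysql prompt.
 */
function nowdocQuery(): string
{
    return <<<'SQL'
SELECT id FROM accounts
 WHERE status = :status
   AND label REGEXP '^[A-Z]\d+$'
SQL;
}

/**
 * Nowdoc only removes the PHP-level quoting burden. A user-supplied value is
 * still sent separately, here through a PDO placeholder, never pasted into
 * the SQL text. Assumes a live PDO connection.
 */
function accountIdsWithStatus(PDO $db, string $status): array
{
    $stmt = $db->prepare(nowdocQuery());
    $stmt->execute([':status' => $status]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Both functions yield byte-identical SQL; only the nowdoc needed no escaping.
var_dump(heredocQuery() === nowdocQuery());
```
<p>
The heredoc version needs a doubled backslash and an escaped dollar sign to come out the same as the nowdoc, which is exactly the kind of quoting slip that turns a regexp or a LIKE pattern into something else at runtime.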
</p>]]></description>
      <pubDate>Thu, 14 Feb 2008 11:18:00 -0600</pubDate>
    </item>
    <item>
      <title><![CDATA[Rob Allen's Blog: A View Stream with Zend_View]]></title>
      <guid>http://www.phpdeveloper.org/news/9581</guid>
      <link>http://www.phpdeveloper.org/news/9581</link>
      <description><![CDATA[<p>
<i>Rob Allen</i> has <a href="http://akrabat.com/2008/02/05/a-view-stream-with-zend_view/">posted about</a> a small modification he made to his Zend Framework setup that makes echoing information out to the view layer of an application a little safer.
</p>
<blockquote>
One of my biggest issues with using PHP as the templating engine in View scripts is that the easiest way to echo a variable is the least secure. [...] So, I decided to leverage <a href="http://mikenaberezny.com/2006/02/19/symphony-templates-ruby-erb/">a post by Mike Naberezny</a> from a while ago about streams. The idea is all his; I just modified it to work with Zend Framework's Zend_View the way I wanted it to.
</blockquote>
<p>
His method uses a slightly different output format: instead of a plain echo, which prints the value unescaped, it uses the "@" sign as a shortcut for a call to escape(). He includes the code you'll need to make it work in your ZF install and explains it a bit, including where the real key lies: in the stream wrapper's stream_open() method.
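</p>
<p>
As an added example, a stand-alone version of the view-stream idea rather than Rob Allen's Akrabat code: a user stream wrapper whose stream_open() rewrites <?= @expr ?> into an escaped echo before PHP compiles the template. The rewrite rule, the view:// scheme, the View class and the template text are all assumptions made here (the template is a constructed sample held in memory), and the script needs PHP 7.4 or later.
</p>
```php
<?php
declare(strict_types=1);

// Added example: a stand-alone version of the view-stream idea Rob Allen
// describes, not his Akrabat code and not tied to Zend_View. The template
// text is a constructed sample held in memory so the script runs without
// files, a web server or a ZF install. Needs PHP 7.4+.

/**
 * Stream wrapper for view://<name>. stream_open() is where the trick lives:
 * it rewrites every "<?= @expr ?>" in the template into a call to the view's
 * escape() before PHP compiles the script, so the shortest way to echo a
 * value is also the escaped one.
 */
final class EscapingViewStream
{
    /** @var array<string,string> constructed sample templates keyed by name */
    public static array $templates = [];

    public $context;               // populated by PHP for every stream wrapper
    private string $source = '';
    private int $position = 0;

    public function stream_open($path, $mode, $options, &$openedPath): bool
    {
        $name = substr($path, strlen('view://'));
        if (!isset(self::$templates[$name])) {
            return false;
        }
        $this->source = preg_replace_callback(
            '/<\?=\s*@(.+?)\s*\?>/s',
            function (array $m): string {
                return '<?php echo $this->escape(' . $m[1] . '); ?>';
            },
            self::$templates[$name]
        );
        return true;
    }

    public function stream_read($count): string
    {
        $chunk = substr($this->source, $this->position, $count);
        $this->position += strlen($chunk);
        return $chunk;
    }

    public function stream_eof(): bool
    {
        return $this->position >= strlen($this->source);
    }

    public function stream_stat(): array
    {
        return ['size' => strlen($this->source)];
    }

    // include() asks for this on PHP 7.4+; returning false just declines.
    public function stream_set_option($option, $arg1, $arg2): bool
    {
        return false;
    }

    public function stream_close(): void
    {
    }
}

/** Minimal view object with the escape() and $this->var conventions Zend_View uses. */
final class View
{
    private array $vars = [];

    public function assign(string $name, $value): void
    {
        $this->vars[$name] = $value;
    }

    public function __get(string $name)
    {
        return $this->vars[$name] ?? null;
    }

    public function escape($value): string
    {
        return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }

    public function render(string $template): string
    {
        ob_start();
        include 'view://' . $template;   // $this inside the template is this View
        return ob_get_clean();
    }
}

stream_wrapper_register('view', EscapingViewStream::class);

// Constructed template: the "@" form is escaped, the plain echo is not.
EscapingViewStream::$templates['page.phtml'] =
    '<h1><?= @$this->title ?></h1>' . "\n"
    . '<p class="raw"><?php echo $this->trustedHtml; ?></p>' . "\n";

$view = new View();
$view->assign('title', '<script>alert(1)</script>');   // hostile input, gets escaped
$view->assign('trustedHtml', '<em>markup the app itself produced</em>');
echo $view->render('page.phtml');
```
<p>
The rewrite happens on the template source, not on the output, so the escaped form costs nothing at render time; the one thing to watch is that the plain <?php echo form stays available for markup you really do intend to emit raw, and a code review can grep for it.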
</p>]]></description>
      <pubDate>Thu, 07 Feb 2008 07:58:17 -0600</pubDate>
    </item>
    <item>
      <title><![CDATA[Zend Developer Zone: Integrating Smarty with the Zend Framework]]></title>
      <guid>http://www.phpdeveloper.org/news/5109</guid>
      <link>http://www.phpdeveloper.org/news/5109</link>
      <description><![CDATA[For anyone that's using or wanted to use Smarty in the future and has been looking into the Zend Framework, you might have hesitated until you know how to tie them both together. Well, wait no more! <a href="http://devzone.zend.com/node/view/id/120">This new post</a> from the Zend Developer Zone shows you exactly how.
<p>
<blockquote>
Inspired by this article I started to play around a bit to integrate the Smarty template engine into the Zend Framework. My ambition was to minimize the required code in the controller actions but stay close to the given Zend_View API. I also wanted to integrate the Smarty caching feature. Here is the code I came up with.
</blockquote>
<p>
He <a href="http://devzone.zend.com/node/view/id/120">sets up</a> a directory under his Zend library include path for the templates to live in and starts writing code. The first step is a class based on Zend_View_Abstract that sets the initial Smarty variables. He follows this up with several methods, _run(), assign() and escape(), before displaying the results with output(). 
<p>
Finally, he gives an example of how to use the class he's created to spit out a Smarty template with all of the data nicely in place.
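<p>
As an added example, not the Zend Developer Zone author's code, the block below is a Zend_View_Abstract adapter for Smarty written so that escaping is the default rather than something each template has to remember. It assumes Zend Framework 1.x, the Smarty 2 API and a compile directory writable by PHP; the paths in the usage comment are placeholders and RawHtml is a marker class introduced here.
```php
<?php
// Added example (not the Zend Developer Zone author's code). Assumes Zend
// Framework 1.x and the Smarty 2 API; directory paths are placeholders.

require_once 'Zend/View/Abstract.php';
require_once 'Smarty/Smarty.class.php';

/** Marker for the rare value a controller wants to reach the template unescaped. */
final class RawHtml
{
    public $html;

    public function __construct($html)
    {
        $this->html = $html;
    }
}

/**
 * Zend_View_Abstract adapter around Smarty that escapes by default: every
 * string assigned to the view goes through escape() before Smarty sees it,
 * so a {$var} in a template cannot forget to escape. Only values wrapped in
 * RawHtml are passed through as-is.
 */
class My_View_Smarty extends Zend_View_Abstract
{
    private $_smarty;

    public function __construct($compileDir, array $config = array())
    {
        parent::__construct($config);

        // Zend_View's default escaper is htmlspecialchars() with ENT_COMPAT,
        // which leaves single quotes alone; use ENT_QUOTES so attribute values
        // quoted either way are safe.
        $this->setEscape(array($this, 'escapeHtml'));

        $this->_smarty = new Smarty();
        $this->_smarty->compile_dir = $compileDir;   // must be writable by PHP
        $this->_smarty->caching     = false;         // turn on per action if wanted
    }

    public function escapeHtml($value)
    {
        return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }

    /** Zend_View_Abstract::render() calls this with the resolved script path. */
    protected function _run()
    {
        $template = func_get_arg(0);

        // Assigned variables are the view's public properties; everything
        // Zend_View_Abstract keeps for itself starts with an underscore.
        foreach (get_object_vars($this) as $name => $value) {
            if ($name[0] !== '_') {
                $this->_smarty->assign($name, $this->_escapeDeep($value));
            }
        }

        echo $this->_smarty->fetch($template);
    }

    /** Escape strings recursively; numbers, booleans and RawHtml pass through. */
    private function _escapeDeep($value)
    {
        if ($value instanceof RawHtml) {
            return $value->html;
        }
        if (is_array($value)) {
            foreach ($value as $key => $item) {
                $value[$key] = $this->_escapeDeep($item);
            }
            return $value;
        }
        if (is_string($value)) {
            return $this->escape($value);
        }
        return $value;
    }
}

// From a controller action (paths and variables are placeholders):
// $view = new My_View_Smarty('/var/cache/smarty_compile');
// $view->setScriptPath(APPLICATION_PATH . '/views/scripts');
// $view->assign('title', $this->_getParam('q'));         // escaped automatically
// $view->assign('body', new RawHtml($renderedMarkdown)); // deliberately raw
// echo $view->render('index.tpl');                        // template uses {$title} and {$body}
```
<p>
Escaping on the way into Smarty, rather than relying on an |escape modifier in each template, keeps the unsafe case explicit: anything that reaches the template raw had to be wrapped in RawHtml by the controller, which is easy to find in review.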
<p>
More information on the Zend Framework can be found at <a href="http://framework.zend.com">framework.zend.com</a>, and information on Smarty at <a href="http://smarty.php.net/">smarty.php.net</a>]]></description>
      <pubDate>Wed, 05 Apr 2006 07:22:43 -0500</pubDate>
    </item>
  </channel>
</rss>
