
I don't know much about PHP, so forgive my ignorance. I am trying to have a parameter value entered in the Joomla admin area append a string to my Bootstrap container class, to change the page from a fixed to a fluid layout.

I am retrieving the value like this...

$conType = $this->params->get('conType','');

and then simply setting it as follows...

class="container<?php echo $conType; ?>"

However, I was worried (knowing very little about PHP) that this might be a security problem, since any value could be set as $conType. Is that a problem? If so, would this work instead...?

// Cast to int so anything non-numeric becomes 0
$conType = (int) $this->params->get('conType', '0');

if ($conType === 1)
{
 $conType = "-fluid"; // fluid layout
}
else
{
 $conType = ' '; // fixed layout: no suffix
}

And then just echo it again. Is that necessary? Is there a better way?

Techie
user2317093
  • It's always better to make sure the data you are using is what you expect. – JimL Sep 03 '13 at 14:56
  • You can also use htmlspecialchars() - read this post for more info: http://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars – Grant Sep 03 '13 at 15:05

1 Answer


Yes, this would work and is secure.

If $conType can be any parameter, it is important to escape it against XSS by using htmlentities():

echo htmlentities($conType);

The way you did it is even better, although it costs more effort. ;-)

Just remember to use htmlentities in future if you need escaping of many parameters and not just one small customization. And as a piece of advice, please inform yourself about PHP and security before continuing to develop PHP applications (if you are planning to). As a web developer (especially as a PHP developer), you really should know about topics like "XSS", "SQL Injection" and "CSRF". :-)

[As an alternative to htmlentities, there is htmlspecialchars, which encodes fewer characters; see htmlentities() vs. htmlspecialchars() for a comparison.]

Toni
  • Thank you, that's significantly added to my reading list for the day :-) – user2317093 Sep 03 '13 at 15:23
  • In general you want to use both HTML-escaping (on *all* output variables not explicitly meant to be markup), and input validation (for ensuring correctness more than as a security measure, though it helps there too). – bobince Sep 04 '13 at 10:23
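The two approaches discussed in the answer and in bobince's comment, side by side, as an added example (not code from the question, the answer, or Joomla): the whitelist from the question, which maps the admin parameter to a fixed set of class suffixes, and attribute escaping with htmlspecialchars(). The sample parameter values are constructed; the script does not touch Joomla's $this->params so it runs from the command line.

```php
<?php
// Added example. $samples below are constructed stand-ins for whatever an
// administrator stored in the 'conType' parameter; nothing here is Joomla code.

// Whitelist approach from the question: the parameter only selects one of a
// few known outputs, so no user-controlled bytes reach the markup at all.
function containerClass($rawValue): string
{
    $suffixes = [
        0 => '',        // fixed-width layout
        1 => '-fluid',  // fluid layout
    ];
    $key = (int) $rawValue;                 // anything non-numeric becomes 0
    return 'container' . ($suffixes[$key] ?? '');
}

// Escaping approach from the answer: keep the value but make it inert inside
// an HTML attribute. ENT_QUOTES also encodes the single quote, so the result
// is safe in both double- and single-quoted attributes; ENT_SUBSTITUTE keeps
// invalid UTF-8 from silently producing an empty string.
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample values: a legitimate setting, a literal suffix, and a
// value that tries to close the class attribute and start a new one.
$samples = [
    '1',
    '-fluid',
    '" onmouseover="alert(1)',
];

foreach ($samples as $value) {
    echo "raw value:    {$value}\n";
    echo "whitelisted:  class=\"" . containerClass($value) . "\"\n";
    echo "escaped only: class=\"container" . escapeAttr($value) . "\"\n";
    echo "unescaped:    class=\"container{$value}\"\n\n";
}

// htmlentities() versus htmlspecialchars(): both neutralise the characters
// that matter for markup (& < > " '); htmlentities() additionally encodes
// every character that has a named entity, which is unnecessary on a UTF-8
// page. Compare the two on a string with a non-ASCII letter and a tag.
echo htmlspecialchars('café <b>', ENT_QUOTES, 'UTF-8'), "\n";
echo htmlentities('café <b>', ENT_QUOTES, 'UTF-8'), "\n";
```

Running it shows the difference between the two defences: escaping keeps the third sample inside the attribute (the quote becomes &quot;), but the attacker-chosen text still lands in the class name, whereas the whitelist reduces every value to container or container-fluid. That is why the answer calls the question's approach "even better", and why the comment recommends validating input for correctness and escaping all output regardless.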