Google's PHP performance tips – What about security?

June 25, 2009

Today Travis Biehn posted a link to the Full Disclosure mailing list leading to Google's “PHP performance tips”.

Don’t copy variables for no reason.

Sometimes PHP novices attempt to make their code “cleaner” by copying predefined variables to variables with shorter names. What this actually results in is doubled memory consumption, and therefore, slow scripts. In the following example, imagine if a malicious user had inserted 512KB worth of characters into a textarea field. This would result in 1MB of memory being used!

$description = $_POST['description']; // copies the request value into a second variable
echo $description;

echo $_POST['description']; // reads the superglobal directly, no copy

My addition to it:

echo htmlspecialchars($_POST['description'], ENT_QUOTES); // escape untrusted input before it reaches the page
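As an added example (mine, not code from the original post or from Google's article), the same escaping applied through a small helper to a constructed input, rendered both in an element body and inside a single-quoted attribute, which is where ENT_QUOTES matters; the helper names and the sample input are assumptions:

```php
<?php
// Added example, not from the original post or Google's article.
// Shows why untrusted POST data must be escaped before it is echoed into HTML,
// and why ENT_QUOTES and an explicit charset belong in that call.

declare(strict_types=1);

/**
 * Escape a string for insertion into an HTML body or a quoted attribute.
 * ENT_QUOTES escapes both ' and " (the default ENT_COMPAT leaves ' alone,
 * which breaks out of single-quoted attributes). ENT_SUBSTITUTE replaces
 * invalid UTF-8 instead of returning an empty string. The charset is given
 * explicitly because PHP versions before 5.4 defaulted to ISO-8859-1.
 */
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the description field as a paragraph and as a form value. */
function renderDescription(string $description): string
{
    $safe = e($description);
    return "<p>{$safe}</p>\n"
         . "<input type='text' name='description' value='{$safe}'>\n";
}

// Constructed sample input standing in for $_POST['description'].
$sample = "<script>alert('x')</script>";

// What the unescaped echo from the post would send to the browser: the markup as-is.
$raw = "<p>{$sample}</p>\n";

// What the escaped version sends: &lt;script&gt;alert(&#039;x&#039;)&lt;/script&gt;
$escaped = renderDescription($sample);

// No tag or raw quote survives, so the browser renders it as plain text.
assert(strpos($escaped, '<script') === false);
assert(strpos($escaped, "'x'") === false);

echo "raw:\n", $raw, "escaped:\n", $escaped;
```

htmlspecialchars() covers HTML body and attribute contexts only; a value placed into a JavaScript string, a URL, or CSS needs the escaping rules of that context instead.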


