Posted by Bret Hughes on 09/29/69 11:08
On Tue, 2005-02-15 at 16:22, M. Sokolewicz wrote:
> > Chris.
> that's a different issue.
> There are always at least 2 things you should do with your (expected) input:
> 1 - check if it *exists* (isset)
> 2 - check the validity (input-validation)
>
> for step #2 empty is very commonly used, and also a very useful
> function. However, you should never do #2 without #1, since that again
> raises issues (of security, problems, unexpected input, etc)
>
> Also note that empty($non_existent_var) will always throw an E_NOTICE
> error when the variable in question is not set. isset() is the only
> function/language-construct that can check for the existence of
> variables without throwing an E_NOTICE.
This is not true and explicitly states so in the doc. I had to reread
it to remember why I stopped using it. empty will return true if the
value is one of several things "", "0", 0 to name a few. Since I do not
consider these empty I stick with isset and then test for a valid value
depending on the circumstance.
Personally, I think people piss and moan too much about what I consider
proper coding practices. Input validation is too important to skimp on.
Again it is my opinion.
I have been revisiting some php code that I wrote a couple of years ago
and have been pleasantly surprised at the job I did on input validation.
A similar complaint occurs when installing a new version of or moving
code to another box where register_globals is not on. I pissed and
moaned and wailed for about 10 minutes until I thought about it and can
now see the value in not having unknown variables pollute the namespace.
Of course, since most of my code was already validating the variables, a
few :s/\$\(var\)/\$_GET[\1]/ iterations and I was good to go. Yes it
took some time but I feel better having done it.
I just wish there was a use strict; sort of deal so I would not have to
hunt down logic errors due to mistyping a variable name.
Bret
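As an added illustration of the isset-then-validate pattern discussed above (example code written for this page, not code from either poster; `validated_input`, the `$is_id` rule and the sample request arrays are my own constructions standing in for `$_GET`):

```php
<?php
// Existence check first, then a caller-supplied validity rule, so that
// legitimate values such as "0" are kept even though empty("0") is true.

/**
 * Return the validated value of $name from $source, or null when the key
 * is absent or the value fails validation. Reading through isset() means
 * a missing key never produces an undefined-index notice.
 */
function validated_input(array $source, string $name, callable $validator)
{
    // Step 1: does the input exist at all?
    if (!isset($source[$name])) {
        return null;
    }
    // Step 2: is it valid? Decided by the caller's rule, not by empty().
    return $validator($source[$name]) ? $source[$name] : null;
}

// Validation rule for a non-negative integer id. "0" is a valid id here.
$is_id = function ($v) {
    return filter_var($v, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 0]]) !== false;
};

// Constructed sample requests, each standing in for one $_GET array.
$requests = [
    'missing' => [],
    'zero'    => ['id' => '0'],
    'valid'   => ['id' => '42'],
    'garbage' => ['id' => 'abc'],
    'blank'   => ['id' => ''],
];

foreach ($requests as $label => $get) {
    $id = validated_input($get, 'id', $is_id);
    // What empty() would have said about the same value, for comparison.
    $e  = array_key_exists('id', $get) ? var_export(empty($get['id']), true) : 'n/a';
    printf("%-8s validated=%-6s empty()=%s\n", $label, var_export($id, true), $e);
}
```

Note that the "zero" request passes validation while empty() reports it as empty, which is exactly the case that makes empty() unsuitable as a validity test for numeric ids.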