mica123 Posted March 27, 2017

Hello,

This chapter contains this tip: "One thing most beginner developers don’t realize is that it’s possible—in fact, quite easy—for a hacker to submit data to your PHP script without using your intended HTML form. For this reason, it’s important that you validate the existence of expected variables (i.e., that they are set), their type, and their values."

I take it that the example presented in Script 6.7 demonstrated how to validate the fields? So that there would be no need to use the function isset in this particular case for example?

Thank you.

mica123 (Author) Posted March 27, 2017

Sorry, I meant: no need to use the function isset here except for the terms checkbox. Thank you.

Larry Posted March 31, 2017

Good question! No, I would actually use isset() on all the POST variables before using empty() or doing other checks. Just a bit safer that way (well, it avoids errors).

nootkan Posted September 22, 2020

On 3/31/2017 at 11:52 AM, Larry said:
> Good question! No, I would actually use isset() on all the POST variables before using empty() or doing other checks. Just a bit safer that way (well, it avoids errors).

This is a little confusing for me. Are you saying that I should be using the following when validating the passwords for example?

    // Validate the password:
    if isset((empty($_POST['password']))) {
        print '<p class="error">Please enter your password.</p>';
        $okay = FALSE;
    }

    // Check the two passwords for equality:
    if isset(($_POST['password'] != $_POST['confirm'])) {
        print '<p class="error">Your confirmed password does not match the original password.</p>';
        $okay = FALSE;
    }

Larry Posted September 28, 2020

Thanks for the clarification. I may have overstated, or suggested using isset() too bluntly. It really depends upon the situation and how overly careful you may want to be. And what level of error reporting you have in place! If I recall correctly, empty() doesn't throw a warning if a variable isn't set, but I'd test that first (i.e., your first example is probably fine but maybe isset() isn't necessary). You could/should do isset() on $_POST['confirm'] before referencing it, but you can't do isset() on a condition, as you have in the second example.

Let me know if anything is still unclear!
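
The checks discussed in this thread, as an added example that is not from the book or from any poster: it records which check raises a diagnostic when 'confirm' is missing, then validates existence, type and value in that order. The validate_passwords() name and the sample arrays are constructed for illustration, and the strict !== comparison goes slightly beyond what the thread covers.

```php
<?php
// Added example; the arrays below are constructed stand-ins for $_POST.

// Collect every notice/warning so we can see which check raises one.
$raised = [];
set_error_handler(function (int $level, string $message) use (&$raised): bool {
    $raised[] = $message;
    return true; // handled; keep running
});

// A request sent without the form: 'confirm' is missing entirely.
$post = ['password' => 's3cret!'];
$isEmpty = empty($post['confirm']); // no diagnostic for a missing key
$afterEmpty = count($raised);
$differs = ($post['password'] != $post['confirm']); // reads a missing key
restore_error_handler();
printf("diagnostics after empty(): %d, after comparison: %d (%s)\n",
    $afterEmpty, count($raised), implode(' | ', $raised));

// Existence, then type, then value, in that order.
function validate_passwords(array $post): array
{
    foreach (['password', 'confirm'] as $field) {
        // isset() takes a variable, not a condition. A crafted request can
        // also send password[]=x, which arrives as an array.
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return ["Missing or malformed field: $field"];
        }
    }
    $errors = [];
    if ($post['password'] === '') {
        $errors[] = 'Please enter your password.';
    } elseif ($post['password'] !== $post['confirm']) {
        // !== rather than !=: PHP compares two numeric strings as numbers,
        // so '1e3' != '1000' is false.
        $errors[] = 'Your confirmed password does not match the original password.';
    }
    return $errors;
}

$samples = [
    'normal form post' => ['password' => 's3cret!', 'confirm' => 's3cret!'],
    'confirm omitted'  => ['password' => 's3cret!'],
    'array, not string' => ['password' => ['x'], 'confirm' => ['x']],
    'numeric strings'  => ['password' => '1e3', 'confirm' => '1000'],
];
foreach ($samples as $label => $post) {
    $errors = validate_passwords($post);
    echo $label, ': ', $errors ? implode('; ', $errors) : 'ok', PHP_EOL;
}
```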