Larry Ullman's Book Forums

Hello,

 

This chapter contains this tip: "One thing most beginner developers don’t realize is that it’s possible—in fact, quite easy—for a hacker to submit data to your PHP script without using your intended HTML form. For this reason, it’s important that you validate the existence of expected variables (i.e., that they are set), their type, and their values."

 

I take it that the example presented in Script 6.7 demonstrated how to validate the fields? So that there would be no need to use the function isset in this particular case for example?

 

Thank you.
 

  • 3 years later...
On 3/31/2017 at 11:52 AM, Larry said:

Good question! No, I would actually use isset() on all the POST variables before using empty() or doing other checks. Just a bit safer that way (well, it avoids errors). 

This is a little confusing for me.  Are you saying that I should be using the following when validating the passwords for example?

// Validate the password:
if isset((empty($_POST['password']))) {
	print '<p class="error">Please enter your password.</p>';
	$okay = FALSE;
}

// Check the two passwords for equality:
if isset(($_POST['password'] != $_POST['confirm'])) {
	print '<p class="error">Your confirmed password does not match the original password.</p>';
	$okay = FALSE;
}

 


Thanks for the clarification. I may have overstated, or suggested using isset() too bluntly. It really depends upon the situation and how overly careful you may want to be. And what level of error reporting you have in place! If I recall correctly, empty() doesn't throw a warning if a variable isn't set, but I'd test that first (i.e., your first example is probably fine but maybe isset() isn't necessary). 

You could/should do isset() on $_POST['confirm'] before referencing it, but you can't do isset() on a condition, as you have in the second example. 

Let me know if anything is still unclear!

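As an added example (not code from the book, from Larry, or from the poster above), here is the shape the two checks take once isset() is applied to the variables rather than to the condition: existence first, then type, then value, which is the order the chapter's tip lists. The field names $_POST['password'] and $_POST['confirm'] come from the posted snippet; the function name validate_passwords() and the sample inputs are assumptions made for this example. The sample inputs are constructed to stand in for $_POST, including the cases a hand-crafted request can produce that the form never would: a field left out entirely, and a field sent as an array (password[]=x).

```php
<?php
// Added example, not from the book or the thread. Validates the two password
// fields discussed above. validate_passwords() is a name chosen for this example.

function validate_passwords(array $post): array
{
    $errors = [];

    // A request built with curl or a script may omit a field entirely or send it
    // as an array, so check existence and type before looking at the value.
    // empty() would not warn on a missing key, but it also rejects the string
    // "0", so a strict comparison against '' is used for the value check here.
    if (!isset($post['password']) || !is_string($post['password'])
        || $post['password'] === '') {
        $errors[] = 'Please enter your password.';
    }

    // isset() goes on the variable, not around the comparison, and the
    // comparison itself is only reached once both fields are known to exist.
    // !== rather than != avoids PHP's loose numeric-string coercion
    // ("1e3" == "1000" is true with the loose operator).
    if (!isset($post['confirm']) || !is_string($post['confirm'])) {
        $errors[] = 'Please confirm your password.';
    } elseif (isset($post['password']) && $post['password'] !== $post['confirm']) {
        $errors[] = 'Your confirmed password does not match the original password.';
    }

    return $errors;
}

// Constructed stand-ins for $_POST: the intended form submission, a mismatch,
// a request with the confirm field removed, and one sending password as an array.
$cases = [
    'form'       => ['password' => 'secret', 'confirm' => 'secret'],
    'mismatch'   => ['password' => 'secret', 'confirm' => 'other'],
    'no_confirm' => ['password' => 'secret'],
    'array'      => ['password' => ['x'],    'confirm' => 'x'],
];

foreach ($cases as $name => $post) {
    $errors = validate_passwords($post);
    $okay   = empty($errors);
    printf("%-10s okay=%s %s\n", $name, $okay ? 'yes' : 'no', implode(' | ', $errors));
}
```

Run it from the command line with php and compare the four lines: only the 'form' case passes, and the 'array' case shows why the is_string() check matters, since otherwise the script would go on to print or compare an array where it expected a string.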
