mica123, posted March 27, 2017

Hello,

This chapter contains this tip:

"One thing most beginner developers don’t realize is that it’s possible—in fact, quite easy—for a hacker to submit data to your PHP script without using your intended HTML form. For this reason, it’s important that you validate the existence of expected variables (i.e., that they are set), their type, and their values."

I take it that the example presented in Script 6.7 demonstrated how to validate the fields? So that there would be no need to use the function isset in this particular case, for example?

Thank you.

mica123, posted March 27, 2017

Sorry, I meant: no need to use the function isset here except for the terms checkbox.

Thank you.

Larry, posted March 31, 2017

Good question! No, I would actually use isset() on all the POST variables before using empty() or doing other checks. Just a bit safer that way (well, it avoids errors).

nootkan, posted September 22, 2020

On 3/31/2017 at 11:52 AM, Larry said:
> Good question! No, I would actually use isset() on all the POST variables before using empty() or doing other checks. Just a bit safer that way (well, it avoids errors).

This is a little confusing for me. Are you saying that I should be using the following when validating the passwords, for example?

    // Validate the password:
    if isset((empty($_POST['password']))) {
        print '<p class="error">Please enter your password.</p>';
        $okay = FALSE;
    }

    // Check the two passwords for equality:
    if isset(($_POST['password'] != $_POST['confirm'])) {
        print '<p class="error">Your confirmed password does not match the original password.</p>';
        $okay = FALSE;
    }

Larry, posted September 28, 2020

Thanks for the clarification. I may have overstated, or suggested using isset() too bluntly. It really depends upon the situation and how overly careful you may want to be. And what level of error reporting you have in place!

If I recall correctly, empty() doesn't throw a warning if a variable isn't set, but I'd test that first (i.e., your first example is probably fine but maybe isset() isn't necessary).

You could/should do isset() on $_POST['confirm'] before referencing it, but you can't do isset() on a condition, as you have in the second example.

Let me know if anything is still unclear!
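
An added example, not code from the book or from any poster in this thread: one way to check existence, type and value for the password fields and the terms checkbox discussed above. The function name validate_passwords, the wording of the missing-field and terms messages, and the sample arrays are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not from the book or this thread.
// Returns a list of error messages; an empty list means the input is okay.
function validate_passwords(array $post): array
{
    $errors = [];

    // Existence and type: a request built without the form can omit a field
    // or send it as an array (password[]=x), so check both before use.
    foreach (['password', 'confirm'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[] = "The $field field is missing or is not a string.";
        }
    }
    if ($errors) {
        return $errors; // Nothing further can be compared safely.
    }

    // Value: empty() treats '' and '0' as empty, so compare against '' instead.
    if ($post['password'] === '') {
        $errors[] = 'Please enter your password.';
    }

    // isset() takes variables, not conditions; the comparison stands alone.
    if ($post['password'] !== $post['confirm']) {
        $errors[] = 'Your confirmed password does not match the original password.';
    }

    // The terms checkbox is absent from the request when unchecked.
    if (!isset($post['terms'])) {
        $errors[] = 'You must accept the terms.';
    }

    return $errors;
}

// Constructed sample inputs standing in for $_POST.
$samples = [
    'normal form post'   => ['password' => 'abc123', 'confirm' => 'abc123', 'terms' => 'Yes'],
    'confirm missing'    => ['password' => 'abc123', 'terms' => 'Yes'],
    'password as array'  => ['password' => ['x'], 'confirm' => 'x', 'terms' => 'Yes'],
    'mismatch, no terms' => ['password' => 'abc123', 'confirm' => 'abc124'],
];

foreach ($samples as $label => $post) {
    $errors = validate_passwords($post);
    echo $label, ': ', $errors ? implode(' | ', $errors) : 'okay', PHP_EOL;
}
```

In a real script the function would be called with $_POST, and $okay would be set from whether the returned list is empty.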