On Tue, 2005-02-15 at 16:22, M. Sokolewicz wrote:

> > Chris.
> that's a different issue.
> There are always at least 2 things you should do with your (expected) input:
> 1 - check if it *exists* (isset)
> 2 - check the validity (input-validation)
> 
> for step #2 empty is very commonly used, and also a very useful 
> function. However, you should never do #2 without #1, since that again 
> raises issues (of security, problems, unexpected input, etc)
> 
> Also note that empty($non_existent_var) will always throw an E_NOTICE 
> error when the variable in question is not set. isset() is the only 
> function/language-construct that can check for the existence of 
> variables without throwing an E_NOTICE.


This is not true, and the doc explicitly says so.  I had to reread
it to remember why I stopped using it.  empty will return true if the
value is one of several things: "", "0", 0, to name a few.  Since I do not
consider these empty I stick with isset and then test for a valid value
depending on the circumstance.

Personally, I think people piss and moan too much about what I consider
proper coding practices.  Input validation is too important to skimp on.
Again, it is my opinion.

I have been revisiting some php code that I wrote a couple of years ago
and have been pleasantly surprised at the job I did on input validation.

A similar complaint occurs when installing a new version of or moving
code to another box where register_globals is not on.  I pissed and
moaned and wailed for about 10 minutes until I thought about it and can
now see the value in not having unknown variables pollute the namespace.

Of course, since most of my code was already validating the variables, a
few :s/\$\(var\)/\$_GET[\1]/ iterations and I was good to go.  Yes it
took some time but I feel better having done it.

I just wish there was a use strict; sort of deal so I would not have to
hunt down logic errors due to mistyping a variable name.

Bret

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
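The isset-then-validate pattern discussed in this thread, as an added example that is not Bret's code or anything posted to the list. It assumes a page expecting an integer "id" and a short string "q" in $_GET, uses constructed sample requests in place of real query strings, and needs PHP 7 or later for the nullable return types (filter_var itself did not exist in the PHP 4/5.0 era the thread was written in).

```php
<?php
// Added example, not from the original thread. Shows that isset() and empty()
// answer different questions, and that validity checking should only run
// after existence checking. Parameter names "id" and "q" are assumed.

declare(strict_types=1);

// Constructed sample inputs standing in for $_GET across several requests.
$requests = [
    'missing'   => [],                                   // parameter absent
    'empty_str' => ['id' => ''],                         // present but empty
    'zero_str'  => ['id' => '0'],                        // legitimate value that empty() calls empty
    'valid'     => ['id' => '42', 'q' => 'php'],
    'hostile'   => ['id' => '42 OR 1=1', 'q' => str_repeat('A', 300)],
];

// Step 1: existence. isset() is quiet on a missing key and never reads it.
function has_param(array $input, string $name): bool
{
    return isset($input[$name]);
}

// Step 2: validity, performed only after step 1 confirmed the key exists.
// Returns the validated int, or null when absent or unacceptable.
function validated_id(array $input): ?int
{
    if (!has_param($input, 'id')) {
        return null; // absent: do not touch $input['id'] at all
    }
    // FILTER_VALIDATE_INT accepts "0" and "42", rejects "", "42 OR 1=1", "1e3".
    $id = filter_var($input['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $id === false ? null : $id;
}

function validated_query(array $input): ?string
{
    if (!has_param($input, 'q')) {
        return null;
    }
    $q = $input['q'];
    // Allow-list the character set and bound the length rather than deny-listing.
    if (!is_string($q) || strlen($q) > 64 || !preg_match('/\A[A-Za-z0-9 _.-]*\z/', $q)) {
        return null;
    }
    return $q;
}

foreach ($requests as $label => $get) {
    // empty() is true for a missing key and also for "", "0", 0, 0.0, "0"
    // so it cannot distinguish "not sent" from "sent the value zero".
    $emptyResult = empty($get['id']) ? 'empty' : 'not empty';
    $issetResult = isset($get['id']) ? 'set' : 'unset';
    $id = validated_id($get);
    $q  = validated_query($get);
    printf("%-10s isset=%-5s empty=%-9s id=%s q=%s\n",
        $label, $issetResult, $emptyResult,
        $id === null ? 'REJECT' : (string) $id,
        $q === null ? 'REJECT' : $q);
}
```

Running it shows the two cases that motivate the thread: the 'zero_str' request is reported as empty by empty() yet passes validation with id 0, while the 'hostile' request is "set" and "not empty" but is rejected by both validators. The existence check alone says nothing about safety, and empty() alone rejects legitimate input.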