PHP noob

Which could still be filling up the error log since empty on an unset index still files a silent error… which is why isset should be called first.

Empty will in fact allow undefined variables or undefined indexes, and return true (i.e. it’s empty as it doesn’t exist).

Very handy!

Check your php.log

I thought isset() was already being called on those vars - but it was checking the ‘submit’ var.

By the way, I thought checking for the existence of a submit button click was an unreliable test of the form being submitted because if the user fills in your form and presses ‘Enter’ the value of the submit button is not transmitted on all browsers (IE?).

Yes, of course without checking isset will be filling up your logfiles - but you really should be running on display_errors = on in a dev environment so that you see these things as you work.

So yes, check if the name is set, then trim it, then see if it is empty if you want.

Which really begs the question, if you are going to do that check then you might as well filter against what you will be claiming will be an acceptable name. If a is acceptable then, yes, trim/empty is a good enough check.


// note: empty() on a function result such as trim() needs PHP 5.5 or later
if( 
(isset($_POST['name']) && !empty(trim($_POST['name'])) )
&&  
( isset($_POST['email']) && !empty(trim($_POST['email'])) )
){
// now you can say your two form elements have been 
// submitted and that they both have something inside them
// which is more than a space - but could still be something nasty


}

instead of if (isset($_POST['submit']));

In practice though, many of us use JS to simply not permit the user to submit the form at all if certain minimum conditions have not been met. (not empty, name longer than 3 chars, email at least contains an @).

This is a usability win on the one hand - but given the nature of the web, this is of course dead easy to subvert (turn JS off, for example).

The JS checking has absolutely nothing to do with security.

Also isset($_POST['submit']) is bad anyway because of an IE problem with isset submit.

The point which I omitted to make after my short missal, was that if you have taken the trouble to do some cursory checking on the client using JS and you labelled your form up correctly - in order to detect whether the form was sent - you could simply check for the absence of one of your mandatory fields.


if( isset($_POST) && !isset($_POST['name']) ){

// the form was sent but was subverted somehow
// now fail early and tidily here without wrapping
// your entire logic in an if(){}else{} clause

header('Location: backtotheform.php');
exit();
}

// now do your security filtering ... which may in turn
// end up with you aborting when a filter fails...
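The server-side sequence discussed above (isset, then trim, then an emptiness check, then a filter for acceptable values), as an added example that is not part of the original thread. The function name `validate_contact`, the name pattern and the sample inputs are assumptions, and the syntax needs PHP 7.1 or later.

```php
<?php
// Added example: hypothetical helper, not code posted in the thread.
// Validates the two fields discussed above from any request array.
function validate_contact(array $post): array
{
    $errors = [];
    $clean  = [];

    // isset() first, so a missing index never raises a notice;
    // is_string() rejects name[]=x style array input before trim().
    foreach (['name', 'email'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[$field] = 'missing';
            continue;
        }
        $value = trim($post[$field]);
        // Compare with '' rather than empty(): empty('0') is true.
        if ($value === '') {
            $errors[$field] = 'blank';
            continue;
        }
        $clean[$field] = $value;
    }

    // Filter against what counts as acceptable, not just "non-empty".
    // The name rule (2-50 letters, spaces, ' . -) is an assumption.
    if (isset($clean['name']) && !preg_match("/^[\\p{L} '.-]{2,50}$/u", $clean['name'])) {
        $errors['name'] = 'invalid';
    }
    if (isset($clean['email']) && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid';
    }

    // Hand back cleaned values only when every check passed.
    return [$errors ? [] : $clean, $errors];
}

// Constructed sample inputs standing in for $_POST.
$samples = [
    ['name' => ' Ann ', 'email' => 'ann@example.com'],   // no submit key at all
    ['name' => '   ',   'email' => 'not-an-email'],      // whitespace-only name
    ['email' => 'bot@example.com'],                      // mandatory field absent
    ['name' => ['x'],   'email' => 'a@example.com'],     // array sent instead of string
];
foreach ($samples as $post) {
    [, $errors] = validate_contact($post);
    echo $errors ? json_encode($errors) : 'ok', PHP_EOL;
}
```

Because the function never looks at a submit key, it behaves the same whether the form was sent by a button click, the Enter key, or a script that skipped the client-side JS checks.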

I don’t have a php.log (I’m on Linux).

I checked my apache error log, there was nothing about any empty() calls on undefined variables/ indexes.

I even checked my syslog, again there was nothing about any empty() calls on undefined variables/ indexes.

Here’s my test script:


<?php
error_reporting(-1);
ini_set('display_errors', 'On');

$myVar = array();

var_dump(empty($myVar['test']));
var_dump(empty($non_existant_variable));
?>

Here’s the output:


boolean: true
boolean: true

I’m running with error_reporting -1 here, and when I execute this script


<?php
var_dump (empty($var1));
if ($var2==2) echo 'Hi!';

I get


boolean true

( ! ) Notice: Undefined variable: var2 in <snip/>\\empty.php on line 3
Call Stack
#	Time	Memory	Function	Location
1	0.0012	368312	{main}( )	..\\empty.php:0

So, empty does not give a notice, error, whatever.

As for the log


[Wed Aug 31 14:52:48 2011] [error] [client <snip/>] PHP Notice:  Undefined variable: var2 in <snip/>\\\\empty.php on line 3
[Wed Aug 31 14:52:48 2011] [error] [client <snip/>] PHP Stack trace:
[Wed Aug 31 14:52:48 2011] [error] [client <snip/>] PHP   1. {main}() <snip/>\\\\empty.php:

Nothing about the empty call in there either.

Or bots that don’t give a flying fig what’s actually on your HTML page for code, and just use a vague facsimile of your form to try and mass-submit.

… which is where a LOT of forms fail miserably.

Everything is now working, thanks again everyone.

I have one more issue I would like to get worked out. I have never joined two tables and am not sure how I would make this work. I have two tables in mysql, one named “log” and the other “admin_log”. “Log” has 5 columns (name, pin, adults, kids, time_in) and “admin_log” has 6 columns (name, pin, adults, kids, time_in, time_out). When a user signs in, how can I make it update both tables with only (name, pin, adults, kids, time_in) being affected in admin_log and then time_out only when the user signs out? I want all the data backed up in this admin log so we can go back and view all records at the end of the day. And the way I have it set up now is to delete the row in “log” when a user clocks out. So I never have two names in the database at the same time. Any ideas or an easier way to do this will be greatly appreciated.