Hi,
Do you think I should isset($variable) before I can use it?

For example:

<? if(isset($_POST['username'])){ ?>
<input class="form" type='text' maxlength='20' name='username' value="<? echo $_POST['username']; ?>" />
<? } ?>

or simply
<input class="form" type='text' maxlength='20' name='username' value="<? echo $_POST['username']; ?>" />

(This one will give an error if error reporting is on: undefined variable)

I wonder what the benefit is of checking whether the variable is set before using it? Or should I just turn error reporting off?

Any answer is highly appreciated!

    You can, but it may get tedious after a few variables. The only time I would really use it is if you are going to make an important calculation or use the variable for some other function of the script where, if it doesn't exist, you will get undesirable results. In the case of that form, I would just do
    <input class="form" type='text' maxlength='20' name='username' value="<? echo @$_POST['username']; ?>" />
    Putting the @ in front will just suppress any errors, if there are any, and that field value will just be blank.

      Do you think I should isset($variable) before I can use it?

      If $variable is an incoming variable, definitely.
      In fact, you should do more than just use isset() or empty(); you should also validate it with the ctype_* functions, the is_* functions, or a regex.
      If the variable is declared within your own script, then it depends.
      Generally your script should be well structured enough that you know when a variable exists and when it doesn't.

      I wonder what the benefit is of checking whether the variable is set before using it?

      The use of the $_* superglobal arrays with isset() or empty() helps to avoid variable poisoning.
      Validation helps to avoid malicious code injection and SQL injection, or plain rubbish data.

      or just turn the error report off?

      Keep error_reporting set to E_ALL and display_errors to On during development.
      For a production server, error_reporting should be set to some desirable level (E_ALL or E_ALL & ~E_NOTICE perhaps), while display_errors should be Off and error logging used instead.

        Thanks for the reply!

        The use of the $_* superglobal arrays with isset() or empty() helps to avoid variable poisoning.

        I wonder how variable poisoning happens? How can isset() and empty() avoid variable poisoning?

        Thanks!

          I wonder how variable poisoning happens?

          PHP does not require variable initialisation, so you can pretty much use a variable straight away, without having to explicitly set a value.
          Variable poisoning occurs when the variable is set to an unexpected value.
          This may allow an attacker to circumvent security measures, force execution of arbitrary commands, etc., depending on how serious the problem is.

          With register_globals set to On, this is more likely to happen, since a user might more easily be able to take advantage of sloppy coding that doesn't validate incoming variables, or uses variables without initialising them.

          Using isset() or empty() with incoming variables is part of initialising them.
          You confirm that the incoming variable exists, after which you can safely use it...
          Or not so safely, if you do not perform further validation and/or type-casting.
          If the variable does not exist, or is empty, then you can set some default value, or report/log an error to the user/administrator.
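The poisoning pattern described in this reply, as an added example that is not code from the thread. register_globals was removed in PHP 5.4, so the demo uses extract() on the request array, which copies request keys into local variables exactly the way register_globals=On used to. The authenticate() function, the admin page functions and the two requests are all constructed for this illustration.

```php
<?php
// Added example: uninitialised control variable poisoned through the request.
// extract() stands in for register_globals=On (removed in PHP 5.4).

// Constructed credential check; a real script would verify a stored password hash.
function authenticate(string $user, string $pass): bool
{
    return $user === 'alice' && $pass === 's3cret';
}

// Vulnerable: $authorized is never initialised. With register_globals=On a
// request of ?authorized=1 creates it before the check below ever runs.
function adminPageVulnerable(array $request): string
{
    extract($request);                      // what register_globals did for you
    if (isset($user, $pass) && authenticate($user, $pass)) {
        $authorized = true;
    }
    if (!empty($authorized)) {              // attacker-supplied '1' passes here
        return 'admin panel';
    }
    return 'login required';
}

// Fixed: initialise every control variable explicitly, read input only from the
// request array (the $_* superglobals in a real script) and isset() it first.
function adminPageFixed(array $request): string
{
    $authorized = false;                    // explicit initialisation
    $user = isset($request['user']) ? (string) $request['user'] : '';
    $pass = isset($request['pass']) ? (string) $request['pass'] : '';
    if ($user !== '' && $pass !== '' && authenticate($user, $pass)) {
        $authorized = true;
    }
    return $authorized ? 'admin panel' : 'login required';
}

// Constructed requests: one with no credentials but a poisoned flag, one legitimate.
$poisoned = ['authorized' => '1'];
$legit    = ['user' => 'alice', 'pass' => 's3cret'];

echo 'vulnerable, poisoned request: ', adminPageVulnerable($poisoned), "\n";
echo 'fixed, poisoned request:      ', adminPageFixed($poisoned), "\n";
echo 'fixed, legitimate request:    ', adminPageFixed($legit), "\n";
```

Run it with `php poison.php`: the vulnerable function lets the poisoned request through because extract() created $authorized from the request and the script only ever checked it, never set it. The fixed version returns "login required" for the same request, since $authorized starts as false and only the authenticated path can flip it.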

            Thanks for the explanation!
            One thing I am still confused about is, even if I use isset(), can they still put some poison script into the HTML form or through the query string?
            Thanks again!

              even if I use isset(), can they still put some poison script into the HTML form or through the query string?

              Yes, you need to perform further validation, type-casting, and/or transformation of the data into a safe form.

              For example, you could use htmlspecialchars() before displaying user-submitted text.
              You could check that a non-negative integer submitted really is one using ctype_digit().
              You could confirm that a string is numeric with is_numeric().
              And you can even use regular expressions to validate more complicated expressions.
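The validation steps listed in this reply applied to the form from the original question, as an added example (not code posted in the thread). The field names username, age and height, the regex for usernames and the sample $post array are all constructed for the illustration.

```php
<?php
// Added example: isset()/empty() for existence, then ctype_digit(), is_numeric()
// and a regex for validation, then htmlspecialchars() for safe re-display.

function validateForm(array $post): array
{
    $errors = [];
    $clean  = [];

    // Existence check first: an absent key must raise no notice and must not be trusted.
    $username = isset($post['username']) ? trim((string) $post['username']) : '';
    if ($username === '') {
        $errors['username'] = 'username is required';
    } elseif (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        $errors['username'] = 'username must be 3-20 letters, digits or underscores';
    } else {
        $clean['username'] = $username;
    }

    // Non-negative integer: ctype_digit() accepts only strings made of 0-9,
    // so "-5", "1.5" and "" are all rejected. Cast to string first, since
    // ctype_digit() on an int argument behaves differently.
    $age = isset($post['age']) ? (string) $post['age'] : '';
    if ($age === '' || !ctype_digit($age)) {
        $errors['age'] = 'age must be a whole number';
    } else {
        $clean['age'] = (int) $age;                 // type-cast only after validation
    }

    // Optional numeric field: empty() gives a default, is_numeric() allows decimals.
    $height = isset($post['height']) ? (string) $post['height'] : '';
    if ($height === '') {
        $clean['height'] = null;                    // default for a missing/empty field
    } elseif (!is_numeric($height)) {
        $errors['height'] = 'height must be numeric';
    } else {
        $clean['height'] = (float) $height;
    }

    return [$clean, $errors];
}

// Safe re-display of a submitted value inside an HTML attribute.
function fieldValue(array $post, string $name): string
{
    $raw = isset($post[$name]) ? (string) $post[$name] : '';
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Constructed submission: a script injection attempt in username and a bad age.
$post = [
    'username' => '"><script>alert(1)</script>',
    'age'      => '-5',
    'height'   => '1.75',
];

[$clean, $errors] = validateForm($post);
print_r($errors);
print_r($clean);

// The input field from the original question, rebuilt so that a missing key
// raises no notice and the raw value never lands unencoded in the attribute.
echo '<input class="form" type="text" maxlength="20" name="username" value="'
   . fieldValue($post, 'username') . '" />', "\n";
```

With the constructed $post, validateForm() reports errors for username and age and accepts only height, and the echoed input tag contains the quotes and angle brackets as HTML entities rather than a live script tag. The same functions handle a completely empty $post without notices, which is the case the original question was about.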

                Thanks for the explanations! It really helps me a lot!
