questions about comparisons in the PHP code base (Technics)

by danielb987, Monday, February 05, 2018, 15:57 (110 days ago) @ Auge

Hello

As second, I found many occurrences of comparisons in an if-else manner which are IMHO more readable as a ternary operation.

// I found as an example:
if (isset($_REQUEST['action'])) $action = $_REQUEST['action'];
else $action = 'main';

// IMHO better
$action = (isset($_REQUEST['action'])) ? $_REQUEST['action'] : 'main';

The ternary operator is in use at many places, but because of the development over (around) 10 years, the notation of such checks is very non-uniform. Is it worth the effort to comb through the scripts to replace the "old" with the "new" notation only for developers' better readability of the scripts and a few hundred or thousand bytes less code?

The phpBB forum has a method request_var, and the rest of the code base is not allowed to use $_REQUEST directly! I strongly recommend that you use the same principle. You don't need all the features that the phpBB version of "request_var" has, but two important things are that it forces you to have a default value (so you don't need to check that in every place) and it checks the type.

The reason is security. Using $_REQUEST directly may result in bugs, and those bugs are probably related to security. (If you handle user input badly you get a security hole.)

Once you have this method (or something like it) in place, you can simply search the code base for $_REQUEST and replace all of them. Yes, it's a lot of work, but it will make the code safer.

If you implement "request_var", there are two things you need:
* Force a default value so that the caller doesn't have to check the value.
* Check if the default value is an integer or a float. If that is the case, ensure that the value is an integer or a float, in order to protect from, for example, SQL injection.

Regards,
Daniel
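The following is an added example of the kind of helper Daniel describes, written for this page; it is not code from the forum's code base and not phpBB's actual request_var implementation. The function name request_var, the optional $source parameter (so the helper can be exercised on a constructed array instead of the live $_REQUEST), and the sample input are all assumptions made for the illustration. The point it shows is the two requirements from the post: the caller must supply a default, and the default's type decides how the raw request value is coerced, so a non-numeric string never reaches code that expects an integer.

```php
<?php
// Added example, not the forum's own code and not phpBB's request_var.
// request_var() and the $source parameter are assumptions for this illustration.

/**
 * Fetch a request parameter with a mandatory default.
 * The type of $default decides how the raw value is validated and coerced;
 * anything that does not fit falls back to $default.
 */
function request_var(string $name, $default, ?array $source = null)
{
    // $source is injectable for tests; real callers rely on $_REQUEST.
    $source = $source ?? $_REQUEST;

    if (!array_key_exists($name, $source)) {
        return $default;
    }
    $raw = $source[$name];

    if (is_int($default)) {
        // Only a plain decimal integer is accepted; "12abc", "1e3", "7 OR 1=1" fall back.
        if (is_string($raw) && preg_match('/^-?\d+$/', $raw)) {
            return (int) $raw;
        }
        return $default;
    }
    if (is_float($default)) {
        return is_numeric($raw) ? (float) $raw : $default;
    }
    if (is_bool($default)) {
        $v = filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
        return $v ?? $default;
    }
    if (is_array($default)) {
        return is_array($raw) ? $raw : $default;
    }
    // String default: an array sent as name[]=... must not leak through,
    // and NUL bytes are stripped because they confuse C-based library calls.
    if (!is_string($raw)) {
        return $default;
    }
    return str_replace("\0", '', $raw);
}

// Constructed sample input standing in for $_REQUEST (assumption, for demonstration only).
$sample = [
    'action' => 'edit',
    'id'     => '42',
    'page'   => '7 OR 1=1',
    'ratio'  => '0.5',
    'tags'   => ['a', 'b'],
];

$action = request_var('action', 'main', $sample);
$id     = request_var('id', 0, $sample);
$page   = request_var('page', 1, $sample);
$ratio  = request_var('ratio', 0.0, $sample);
$tags   = request_var('tags', 'none', $sample);
$other  = request_var('missing', 'main', $sample);

var_dump($action, $id, $page, $ratio, $tags, $other);
```

Run with the PHP CLI. With the constructed $sample above, 'action' comes back as the string it was sent as, 'id' as the integer 42, 'page' as the default 1 because "7 OR 1=1" is not an integer, 'ratio' as a float, 'tags' as the default "none" because an array arrived where a string was expected, and 'missing' as the default. Once every read goes through a helper like this, the $_REQUEST occurrences that Auge listed can be replaced mechanically, and the isset/else or ternary check that each caller currently repeats disappears with them.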

