IF no value then Die problem
Posted: Fri Aug 10, 2007 9:04 am
by Wardy7
I have another simple PHP problem that unfortunately has got me stumped.
I have a form that a user submits and if the user does not select a selection from one of the drop down menus I want it to say on the next page "You have not selected an answer".
The "fuel" box on the form has a value of "0" if the user does not select an answer.
Anyway, I have done the below that I thought should work but unfortunately it does not. Can anyone help please?!
Code:
<?php if ($fuel='0') die("Sorry, but you must enter the cars Fuel type. Please press the back button!");?>
Cheers
Wardy
Posted: Fri Aug 10, 2007 9:07 am
by volka
A single = assigns a value.
== and === are for comparison.
To avoid such problems write the literal on the left side. Since you cannot assign a value to a literal the parser will throw an error if you forget a =
Posted: Fri Aug 10, 2007 9:07 am
by VladSun
Also, try using empty():
Code:
<?php if (empty($_REQUEST['fuel'])) die("Sorry, but you must enter the cars Fuel type. Please press the back button!");?>
Posted: Fri Aug 10, 2007 9:16 am
by onion2k
Never use $_REQUEST. It's a security risk.
Posted: Fri Aug 10, 2007 9:22 am
by VladSun
onion2k wrote: Never use $_REQUEST. It's a security risk.
Yes, you are right.
It was only an example - I have no information what is used to set the value of $fuel.
Posted: Fri Aug 10, 2007 10:08 am
by SidewinderX
Sorry to get off topic: someone can just give me a simple yes or no in a reply to the original....
Code:
$foo = "0";
$bar = "";
empty($foo);
empty($bar);
In PHP both cases return true?
Posted: Fri Aug 10, 2007 11:05 am
by volka
onion2k wrote: Never use $_REQUEST. It's a security risk.
What's the security risk in using $_REQUEST?
Posted: Fri Aug 10, 2007 11:36 am
by onion2k
volka wrote: onion2k wrote: Never use $_REQUEST. It's a security risk.
What's the security risk in using $_REQUEST?
You're using data from an 'unknown' source, it might be GET, it might be POST. You should explicitly take data only from where you expect it to come from, eg $_GET or $_POST. If the data could come from either you should choose which takes precedence in the source, eg
Code:
$id = (!empty($_POST['id'])) ? $_POST['id'] : $_GET['id'];
I wouldn't leave things that could change with PHP's configuration (such as variable order precedence) down to chance.
Posted: Fri Aug 10, 2007 11:48 am
by volka
But even if you see that as a problem (which in the majority of cases I do not) that's not a security risk per se.
Posted: Fri Aug 10, 2007 12:13 pm
by onion2k
volka wrote: But even if you see that as a problem (which in the majority of cases I do not) that's not a security risk per se.
It is. Imagine you've got a form that POSTs data back to the server. If you're using $_REQUEST and someone adds ?id=1 to the URL then your script will use that rather than the POST'ed version if your order precedence puts GET above POST. That is a security risk.
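Added example (not part of any post in this thread): a small simulation of how PHP fills $_REQUEST according to the request_order / variables_order setting, where sources are registered left to right and later ones overwrite earlier ones, next to an explicit read from the POST body. The function names and the sample values are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Simulate how $_REQUEST is built: walk the order string left to right,
 * letting each later source overwrite keys set by earlier ones.
 */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_replace keeps keys as-is and overwrites duplicates.
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

/** Explicit alternative: accept the id only from the POST body. */
function id_from_post(array $post): ?string
{
    $id = $post['id'] ?? null;
    return (is_string($id) && ctype_digit($id)) ? $id : null;
}

// Constructed request: the form POSTs id=42 while the URL carries ?id=1.
$get  = ['id' => '1'];
$post = ['id' => '42'];

foreach (['GP', 'PG'] as $order) {
    $request = build_request($order, $get, $post, []);
    echo "order {$order}: \$_REQUEST['id'] = {$request['id']}", PHP_EOL;
}
echo 'explicit POST read: ', id_from_post($post), PHP_EOL;
```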
Posted: Fri Aug 10, 2007 12:16 pm
by RobertGonzalez
SidewinderX wrote: Sorry to get off topic: someone can just give me a simple yes or no in a reply to the original....
Code:
$foo = "0";
$bar = "";
empty($foo);
empty($bar);
In PHP both cases return true?
From the manual on empty():
Returns FALSE if var has a non-empty and non-zero value.
The following things are considered to be empty:
"" (an empty string)
0 (0 as an integer)
"0" (0 as a string)
NULL
FALSE
array() (an empty array)
var $var; (a variable declared, but without a value in a class)
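Added example (not part of any post in this thread): a check for the fuel field that reads only from the POST body and uses strict comparison, so the "0" placeholder, a missing field and an unknown value are each handled explicitly instead of relying on empty(). The option values '1' to '3', their labels and the function name are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical drop-down options; '0' is the "nothing selected" placeholder.
const FUEL_OPTIONS = ['1' => 'Petrol', '2' => 'Diesel', '3' => 'Electric'];

/**
 * Validate the fuel field from a POST body.
 * Returns [true, label] on success or [false, message] on failure.
 */
function validate_fuel(array $post): array
{
    if (!array_key_exists('fuel', $post)) {
        return [false, 'Field missing from the request.'];
    }
    $fuel = $post['fuel'];
    // fuel[]=x arrives as an array; reject anything that is not a string.
    if (!is_string($fuel)) {
        return [false, 'Unexpected type for fuel.'];
    }
    // Literal on the left, strict comparison: '0' = $fuel would be a parse error.
    if ('0' === $fuel) {
        return [false, 'You have not selected an answer.'];
    }
    // Allow-list: only values the form actually offers are accepted.
    if (!array_key_exists($fuel, FUEL_OPTIONS)) {
        return [false, 'Unknown fuel type.'];
    }
    return [true, FUEL_OPTIONS[$fuel]];
}

// Constructed sample inputs standing in for $_POST.
$samples = [[], ['fuel' => '0'], ['fuel' => ['x']], ['fuel' => '9'], ['fuel' => '2']];
foreach ($samples as $post) {
    [$ok, $detail] = validate_fuel($post);
    echo json_encode($post), ' => ', $ok ? 'OK: ' : 'REJECTED: ', $detail, PHP_EOL;
}
```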
Posted: Fri Aug 10, 2007 2:00 pm
by volka
onion2k wrote: volka wrote: But even if you see that as a problem (which in the majority of cases I do not) that's not a security risk per se.
It is. Imagine you've got a form that POSTs data back to the server. If you're using $_REQUEST and someone adds ?id=1 to the URL then your script will use that rather than the POST'ed version if your order precedence puts GET above POST. That is a security risk.
I don't see it. It's both user input. I have to test and check it both the same way. What harm can it do to my application's or server's security?
It may be that I don't want the user to be able to replace post data by get data. But that's no matter of security.
Posted: Fri Aug 10, 2007 2:10 pm
by Benjamin
You guys are off topic but you're both right. Although in and of itself using $_REQUEST may not be a security risk, it can lead to security risks. Notably $_GET data can end up performing actions which should only be done via $_POST data.
Posted: Fri Aug 10, 2007 2:16 pm
by volka
astions wrote: You guys are off topic
yes. And I'm sorry about this. Nevertheless
astions wrote: Although in and of itself using $_REQUEST may not be a security risk, it can lead to security risks. Notably $_GET data can end up performing actions which should only be done via $_POST data.
No. POST data is not a bit more secure than GET data. And neither are cookies. All user input, all not to trust. There are reasons why you might not want to use _REQUEST, but security is not one of them.
Posted: Fri Aug 10, 2007 2:21 pm
by Benjamin
When you use $_GET data to perform actions, such as deleting a record, this is the security risk. You cannot know that the data is coming from the currently logged in user. It could be coming from another website that the currently logged in user is viewing.
Code:
<img src="http://hxrd.com/index.php?action=deleteRecord&recordID=23" height="0" width="0" />
There are many sites extremely vulnerable to this.
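Added example (not part of any post in this thread): a handler for the deleteRecord action shown above that refuses GET and requires a per-session token, so the request made by the image tag is rejected. The request and session are passed in as arrays (constructed samples at the bottom), and the function names and the csrf_token field name are hypothetical.

```php
<?php
declare(strict_types=1);

/** Create the per-session token that the delete form embeds in a hidden field. */
function issue_csrf_token(array &$session): string
{
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

/**
 * Decide whether a deleteRecord request may proceed.
 * Returns [HTTP status, message]; the deletion itself is left out.
 */
function handle_delete(string $method, array $post, array $session): array
{
    // State-changing actions are not reachable via GET (img, link, prefetch).
    if ($method !== 'POST') {
        return [405, 'Method not allowed'];
    }
    $sent   = $post['csrf_token'] ?? '';
    $stored = $session['csrf_token'] ?? '';
    // Constant-time comparison; an empty stored token never matches.
    if (!is_string($sent) || $stored === '' || !hash_equals($stored, $sent)) {
        return [403, 'Missing or invalid CSRF token'];
    }
    $id = $post['recordID'] ?? '';
    if (!is_string($id) || !ctype_digit($id)) {
        return [400, 'Invalid record id'];
    }
    return [200, "Record {$id} may be deleted"];
}

// Constructed requests against one logged-in user's session.
$session = [];
$token = issue_csrf_token($session);
$attempts = [
    'img tag (GET)'      => ['GET',  []],
    'POST without token' => ['POST', ['recordID' => '23']],
    'form with token'    => ['POST', ['recordID' => '23', 'csrf_token' => $token]],
];
foreach ($attempts as $label => [$method, $post]) {
    [$status, $message] = handle_delete($method, $post, $session);
    echo "{$label}: {$status} {$message}", PHP_EOL;
}
```

The token check is in addition to, not instead of, verifying that the logged-in user is allowed to delete that record.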