Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Let's say a potential url is something like: http://mysite.com/myphp.php?param=foo
How and when (what difference) should the $_GET['param'] be checked?
The last one. All the others, except no. 2, which isn't specific enough, will create a notice, and you should code with notices on; it makes life a lot easier.
So would it be fair to say ... in general, always check isset first then check the value?
isset() checks if a variable exists. If the variable does not exist, then there's not much else to do (which is why it's always the first part of the "if" condition). So yes, it would be fair to say an isset() should be done first.
// Java servlet: getParameter() returns null for a missing parameter, and
// "Foo".equalsIgnoreCase(null) is simply false, so no separate null check is needed.
if ("Foo".equalsIgnoreCase(request.getParameter("param")))
{
...
}
So, in PHP, I bet you could dispense with the isset checks when you have a string literal you can check against, since it doesn't really matter if the param is set. You really want to know if it's equal to the literal "foo".
This is probably what I'd do - since I rarely want my scripts to care about the request type:
mpeacock wrote:So, in PHP, I bet you could dispense with the isset checks when you have a string literal you can check against, since it doesn't really matter if the param is set. You really want to know if it's equal to the literal "foo".
This is probably what I'd do - since I rarely want my scripts to care about the request type:
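Added example, not code from any of the posters above: it puts both approaches from this thread side by side in PHP, the "isset() first, then check the value" pattern and the "compare straight against the literal" pattern. The function names get_choice() and is_foo(), the allow-list, and the sample queries are assumptions made up for the illustration; the queries are constructed to stand in for what $_GET would hold for each URL. It assumes PHP 7.0 or later (for the ?? operator) and runs from the CLI.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 7.0; run with `php file.php`.
declare(strict_types=1);

// 1. "isset() first, then the value": the order recommended above.
//    Returns the parameter only if it is present, is a plain string (not
//    the array you get from ?param[]=foo) and is on an allow-list; otherwise null.
function get_choice(array $query, string $name, array $allowed): ?string
{
    if (!isset($query[$name])) {          // absent (or null): nothing to check
        return null;
    }
    $value = $query[$name];
    if (!is_string($value)) {             // ?param[]=foo arrives as an array
        return null;
    }
    // strict in_array avoids loose-comparison surprises such as '1e3' == '1000'
    return in_array($value, $allowed, true) ? $value : null;
}

// 2. Comparing against a literal without a separate isset(): ?? yields ''
//    for a missing key with no notice (PHP 7) or warning (PHP 8), and ===
//    rejects arrays and type-juggled "matches" in the same expression.
function is_foo(array $query): bool
{
    return ($query['param'] ?? '') === 'foo';
}

// Constructed sample queries: what $_GET holds for each URL.
$cases = [
    'myphp.php?param=foo'   => ['param' => 'foo'],
    'myphp.php?param=FOO'   => ['param' => 'FOO'],
    'myphp.php'             => [],
    'myphp.php?param[]=foo' => ['param' => ['foo']],   // array, not string
    'myphp.php?param=0'     => ['param' => '0'],
];

foreach ($cases as $url => $get) {
    $choice = get_choice($get, 'param', ['foo', 'bar']);
    printf("%-24s choice=%-5s is_foo=%s\n",
        $url, var_export($choice, true), var_export(is_foo($get), true));
}
```

Only the first URL passes either check; the others give null/false without emitting a notice or warning. Two caveats worth keeping in mind: a loose `==` against a literal is not equivalent (numeric strings compare by value, and PHP versions before 8 treat `'foo' == 0` as true), and if you want the case-insensitive behaviour of the Java `equalsIgnoreCase` above, do the `is_string()` check before calling `strcasecmp()`, because passing an array to it is a TypeError on PHP 8.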