If($var) vs. if(isset($var))

Set a Boolean variable in a session :smiley:

I only suggest doing this since I prefer to store the entire POST array in a session so that I can easily handle multiple HTTP requests with the users data for error checking and such.

I know the thread title is about advantages or different variable testing but why not assume the userrname and password are correct, test for an exact match and report back on failure?

Much morle learned colleges have commented , but I feel I should clarify some things that were said.

  1. isset() checks for the EXISTENCE of the variable, regardless of its value.

  2. As StarL pointed out if($var) is risky ( tho I find it useful in controlled situations). ($var) will return TRUE if: $var is any # which is not equal to 0. if $var is BOOLEAN TRUE, if $var is NULL, or if it’s and EMPTY string ( ’ ’ will cause ($var) to be TRUE, for example; but also note that ‘’ is not == to ’ ’ , so trimming your sting before checking is a good idea. Still what kind of password is ’ '?!?!).

  3. Learn about ALL type check functions. PHP doesn’t rely on DECLARED var types so: $a=‘111’; $b=150; $c=$a+$b; $a is a STRING. $b and $c are INTEGERs, however. clever way to make sure text field is an integer: (is_integer($value+0).

  4. All text inputs (this include passwords) are submitted, even if not filled. AND they are all strings.

So the issue here is more of logic than of which function or what syntax.

  1. Confirm that the form was FILLED AND SENT ( god help you if you are using $_GET for a secure info, BTW). It is good practice to do it via isset(name of submit button).
  2. Now you know that the user , at least, pressed submit on the form and did not get to this step via some other nefarious cleverness so (see point 4 above) you dont need to check if your pass and name fields are set.
  3. UNLESS you want to SPECIFY a “this field cannot be empty!” error to the user you dont need to worry about (!$var)
  4. This means that the only condition you need to check ( except maybe for special characters… to prevent SQL injections) is ($var==$correctPass). it woulso be redundant to check the variable type of the pass or name as :
    i) a password check is NOT a math function so it is solely concerned wit the sequence of characters. For this purpose ‘1055’==1055, anyway
    ii) ANYWAY, text fields submit info as strings… so all text fields will type as STRING , even if they are fully numeric

so it boils down to this:

if (isset($_POST['submitButtonName'])){
    //other validation stuff.... 
    if ($theirPass != $rightPass){ $FailEntry="Acess Denied!!!";}
<? if (!$FailEntry) :?>
<? echo "<div>Welcome USER</div>";?>
<? else : ?>
<? echo "<div>FailEntry</div>";?>
<!-- your form HTML--> 
<? endif; ?>

hope that helps.

No, this doesn’t check for an integer at all. Any string, boolean and even null will cause this condition to return true. Actually, this only checks for the (lack of) existence of a fractional part of a number. Moreover, it will result in a fatal error if $value is an array.

As was mentioned earlier they can be arrays as well. And you can never be sure if they have really been submitted until you check it.

I don’t think naming the submit button is necessary at all unless you want to target multiple submit buttons. Checking if a form was sent can be done with checking $_SERVER[‘REQUEST_METHOD’] or even the ugly but simple if($_POST) will do - $_POST is always set in PHP and it’s an empty array for GET requests and also for POST requests without any fields (empty forms).

No, you can’t be sure about how the user got to this step and any malicious cleverness is possible, your previous check doesn’t prove anything and you still need to check if fields are set - unless you are happy with NOTICE errors. The reason we do detailed checks for submitted values is that they all can be spoofed and you can potentially receive any combination of data. That’s why all kinds of checks are necessary like isset(), is_string(), strlen(), etc.

Two things are incorrect in this reasoning - first there’s no need to check for special characters to prevent SQL injections, if you have to do it then there’s an underlying security problem in your application. A properly escaped value, or one passed via a prepared statement, is safe against SQL injections regardless of special characters. However, you may want to check for special characters not to allow some garbage data to get to your database.

Second, ($var==$correctPass) is not enough since $var can be unset so you need to use isset().

If you really need to compare plain text passwords then you should use the === operator. Consider these passwords to be equal if used with ==:

‘000000’ == ‘0’
‘000000’ == ‘00.00’
‘000000’ == ‘-0.0’
‘000000’ == ‘+00.00’
‘12345’ == ‘+000000012345.’

As mentioned earlier, they can be arrays and you never know if someone may misuse your form and send an array in a field that you expect to be a string. Or, the field may not be sent at all, too.


The point I was trying to make was testing on the off-chance for variable validity slows the login process.

Maybe better to assume valid login details and return false with a message.

# set variables
	$uname = 'valid-name'; #array(1,2,23); # 'valid-name';
	$pword = 123456789 ;
	$error = '';

# pass variables and define result
	define('LOGGED_IN', login($uname, $pword, $error) );

# show results
	echo LOGGED_IN ?  'LOGGED_IN' : 'FAILED BECAUSE ' .$error;
	echo '<br />$uname: ', $uname;
	echo '<br />$pword: ', $pword;
	echo '<br />$error: ', $error;

//  useage -  login($uname, $pword, & $msg_by_ref);
//  return - true or false with and 'error message'
function login($uname, $pword, & $msg_by_ref = 'dummy and not used')
  $result = ($uname === 'valid-name')  && (123456789 === $pword);

    if ( ! $result)

      if  (is_array($uname))        $err = 'Its an array()';
      else if (is_string($uname))   $err = 'String does not match';
      else if (is_bool($uname))     $err = 'Its a boolean';
      else if(is_numeric($uname))
        if      ($uname > 0)    $err = 'Its more than Zero';
        else if ($uname < 0)    $err = 'Its less than Zero';
        else                    $err = 'Its ZERO';
      else if (empty($uname))   $err = 'Its empty()';

      throw new Exception($err);

  catch( Exception $e )
     $result      = false; # heading($e->getMessage());
     $msg_by_ref  = $e->getMessage();

  return $result;