PHP confusion in conditional logic, which is a constraint

codeispoetry · June 8, 2020, 4:12pm

<?php
// initialize session
session_start();

// create session variable if form has been submitted
if (isset($_POST['first_name'])) {
    if (!empty($_POST['first_name'])) {
        $_SESSION['first_name'] = htmlentities($_POST['first_name']);
    } else {
        $_SESSION['first_name'] = 'Bashful';
    }
}
?>

While we are restricting condition → if (isset($_POST['first_name'])) { than what could be the point of putting extra constraint of → if (!empty($_POST['first_name'])) {

I was slightly puzzled when I came across this constraint while browsing a certain code.

benanamen · June 8, 2020, 4:45pm

With a proper form, the fields will always be isset so checking for it is pointless. What you need to do is first check the REQUEST METHOD, then TRIM the entire POST array at once and THEN check for empty. IF field is empty and is required, add an error to an error array.

codeispoetry · June 8, 2020, 6:37pm

Thanks, Can you please explain this with an example?

SpacePhoenix · June 9, 2020, 8:57am

If a field is a check-box, if the check-box is unticked then nothing gets sent for that field so in the post array, nothing will exist for that field, so for check-box fields you need an isset to check the status of the check-box

m_hutley · June 9, 2020, 9:39am

Not to mention that the code cannot assume that post fields exist.

Just because your form is properly constructed doesn’t stop anyone from sending an empty POST request to your system.

As for

It’s there to put a default value in if the form was submitted correctly, but has an empty field.

Now, there’s a shorter way of writing it;

if (isset($_POST['first_name'])) {
    if (!empty($_POST['first_name'])) {
        $_SESSION['first_name'] = htmlentities($_POST['first_name']);
    } else {
        $_SESSION['first_name'] = 'Bashful';
    }
}

=>

if(isset($_POST['first_name'])) {
  $_SESSION['first_name'] = htmlentities($_POST['first_name']) ?: "Bashful";
}

(PHP 5.3+)

Fair warning: This will also mean that someone who puts their first name as “0” will be called Bashful, due to the nature of truthy boolean conversion.

codeispoetry · June 9, 2020, 12:45pm

That means even an empty post = Null value is also considered as something is set there and the condition →

if (isset($_POST['first_name'])) {

will be considered as set to be true in terms of boolean logic. Right?

m_hutley · June 9, 2020, 1:42pm

No, an empty post is different.

$_POST will always exist - it is a Superglobal Array.
$_POST['example'] may or may not exist.
IF $_POST['example'] exists, it may have an empty value.

By default, $_POST is an empty array. $_POST = [];
At that point, isset will return false. isempty will throw an error because the key does not exist.
$_POST = ['example' => ''];
This is what you would see if there was a text field:
<input type='text' name='example'>
that was submitted with nothing in the field.
At that point isset will return true. isempty will return true.

benanamen · June 9, 2020, 5:51pm

Any empty space will also be isset. Thats why you need to trim the POST array and then check for empty (or !empty), NOT check isset. (Checkboxs not withstanding)

That is true, that’s when validation comes in. You still dont use isset. You would have an array of expected/allowed fields (not required fields, that is another part). If the expected field is !in_array, then you handle it however you want. This also protects against fields posted that are not allowed.

John_Betong · June 10, 2020, 12:51am

[off-topic]
Just noticed there is no script to prevent zero as a leading numeric:

[/off-topic]

system · November 6, 2020, 1:52am

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.