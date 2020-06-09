PHP confusion in conditional logic, which is a constraint

<?php
// initialize session
session_start();

// create session variable if form has been submitted
if (isset($_POST['first_name'])) {
    if (!empty($_POST['first_name'])) {
        $_SESSION['first_name'] = htmlentities($_POST['first_name']);
    } else {
        $_SESSION['first_name'] = 'Bashful';
    }
}
?>

While we are restricting the condition → if (isset($_POST['first_name'])) { then what could be the point of putting an extra constraint of → if (!empty($_POST['first_name'])) {

I was slightly puzzled when I came across this constraint while browsing a certain code.

With a proper form, the fields will always be isset so checking for it is pointless. What you need to do is first check the REQUEST METHOD, then TRIM the entire POST array at once and THEN check for empty. IF field is empty and is required, add an error to an error array.

Thanks. Can you please explain this with an example?

If a field is a check-box and the check-box is unticked, then nothing gets sent for that field, so nothing will exist for that field in the post array. For check-box fields you need an isset to check the status of the check-box.

Not to mention that the code cannot assume that post fields exist.

Just because your form is properly constructed doesn’t stop anyone from sending an empty POST request to your system.

As for

It’s there to put a default value in if the form was submitted correctly, but has an empty field.

Now, there’s a shorter way of writing it;

if (isset($_POST['first_name'])) {
    if (!empty($_POST['first_name'])) {
        $_SESSION['first_name'] = htmlentities($_POST['first_name']);
    } else {
        $_SESSION['first_name'] = 'Bashful';
    }
}

=>

if(isset($_POST['first_name'])) {
  $_SESSION['first_name'] = htmlentities($_POST['first_name']) ?: "Bashful";
}

(PHP 5.3+)

Fair warning: This will also mean that someone who puts their first name as “0” will be called Bashful, due to the nature of truthy boolean conversion.
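The cases discussed in this thread (field missing, field submitted empty, and a first name of "0"), side by side as an added example that is not part of any post. `resolve_first_name` and `shortcut_first_name` are hypothetical names, the sample arrays are constructed stand-ins for `$_POST`, and falling back to the default for a non-string value is an assumption of this example.

```php
<?php
// Added example: hypothetical helper, not code from the thread.
// Returns null when the field was not submitted at all (e.g. an empty POST),
// the default when it was submitted blank, and the escaped value otherwise.
function resolve_first_name(array $post, string $default = 'Bashful'): ?string
{
    // isset(): the key may be absent, because a client can send any body it likes.
    if (!isset($post['first_name'])) {
        return null;
    }
    // A field sent as first_name[]=x arrives as an array, not a string.
    // Assumption of this example: treat that like a blank field.
    if (!is_string($post['first_name'])) {
        return $default;
    }
    $value = trim($post['first_name']);
    // Compare with '' instead of using empty() or ?: so that "0" is kept.
    if ($value === '') {
        return $default;
    }
    return htmlentities($value);
}

// The shortcut from the thread, wrapped in a function for comparison.
function shortcut_first_name(array $post): ?string
{
    if (isset($post['first_name'])) {
        return htmlentities($post['first_name']) ?: 'Bashful';
    }
    return null;
}

// Constructed sample inputs standing in for $_POST.
$samples = [
    'field missing' => [],
    'empty string'  => ['first_name' => ''],
    'spaces only'   => ['first_name' => '   '],
    'zero'          => ['first_name' => '0'],
    'markup'        => ['first_name' => '<b>Ann</b>'],
];

foreach ($samples as $label => $post) {
    printf("%-14s strict=%s shortcut=%s\n", $label,
        var_export(resolve_first_name($post), true),
        var_export(shortcut_first_name($post), true));
}
```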