I am maintaining the code from another developer, and I just found this code in the source code of his files:
function update($set, $args)
{
    ;
    if(!empty($args))
    {
        if(!empty($args['id']))
        {
            $id = $args['id'];
            return update_post_meta($id, '_quizdata', $set);
        }
    }
    return false;
}
As you can see, in line three there is a Greek question mark. Can this question mark have any special meaning, or can it harm the code somehow?
It is the first time I have seen something like that. Also, I do not get any error in my error logs, but I don't even know if this code is ever executed, so it might never produce an error.
Kind regards
Nothing; it is a simple empty statement.
I'm reading Code Complete and there is the statement in it that warns against using a variable with a double purpose, for example:
1) If a variable is a number, it contains error code.
2) If a variable is an array, it contains data.
And that's exactly what I'm doing in my program with the variable $text in the code snippet below:
$text = $editor->getTextForLinking($data_array['idText']);
if (Arr::is_array($text)) {
    ...
} else {
    Log::instance()->add(Log::Error, $text);
    $this->response->body("Text can't be retrieved");
}
I have access to the method getTextForLinking() so it can be changed. How can it be changed to exclude the undesirable situation with double purpose?
I don't want to use exceptions like this:
$text = Array();
try {
    $text = $editor->getTextForLinking($data_array['idText']);
} catch(SomeException $e) {
    Log::instance()->add(Log::Error, $text);
    $this->response->body("Text can't be retrieved");
}
I think it's clear that anything returned by getTextForLinking() that is not an array should be considered an error (and logged), so I'm not entirely convinced that your example warrants such a change.
With that said, it might be an improvement to keep the return signature of the function the same data type (array) regardless of what data you send it. This way it will be consistent (you lose the need for $text = Array();) and you won't have to make special cases depending on whether it's an error or not.
$results = $editor->getTextForLinking($data_array['idText']);
if (empty($results)) {
    Log::instance()->add(Log::Error, $data_array['idText']);
} else {
    // Handle results array
}
Update
If you are setting an error message within the function, this violates the single responsibility principle: a function/method should only have one job. As far as $editor->getTextForLinking() is concerned, it will always return an array of text, not deal with returning an error.
The error message should depend on the context (where the method is used). If at some point an empty array is invalid handle/set the error (message) outside of the function as I have shown above.
Doing it this way allows the $editor to be oblivious of the validity of the returned result and could allow you to reuse the function elsewhere where an empty array is not considered an error.
Do not check the return value; check the parameters of your function instead. In other words, modify your getTextForLinking function so that it does type checking before processing a result.
Example pseudocode:
function getTextForLinking($text) {
    if $text is array,
        process it and return an array containing data
    else
        return an array without data, i.e. an empty array.
}
I have a pretty nasty error I can't get rid of. Here's the function causing the issue:
function get_info_by_WatIAM($WatIAM, $info) {
    $users_info = array();
    $infoArray = array(); // initialised so the lookup below never reads an undefined variable
    exec("uwdir -v userid={$WatIAM}", $users_info);
    foreach ($users_info as $user_info) {
        $exploded_info = explode(":", $user_info);
        if (isset($exploded_info[1])) {
            $infoArray[$exploded_info[0]] = $exploded_info[1];
        }
    }
    return $infoArray[$info];
}
Here's what's calling the function:
} elseif ( empty(get_info_by_WatIAM($_POST['ownerId'])) ) { ...
I would really appreciate any suggestion. Thanks very much!
If the code doesn't make sense, here's a further explanation: exec uses a program that stores information on all the users in a school. This includes things like faculty, name, userid, etc. The $_POST['ownerId'] is a username; the idea is that, upon entering a username, all of the user's information is automatically filled in.
You do not need empty around function calls; in fact empty only works with variables and not functions (as you see). You only need empty if you want to test a variable that may not be set for truthiness. It is pointless around a function call, since that function call must exist. Instead simply use:
} else if (!get_info_by_WatIAM($_POST['ownerId'])) { ...
It does the same thing. For an in-depth explanation, read The Definitive Guide To PHP's isset And empty.
empty can only be used on variables, not on expressions (such as the result of calling a function). There's a warning on the documentation page:
Note: empty() only checks variables as anything else will result in a parse error. In other words, the following will not work: empty(trim($name)).
Just one of PHP's best-left-alone quirks.
One workaround is to store the result in a variable and call empty on that, although it's clunky. In this specific case, you can also use
if (!get_info_by_WatIAM(...))
...although in general, if (empty($a)) and if(!$a) are not equivalent.
Get the value of this:
$a = get_info_by_WatIAM($_POST['ownerId']);
then check
empty($a)
It will work.
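Added example (not code from the question or the answers) for the function above: the parsing is split out so it can be exercised offline with constructed directory output, the lookup result is assigned to a variable before empty() is applied, and the userid, which the question feeds straight from $_POST['ownerId'] into exec(), is quoted with escapeshellarg(). The allowed-character pattern for a userid is an assumption; uwdir itself is not run here.

```php
<?php
// Parse the "key:value" lines the directory tool prints into an associative array.
function parse_user_info(array $lines) {
    $infoArray = array();                 // initialised, so zero lines of output is safe
    foreach ($lines as $line) {
        $parts = explode(':', $line, 2);  // limit 2: a value may itself contain ':'
        if (isset($parts[1])) {
            $infoArray[trim($parts[0])] = trim($parts[1]);
        }
    }
    return $infoArray;
}

// Same contract as the question's function, with the shell argument quoted and the
// lookup guarded. The allowed-character pattern is an assumption about userid format.
function get_info_by_WatIAM($WatIAM, $info) {
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $WatIAM)) {
        return null;                      // never hand unexpected input to the shell
    }
    $users_info = array();
    exec('uwdir -v userid=' . escapeshellarg($WatIAM), $users_info);
    $infoArray = parse_user_info($users_info);
    return isset($infoArray[$info]) ? $infoArray[$info] : null;
}

// Constructed sample output, standing in for what exec() would fill in.
$sample = array('userid:jdoe', 'name:Doe, Jane', 'email:jdoe@example.edu', 'no separator here');
$parsed = parse_user_info($sample);

// empty() needs a variable (a hard requirement before PHP 5.5), so assign first, then test.
$owner = isset($parsed['userid']) ? $parsed['userid'] : null;
if (empty($owner)) {
    echo "unknown user\n";
}

var_dump($parsed === array('userid' => 'jdoe', 'name' => 'Doe, Jane', 'email' => 'jdoe@example.edu')); // bool(true)
var_dump(get_info_by_WatIAM('jdoe;other', 'name') === null); // bool(true): metacharacter rejected, exec() never runs
```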
Possible Duplicate:
The ultimate clean/secure function
I was informed in another thread that this bit of code was pretty useless:
function getPost($s) {
    if (array_key_exists($s, $_POST))
        return mysql_real_escape_string(htmlspecialchars($_POST[$s]));
    else return false;
}
function getGet($s) {
    if (array_key_exists($s, $_GET))
        return mysql_real_escape_string(htmlspecialchars($_GET[$s]));
    else return false;
}
Can anybody help understand why and how I can make it better please? Links or references are welcome also.
Just trying to always improve :)
Well, it's bad for the same reason magic_quotes_gpc is bad. It's magic and will escape everything, whether you want it to or not. Instead, handle the escaping where it's used, and you can change things without any problem. So:
function post($key) {
    if(array_key_exists($key, $_POST)) {
        return $_POST[$key];
    }
    return false;
}
And do your escaping where it's needed. Otherwise, things can look strange, and unescaping them will defeat the point. Consider this: I input my last name, O'Hara, in a textbox. You want to echo it back, but you fetch it using getPost. Here's what I get back:
O\'Hara
Did you htmlspecialchars it again? Well, then I get:
O\'ara
or something. This happens to me a lot and it's incredibly annoying - please don't do it.
I wouldn't say useless, just a bit misguided. You should do the escaping immediately before you use it in the context it needs to be escaped for. For example, if you want to send the value back to the browser you might do this:
echo htmlspecialchars($_GET['name']);
But if you want to send it to the database you might do this:
mysql_query(... 'INSERT INTO users VALUES ("'.mysql_real_escape_string($_GET['name']).'")');
With your method you are fixed in what you can do with it. If you do this:
echo getGet('name');
You are going to print out a MySQL escaped string rather than the actual name.
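Added example (not from the question or either answer) showing the backslash leak the first answer describes next to the escape-at-point-of-use approach the second answer recommends. It keeps the question's order (htmlspecialchars, then SQL quoting); addslashes stands in for mysql_real_escape_string, which modern PHP no longer has, and the database side swaps the page's mysql_query for a PDO prepared statement on in-memory SQLite (assumes the pdo_sqlite extension) so it runs offline.

```php
<?php
// Constructed sample input: what $_POST['name'] would hold for the first answer's example.
$_POST = array('name' => "O'Hara <b>");

// The question's getPost(): escapes for two output contexts at once, whatever the value is for.
// (ENT_COMPAT mirrors the pre-8.1 default, so the single quote survives to be backslashed.)
function getPostEscaped($key) {
    if (!array_key_exists($key, $_POST)) {
        return false;
    }
    return addslashes(htmlspecialchars($_POST[$key], ENT_COMPAT));
}

// The recommended replacement: return the raw value, escape where it is used.
function post($key) {
    return array_key_exists($key, $_POST) ? $_POST[$key] : false;
}

// 1. Output to HTML. The "magic" version leaks a SQL backslash into the page; the raw
//    value is encoded exactly once, for the HTML context, at the point of output.
$wrong = getPostEscaped('name');                      // O\'Hara &lt;b&gt;
$right = htmlspecialchars(post('name'), ENT_QUOTES);  // O&#039;Hara &lt;b&gt;

// 2. Storage. A prepared statement keeps the data out of the SQL text, so no SQL-quoting
//    escape is needed at all and the stored value is the real name.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (name TEXT)');
$stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute(array(':name' => post('name')));
$stored = $db->query('SELECT name FROM users')->fetchColumn(); // O'Hara <b>

// Round-trip checks: only the escape-at-use path gives the user their own name back.
var_dump($wrong === "O\\'Hara &lt;b&gt;");                  // bool(true): backslash shown to the user
var_dump($right === "O&#039;Hara &lt;b&gt;");               // bool(true)
var_dump($stored === "O'Hara <b>");                         // bool(true): stored unmodified
var_dump(htmlspecialchars($stored, ENT_QUOTES) === $right); // bool(true): encode once, on output
```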
I have CKEditor embedded in my page. I need to prevent plain whitespace and line breaks that don't come with any characters. There must be at least one actual visible character.
The following answer is totally inconsistent: sometimes it works fine and sometimes it does nothing and allows whitespace:
if(!empty($_POST['rtxt_article']))
{
    if (trim(strip_tags($_POST['rtxt_article']))) {
        // do something
    }
    else
    {
        //ops! please fill in data
    }
}
else
{
    //ops! please fill in data
}
I also tried this:
$plainText = strip_tags($_POST['rtxt_offer']);
$isNotEmpty = trim($plainText);
if($isNotEmpty)
{
    //do something
}
When the above snippet doesn't have any effect anymore, I put in a ! sign and the snippet works again. After a while, the snippet doesn't work until I remove the ! and vice versa. Totally inconsistent. This is how I put the !:
if(!$isNotEmpty) ...
if (!trim(strip_tags($_POST['rtxt_article']))) ...
Any idea? Any other solution?
Give this a shot. It will first check to see if there is actually input by using the empty() function. By adding the ! to empty(), the if statement is being asked if $_POST['rtxt_article'] is NOT empty, meaning that there is at least one character in it.
if (!empty($_POST['rtxt_article']) && trim(strip_tags($_POST['rtxt_article']))) {
    // do something
}
If for some reason it is still being passed with the new line character, then you could scrub the $_POST var first.
edited:
$var = trim($_POST['rtxt_article']);
if (!empty($var)) {
    // do something
}
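Added example (not from the question or the answer) of a "contains at least one visible character" check for rich-text input. It goes one step beyond the strip_tags()/trim() pattern used above: strip_tags() leaves HTML entities such as &nbsp; in place and trim() removes only ASCII whitespace, so the helper decodes entities and treats the non-breaking space as blank. The sample inputs are constructed and UTF-8 is assumed.

```php
<?php
// True when the submitted rich-text HTML contains at least one visible character.
function has_visible_text($html) {
    $text = strip_tags((string) $html);
    $text = html_entity_decode($text, ENT_QUOTES, 'UTF-8'); // &nbsp; becomes U+00A0
    $text = str_replace("\xC2\xA0", ' ', $text);            // count non-breaking space as blank
    return trim($text) !== '';
}

// Constructed samples of what an editor might post, each with the expected verdict.
function check_samples() {
    $cases = array(
        ''                               => false,
        "\r\n\t  "                       => false,
        '<p>&nbsp;</p>'                  => false,
        '<p><br></p><p>&nbsp;&nbsp;</p>' => false,
        '<p>a</p>'                       => true,
        '<p>&nbsp;x&nbsp;</p>'           => true,
        '<p>&amp;</p>'                   => true,  // an entity that decodes to a visible char counts
    );
    foreach ($cases as $input => $expected) {
        if (has_visible_text($input) !== $expected) {
            return false;
        }
    }
    return true;
}
var_dump(check_samples()); // bool(true)

// Use in the handler from the question:
if (isset($_POST['rtxt_article']) && has_visible_text($_POST['rtxt_article'])) {
    // do something
} else {
    // ops! please fill in data
}
```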
Basically, what I want to know is: for the second parameter of the create_function function, is there any way to pass a string without a semicolon, or will it not work?
Example (taken from php.net):
create_function('$a,$b', 'return "CRCs: " . crc32($a) . " , ".crc32($b);')
Notice that there is a semicolon in the string. Is there any possible way someone can enter a function without a semicolon that will still run/evaluate?
With create_function() you're creating an anonymous function. The second parameter is a string that is the code of the function (like any other function you'd write). It doesn't have to end in a semicolon, for example:
$coolfunction = create_function('$thing', 'if ($thing > 0) {return "Yes"; } else { return "no!"; }');
echo $coolfunction(1) . ' and ' . $coolfunction(-1);
Ends in a '}' and prints out: Yes and no!
No, it is not possible. PHP is semicolon-sensitive: you must use it to terminate every statement before a right brace. I even tried a regular function like this:
function f() {
    return 1
}
and it spat out a syntax error, unlike in JavaScript.
You should always sanitize any user input before using it.
I suggest that you look for the semicolon in the user input, if it is missing, append it.
If the user can enter anything here you still have a problem if he enters an invalid function name or just rubbish.
You can validate with preg_match() (although I'm not an expert on preg so I will let someone else help you out there).
First, why do you need that? That's a really dirty way to create a function. I hope it's because you want to make an interface where people can directly create a function (and this will be only for you, or it'll be a big security issue). I don't really get how you want to use that.
Anyway, for your question, you don't have to care whether it's working or not. I mean, just test if it's working; if not, just add a semicolon yourself. It's just a simple test on a string.