I have this piece of code
redirect_loc(index.php);
And the definition for this function is somewhere in a functions file.
function redirect_loc($location=NULL)
{
if($location!=NULL)
{
header("Location:$location");
exit;
}
}
When I pass "index.php" (note the quotes around to specify as a string) it works, however passing index.php gives error The requested URL /indexphp was not found on this server.
Why doesn't this work when it's not passed as a string ?
When you write:
redirect_to(index.php);
This is taking index as a constant and php as another constant and concatenating them using the . concatenation operator.
It is looking for a constant named index (and again for one named php) and, not having found a constant with that name, uses the value "index" (or "php") as a string literal.
This is not recommended practice. If you switch on error logging you will see that it is issuing a notice like "No constant defined index, assuming string value instead".
The . acts as concatenation operator . Did you see what the name was of the file it couldn't find? No . ... It joined the two "strings" (index and php) together - it thought that's what you wanted.
Related
I am using a library, XCRUD, which takes a string argument and is expecting a variable interpolation pattern. Here is how it is used in the documentation, which works fine.
$xcrud->column_pattern('username','My name is {value}');
I want to use this variable as a key to an array, but I can't figure out what syntax is required to access it.
I have tried the following:
$xcrud->column_pattern('PlanNo', $myArray['{value}']);
$xcrud->column_pattern('PlanNo', $myArray[eval('{value}')]);
$xcrud->column_pattern('PlanNo', $myArray[${value}]);
How is it that the function in the library I'm calling can access the variable through {}? Maybe it's unreasonable for me to expect it will exist in the current scope, and it just passes that string somewhere down the line.
Thanks for your help. :)
Try this
$xcrud->column_pattern('PlanNo', $myArray[eval("(" + value + ")")]);
I have been looking for an error in my code since an hour. This was the error:
Writing:
if(isset(($_POST['to'])))
instead of
if(isset($_POST['to']))
I don't get why is this extra pair of brackets causing an Internal Server Error.
I don't think putting brackets around a variable never changes its value. I mean,
$a = $b;
$c = ($b);
$a==$c; //True
I am curious as to know why is it an error?
Thank you.
EDIT:
The above error was occurring for normal variable also.
This is because isset is not a function but a language construct; as such, its definition can be found in the language parser.
T_ISSET '(' isset_variables ')' { $$ = $3; }
It only expects one pair of braces; passing another pair will cause a parse error.
Im pretty sure it has something to do with the fact that isset can not take a function in parameter. You have to pass it a value. Your extra pair of parenthesis may be evaluated as a 'function' or something that need to be evaluated.
Normally, when you try to pass a function to isset, you get this error :
Can't use method return value in write context
isset:
Warning
isset() only works with variables as passing anything else will result in a parse error. For checking if constants are set use the defined() function.
Information can be passed to functions through arguments. An argument is just like a variable.
Arguments are specified after the function name, inside the parentheses. You can add as many arguments as you want, just seperate them with a comma.
The following example has a function with one argument ($fname). When the familyName() function is called, we also pass along a name (e.g. Jani), and the name is used inside the function, which outputs several different first names, but an equal last name:
<?php
function familyName($fname)
{
echo "$fname Refsnes.<br>";
}
familyName("Jani");
familyName("Hege");
familyName("Stale");
familyName("Kai Jim");
familyName("Borge");
?>
I knocked to a phenomenon in an existing php source,
with field access without apostrophe like this: $_GET[test].
I got unsure, also don't know, that this is a possible way,
so I wrote a short example for testing:
echo "Array Test, fields without apostrophe, like \$_GET[fieldname]<BR><BR>";
$a = array();
$a['test'] = "ArrayValue";
echo "case 1 -> \$a['test']: " . $a['test'] . "<BR>";
echo "case 2 -> \$a[\"test\"]: " . $a["test"] . "<BR>";
echo "case 3 -> \$a[test]: " . $a[test] . "<BR>";
And it works, every result got the value (ArrayValue).
I prefer the access method like case 2.
Is case 3 a normal, allowed coding style in php?
What happens here, is that PHP sees a constant called test. If the constant is defined, the value is returned, it isn't defined, PHP falls back to the string "test". For example:
$array = array("A" => "Foo", "B" => "Bar", "C" => "Baz")
define("B", "C");
echo $array[A]; // The constant "A" is undefined,
// so PHP falls back to the string "A",
// which has the value "Foo".
echo $array["B"]; // The result is "Bar".
echo $array[B]; // The value of constant "B" is the string "C".
// The result is "Baz".
It's for backwards compatibility and you should never use it. If you'll turn on notices, you'll see that PHP complains about it.
If you don't put the key into quotes, it will be handled as an undefined constant (assuming it is not defined anywhere), which may work for now, but can fail in future PHP versions. Therefor it is just wrong and the PHP documentation states this variant also as wrong. Check out 'Arrays do's and don'ts'.
By the way: If you put the key into double quotes, it renders variables inside to the key-name.
Using array key names without quotes is a legacy feature in PHP. It was originally the way to do it, but it is no longer recommended and is only still supported for backward compatibility. It will throw a warning message if you have strict mode enabled.
The reason it works is that it sees the key name in this form as a constant. When PHP sees an unknown constant, it defaults to the name of the constant as the value, hence it works as a string replacement.
It would break if you had define() elsewhere in your program that set the value of that constant. It also doesn't work if your key name contains spaces, starts with a digit, or is an invalid constant name for any other reason.
For these reasons, it is not recommended to use this method.
But most of all, the PHP developers have stated publicly that it is not good practice, which may well mean that future PHP versions remove the ability to write code like this.
I'm currently programming a website (in PHP4). I plan to save values, which do not change during runtime, in constants. Those are for example the version number of login-data for the database.
Question 1: are there any (security relevant) problems that can arise from saving data in constants?
At the moment I do the following to define and call the constant:
define("VERSION", "1.0");
echo "Current version: ".VERSION."."; // Result: "Current version: 1.0."
There is one thing that annoys me: In case a constant is not defined, the "wrong" variable name is returned instead of e.g. NULL.
define("VERSION", "1.0");
echo "Current version: ".VERSIONXXX."."; // Result: "Current version: VERSIONXXX."
One solution I found to get an error message and the return value "NULL" when I accidently entered a wrong constant name is using the function constant():
define("VERSION", "1.0");
echo "Current version: ".constant("VERSIONXXX")."."; // Result: "Current version: ."
Question 2: Can I prevent in a different way, that PHP returns the name of the non-existing variable?
Question 3: Should the value of a constant in PHP always be returned using the function constant()?
If you attempt to use a constant that does not exist, PHP automagically assumes it is a string instead, which is why you see VERSIONXXX.
IIRC it throws a warning if you're error reporting is at the appropriate level. The best solution here is to ensure your code utilizes the proper constant names.
If you know the name of the constant, it's easiest/best to use it directly. echo MY_CONSTANT
If you don't know the name of the constant (e.g. it's name is in a variable), use constant():
$name = 'MY_CONSTANT';
echo constant($name);
In reverse Order:
Question 3: No
Question 2: Not really, but you can make adjustments.
because of (Question 1:) error_reporting. You PHP webserver is configured hide some errors. If you add
error_reporting(E_ALL);
to your scripts head, you will get a
Use of undefined constant MY_CONST - assumed 'MY_CONST'
Error. Unfortunately it's a problem coming out of PHP's long history, that constants can be interpreted as strings.
If you can not be shure a constant was set in the first place you can use defined
if(defined('MY_CONSTANT') {
//do something
}
But my personal opinion there shouldn't be many cases to need this, since the word constant alone implies a garanteed presence. The only exception I can think of is the typical header test.
if(!defined('MY_APP_IS_PRESENT')) {
die('You can not call this file on its own, please use index.php.');
}
And one last tipp: Go and make yourself a errorhandler function, maybe even with firephp?
Well, you could always use defined function to make sure the constant exists. Combined with a ternary statement, you could simply echo an empty string, something like:
echo defined( VERSION ) ? VERSION : "";
Not the best answer, but workable?
PHP manual for defined() is at http://php.net/manual/en/function.defined.php
In PHP if I define a constant like this:
define('FOO', true);
if(FOO) do_something();
The method do_something gets executed as expected.
But if I don't define the BOO constant below:
if(BOO) do_something();
Then do_something also gets executed. What's going on here?
// BOO has not been defined
if(BOO) do_something();
BOO will be coerced into the string BOO, which is not empty, so it is truthy.
This is why some people who don't know better access an array member with $something[a].
You should code with error_reporting(E_ALL) which will then give you...
Notice: Use of undefined constant HELLO - assumed 'HELLO' in /t.php on line 5
You can see if it is defined with defined(). A lot of people use the following line so a PHP file accessed outside of its environment won't run...
<?php defined('APP') OR die('No direct access');
This exploits short circuit evaluation - if the left hand side is true, then it doesn't need to run the right hand side.
If you enable error logging, you'll see an error like the following:
PHP Notice: Use of undefined constant BOO - assumed 'BOO' in file at line N
What's happening is that PHP is just arbitrarily assuming that you meant to use 'BOO' and just forgot the quotes. And since strings other than '' and '0' are considered "true", the condition passes.
If it's not the existance of the constant you want to test, but if you want to test the value of the constant you defined, this might be a better way: if(BOO === true) or if(BOO === false)
if($FOO) do_something();
Just using FOO takes it as a value rather than the variable you defined. Better to use PHP's defined.
PHP is dynamically typed. You can achieve what you're trying to do with a function such as this:
function consttrue($const) {
return !defined($const) ? false : constant($const);
}
PHP will automatically make the guess that you meant the string format, which a string will return true.
However you should use the defined method:
bool defined ( string $name )
So it would be:
if(defined('BOO')) {\\code }
Another option is to use php's constant() function, as in:
if (constant('BOO')) doSomething();
Remember to enclose the constant's name in quotes.
Here is a PHP replit demonstrating the examples below.
Ap per the php docs, if the constant is defined, its value is returned; otherwise, null is returned.
Since null is falsey, this will behave as expected.
This can be used in cases where you need to know if something is explicitly defined as true (or at lease a truthy value) vs either not defined, or defined with a falsey value. This works particularly well when having a variable defined is the exception, or having it undefined could be a security risk.
if (constant('IS_DEV')) {
// *Remember to enclose the constant's name in quotes.*
// do stuff that should only happen in a dev environment
// By Default, if it didn't get defined it is, as though, 'false'
}
Using constant() when checking against variables is a good practice to mitigate against security risks in certain situations. For example, printing out php info only if a certain constant is (defined and) TRUE.
As your question shows, PHP's string conversion would expose details if somehow the constant did not get defined.
Alternately, you could:
if (defined('IS_DEV') && (IS_DEV)) {
// *Remember to enclose the constant's name in quotes for the FIRST operator.*
// do stuff that should only happen in a dev environment
}
Another method that would work is to use === or !==, which tests exact equality (including type), without performing typecast a conversion.
if (IS_DEV === true)) {
// do stuff that should only happen in a dev environment
}