I have question about some behavior I was just debugging, specifically what happens if a variable which is already set is assigned to an undefined value. I just want to check that I'm understanding what happened correctly. If a variable has a value set already, and you try to set it to something undefined, it stays at its old value?
Specifically, I had some PHP code that looked approximately like this - assume that $string is some string of 1's and 2's.
$array = array(1 => 'foo', 2 => 'bar');
for($count=0;$count<len($string);$count++)
{
$newvar = $array[$string[$count]];
if(!empty($newvar))
{
switch($newvar)
{
case 'foo':
// blah blah break;
case 'bar':
// blah blah break;
}
}
}
Now, my code was supposed to set $string to be something like "12212", but an error on my part was sending it something with extra spaces at the end - "12212 ". This caused some aberrant behavior, and I think what happened was this - when $count=5, $string[5] is undefined, so $array[$string[5]] is undefined, and $newvar stays as 2. Thus my if(!empty statement doesn't do its job and case 'bar' happens more times than it should have. Does that all seem like what would happen?
Of course, trimming $string solved my problem, but I want to make sure I understand what was going wrong. Apologies if this is a stupid question - I'm just an amateur here....
Edit: Here's the actual code. $upstr is supposed to be a string of digits.
$len = strlen($upstr);
$cost=0;
$upnames = array(4=>"man", 2=>"raw", 1=>"food", 3=>"fuel",5=>"tech");
for($strloop=0;$strloop<$len; $strloop++)
{
$number = $upstr[$strloop];
if(! empty($number))
{
$name = $upnames[$number];
$cost+= mysql_result($result1,0,$name) +1;
if(mysql_result($result2,0,$name."up")==1)
{
$cost+=100;
}
}
}
What happened when $upstr had some extra spaces at the end was I would see a mysql error, that it couldn't find the column "up" in $result2 . So it was trying to run that block of code in the if() statement with $name being empty or NULL or something. And if I intentionally added 3 or 4 extra spaces, I would see that many mysql errors.
I'm afraid the definition of variable $array is incorrect in your code example, it should read as follows:
$array = array(1 => 'foo', 2 => 'bar');
If you set $newvar to an undefined element of $array (e.g. 3) then $newvar will be set to NULL.
Use array_key_exists($array, $string[$count]) to check if your array has value for your key.
Ok, I've figured out what was causing the behavior I saw. The strings '' and ' ' behave differently under empty(). One of them is considered empty and the other isn't, which was confusing me. Thanks so much for all the help.
Related
I've search different forms but didn't understand how to solve the problem first found here (first link, second link) but its giving me the error in eval. I can't figure it out how to solve in that code in foreach loop.
foreach($_POST as $key => $value) {
if(!strstr($key, 'removeFile')){
//initialize variables using eval
eval("$" . $key . " = '" . sanitize($value) . "';");
}
}
First, the issues I have with your code:
eval is very, very rarely needed, and extremely dangerous, use with caution. I've been developing in PHP for over 10 years, and never really encountered a situation that needed eval. This is no exception. Eval is not required
You're sanitizing the entire $_POST array. That's great, but there are special functions for doing that, like: filter_input_array, array_filter and many, many more... not to mention ready-made, open source projects and frameworks that already contain a solid request validation component.
Always check the return values of functions, which you seem to be doing with strstr, but be weary of functions that return different types (like strstr: it returns false if the needle isn't found, but returns 0 if the needle is found at the start of the haystack string). Your if statement might not work as intended.
You're assuming sanitize($value) values will not contain any single quotes. Why? Because if they do, you'll end up with a syntax error in your evaled string
Be that as it may, you could easily write your code using variable variables and add a simple check not to step on existing variables in scope:
$sanitized = array_filter($_POST, 'sanitize');//call sanitize on all values
foreach ($sanitized as $key => $value)
{
if (!isset($$key) && strstr($key, 'removeFile') === false)
$$key = $value;
}
But really, $_POST values belong together, they are part of the request, and should remain grouped... either in an array, or in an object of some sort. Don't assign each value to its own variable, because pretty soon you'll loose track of what variables are set and which are not. Using an unset variable creates that variable, assigning value null, so what you have now makes for very error-prone code:
//request 1: POST => id=123&foo=bar
foreach ($sanitized as $k => $v)
$$k = $v;
$query = 'SELECT x, y, z FROM tbl WHERE id = ?';//using posted ID as value
$stmt = $db->prepare($query);
$stmt->execute(array($id));
All is well, because $id was set, but never trust the network, don't assume that, just because $_POST is set, all the keys will be set, and their values will be correct:
//request 2: POST => foo=bar&page=2
foreach ($sanitized as $k => $v)
$$k = $v;
$query = 'SELECT x, y, z FROM tbl WHERE id = ?';//using posted ID as value
$stmt = $db->prepare($query);
$stmt->execute(array($id));//id is null
Now we have a problem. This is just one example of how your code might cause issues. Imagine the script grows a bit, and look at this:
//request 3: POST => id=123&foo=bar&page=2
foreach ($sanitized as $k => $v)
$$k = $v;
//$id is 123, $foo is bar and $page = 2
$query = 'SELECT x, y, z FROM tbl WHERE id = ? LIMIT 10';//using posted ID as value
//a lot more code containing this statement:
$page = someFunc();
$log->write('someFunc returned log: '.$page);
//more code
$offset = 10*($page-1);//<-- page is not what we expected it to be
$query .= sprintf(' OFFSET %d', $offset);
$stmt = $db->prepare($query);
$stmt->execute(array($id));
Now this may seem far-fetched, and idiotic, but believe me: all of these things happen, more than I care to know. Adding some code that accidentally overwrites an existing variable that is used further down happens all the time. Especially in procedural code. Don't just blindly unpack an array. Keep that single variable, and use the keys to avoid:
grey hair
sudden, dramatic baldness
loss of sanity
bleeding ulcers
In a work environment: catastrophic loss of data
Sudden loss of job
... because code like this makes unicorns cry, and bronies will hunt you down
As the first answer to the post you linked to, the problem is that when using double quotes PHP thinks your eval() code starts with a variable. As that is not the case you have two options. Use single quotes and remember to escape the single quotes declaring a string in the code or escape the dollar sign.
Bonus note
There exist more elegant solutions to the problem you are trying to solve. The best solution I can think of is using the extract function. This gives to two main benefits.
It works with all associative arrays
You can specify different flags that can help you distinguish the extracted variables apart and avoid variable injection.
One flag you can use is EXTR_PREFIX_ALL. This will prefix all the extracted variables with your own prefix. You would then access the variables with a prefix of 'PREFIX_' like the following:
$array = [
'variable1' => 'foo',
'variable2' => 'bar'
];
extract($array, EXTR_PREFIX_ALL, 'PREFIX_');
$value1 = $PREFIX_variable1; // Equals: foo
$value2 = $PREFIX_variable2; // Equals: bar
A little on code injection
Suppose you have some code:
$login = false;
The $login variable determines if a user is logged in or not.
Then somewhere you use the ´extract´ function with an array of the following without using any flags.
$array = [
'login' => true,
'foo' => 'bar'
];
extract($array);
Now your $login variable would be set to true and the user posting the data would have overwritten the initial setting and gained access to your website without a valid login. Bear in mind this is a over simplified example, but nonetheless valid.
To overcome this you can use the flag EXTR_SKIP or prefix them like I previously showed. The EXTR_SKIP flag will skip the array element if a variable with the same name already is defined. So now your code would not overwrite your $login variable.
extract($array, EXTR_SKIP); // Skip existing variables
// Or
extract($array, EXTR_PREFIX_ALL, 'prefix'); // Prefix them all.
Hope this can guide to the right choice for your needs.
Regards.
I've looked around SO, but can't find an explanation to what is going on in my $_SESSION variables.
#ob_start();
$k=#ob_get_contents();
#ob_end_clean();
#session_start();
unset($s,$m);
$m1 = explode(" ", microtime());
$stime = $m1[1] + $m1[0];
echo $k;
$_SESSION['resendConfirmation']['function'] = 'resend';
$_SESSION['resendConfirmation']['id'] = '8';
print_r($_SESSION);
outputs:
Array ( [resendConfirmation] => 8esend )
Why is it string replacing? I've never had this issue before.
What I want is thus:
Array([resendConfirmation] => Array(
[id] =>8
[function} => resend
)
)
I've never had this happen before, I'm totally confused!
UPDATE
In response to #DanRedux I've changed to two non-existent variable names to take the referencing out of the equation, still the same result...
$_SESSION['resendConfirmation']['tweak'] = 'resend';
$_SESSION['resendConfirmation']['tweak2'] = '8';
Same result :(
Did a sitewide query of resendConfirmation and none were found, but once I change that array name, it all worked, baffled, but fixed...
$_SESSION['reConfirm']['function'] = 'resend';
$_SESSION['reConfirm']['id'] = '8';
print_r($_SESSION);
Since I dont really know what other sorts of shenanigans the code is up to outside of this block you gave us I would say to just try this instead:
$_SESSION['resendConfirmation'] = array('id' => 8, 'function' => 'resend');
If this also fails then there has to be something else going on outside of what you posted. Good luck!
What you think is an multidimensional array really isn't. What really happens is:
What you think is an array is really a string. After that you are trying to access the string as an array. You are trying to access the element id which doesn't exists. PHP always tries to be smarter than it should and just says: OK I'll assume you meant the first index. So basically what happens is:
<?php
$notAnArray = 'somestring';
$notAnArray['id'] = '8';
var_dump($notAnArray); // 8omestring
This is the reason you should always enable error_reporting on your development machine:
error_reporting(E_ALL | E_STRICT);
ini_set("display_errors", 1);
And never suppress errors using #. Well there are some situations where you can use #, but this really isn't one of them.
I tried to find a proper and explanatory title but I couldn't and I will try to explain what I am asking here:
Normally if you don't assign an empty array to a variable, you can start assign values to indexes like this:
$hello["world"] = "Hello World";
...
echo $hello["world"];
but I always encounter such definition:
$hello = array() //assigning an empty array first
$hello["hello"] = "World";
...
echo $hello["hello"];
Why is it used a lot. Is there a performance gain or something with the second one?
Thanks.
Two reasons:
Better readability (you know the array is initialized at this point)
Security - when running on a system with register_globals enabled a user could add e.g. hello[moo]=something to the query string and the array would already be initialized with this. $hello = array(); overwrites this value though since a new array is created.
Initializing your variables is good practice.
Take for example this:
$foo = 'bar';
// 10 lines and 1 year later
$foo['baz'] = 'test';
Congratulations, you now have the string "tar".
This may happen accidentally and introduce needless bugs. It gets even worse with conditional variable creation. It's avoided easily by getting into the good habit of explicitly initializing your variables.
$hello = array();
if(someConditionIsTrue){
$hello["world"] = "Hello World";
}
foreach($hello as $val){ // this will not give you any error or warning.
echo $val;
}
But
if(someConditionIsTrue){
$hello["world"] = "Hello World";
}
foreach($hello as $val){ // this will give you error .
echo $val;
}
If I remember correctly, the first one will produce a warning by PHP if you have error_reporting as E_ALL. You should always use the second method because it explicitly initialises a new array. If you are looking through code and out of nowhere see $hello["hello"] but cannot recall seeing any reference to $hello before, it would be confusing.
The same will happen if you do $hello[] = "World", a warning will be displayed
This is a very very weird bug that happens randomly. So I will try to explain this as best as I can. I'm trying to diminish the code substantially to pinpoint the problem without having to reference a framework, nor deal with 500 lines of code outside of the framework - so I will try and come back and update this question when I do. OK, so here we go.
So basically say I'm taking a string in a function and preg_replace like so:
$table = '/something';
print $table;
$table = preg_replace("#^(/)#",'prefix_',$table);
print $table;
The output will look something like
...
/something - prefix_something
/something - prefix_something
/something - /something
You have an error in you sql query... blah blah somewhere around SELECT * FROM /something
What happens is that after rolling through the code, this simply stops working and the sql errors out. What's more strange is that if I start commenting out code outside the function it then works. I put that code back in, it breaks.
I tried recoding this by substr($var,0,1) and var_dumping the variable. After a few rounds it returns a bool(false) value even though $var is in fact a string. It's very very strange. Has anybody run into this before? Is this a PHP bug? It's looking like it to me.
-- EDIT --
Example:
foreach ( $user as $id => $user ) {
get_data("/table_name","*", "user_id = '$id'");
}
#in the function $_table_ holds "/table_name"
$_table_ = trim($_table_);
$tmp = explode(',', $_table_);
$tables = array();
foreach ($tmp as $c => $n) {
$n = trim($n);
$a = substr($n, 0, 1);
$b = substr($n, 1);
if ($a == false) {
var_dump($n);
$a = substr($n, 0, 1);
var_dump($b);
var_dump($a);
}
if ($a == '/') { etc...
Output:
string(11) "/table_name" string(10) "table_name" bool(false)
If I switch to the original preg_replace functionality, it simply does not preg_replace and the same thing happens "/table_name" is return rather then "prefix_table_name" and this happens randomly. Meaning it will work on the string it broke on if I comment code out outside of the function that is seemingly unrelated.
--- SOLUTION ----
I found out that it has to do with string to array conversion in another function that caused this strange error.
Basically a function was expecting a null or array() value and instead a number was passed. We have notices turned off, so I turned them on and started fixing all the notices and warnings and that's how I found this strange bug. Now exactly what the inner workings are that created the problem is unknown to me. However I can define the symptom as a string assignment problem that would occur at some other place in the code which we caught when it wouldn't reassign the $table variable with the new preg_replace value which is detailed above. Now you know. The function looks something similar to this:
function format_something($one, $two, $three = array()){
if ($three['something'] == 'Y') {
/** etc... */
}
...
format_something('one','two',3);
After a while in a loop this type of conversion started having problems randomly in the code.
substr doesn't always return a string. If it can't find the substring, it returns false.
Return Values
Returns the extracted part of string, or FALSE on failure or an empty string.
You should test for this condition and var_dump the string you are searching to see what it contains in such cases.
Can this be done in 1 line with PHP?
Would be awesome if it could:
$out = array("foo","bar");
echo $out[0];
Something such as:
echo array("foo","bar")[0];
Unfortunately that's not possible. Would it be possible like this?
So I can do this for example in 1 line:
echo array(rand(1,100), rand(1000,2000))[rand(0,1)];
So let's say I have this code:
switch($r){
case 1: $ext = "com"; break;
case 2: $ext = "nl"; break;
case 3: $ext = "co.uk"; break;
case 4: $ext = "de"; break;
case 5: $ext = "fr"; break;
}
That would be much more simplified to do it like this:
$ext = array("com","nl","co.uk","de","fr")[rand(1,5)];
Why not check out the array functions on the PHP site?
Well, if you're picking a random element from the array, you can use array_rand().
$ext = array_rand(array_flip(array("com","nl","co.uk","de","fr")));
echo array_rand(array_flip(array('foo', 'bar')));
array flip takes an array and swaps the keys with the values and vice versa. array_rand pulls a random element from that array.
You can use a shorthand form to keep things on one line and avoid creating an array that will never be used again.
echo rand(0,1) ? rand(1,100) : rand(1000,2000);
Yes, list a PHP language construct that allows the syntax below.
list( $first_list_element ) = array( "foo", ..... );
EDIT:
Still Yes, Missed the echo. Reset will return the first array item, which might not always be index 0, but if you create an array normally it will.
echo reset( array( "foo",... ) );
EDIT AGAIN:
After you updated your question I see that you want something that PHP just can't do well. I personally think it's a syntax design error of the PHP language/interpreter. If you just mean one-line you could do.
$array = array( .... ); echo $array[0];
I think your example may not be the best. The real syntax limitation here is that one can not immediately perform array access on the returned value of a function call, as in,
do_something_with(explode(',', $str)[0]);
And you pretty much can't get around it. Assign to a variable, then access. It's a silly limitation of PHP, but it's there.
You can technically do,
function array_access($array, $i) {
return $array[$i];
}
do_something_with(array_access(explode(',', $str), 0));
But please don't. It's even uglier than an extra variable asignment.
(Given the edit to the question, this no longer a sufficient answer. However, I will leave it up for reference.)
Like #Matchu's answer, this addresses the more general case, ie you have an array value that came from somewhere, be it a function call, an instantiated array, whatever. Since the return value from an arbitrary function is the least specific case, I'll use a call to some_function() in this example.
$first_element = current(array_slice(some_function(), 0, 1));
So you could randomize it with
$random_element = current(array_slice(some_function(), rand(0,1), 1));
but in that case (as in many in php) there is a more specialized function for that; see #animuson's answer.
edited
changed array_shift() call to current() call: this is more efficient, because array_shift() will modify the intermediate array returned by array_slice().
This is being discussed in the internals mailing list right now. You might want to check it: http://marc.info/?l=php-internals&m=127595613412885&w=2
print $a[ array_rand($a = array('com','nl','co.uk','de','fr')) ];