[PHP] More On: Good Practice: Variables, Error Reporting and Security

2002-10-05 Thread Adam Royle

I very much appreciate the suggestions made by the people on this list, 
although for me, when developing, the less typing I have to do, the 
less errors I am bound to come across, and therefore the less debugging 
I must do. (Now, doesn't this seem sensible?)

Anyway, I have developed a function and incorporated Maxim's code 
(thank you) to make importing variables (into global scope) easier (with 
register_globals turned off).

I have it sitting in my lib.php which contains all common functions 
(database functions, etc) that I use with my scripts and is included on 
every page I write.

To use my function, simply write:

importVars($_GET, 'var1,var2,var3'); // this will get var1, var2 and var3 from the querystring
importVars($_SESSION); // this will import all session information

This was tested with error_reporting set to E_ALL. Often in my code I 
will do something like this.

if ($flag) {
    // do certain code relating to $flag
}

If $flag has not been initialized, this check will produce a NOTICE 
error, which appears if you are using E_ALL. So, my function will take 
all the variables you pass to it (through the comma-delimited string) 
and either import the variables (if they exist) or create an empty 
variable (zero-length string). This way you can do the check. I know 
some people will say you could just use if (isset($flag)), but I like to 
take advantage of PHP's automatic type conversion.

Another feature of my function is that if you don't supply a string of vars 
to import, it will bring in everything from that array. This lets 
people import all the variables they want, if they don't care about 
security, or are protecting it through other means (extensive var 
checks), etc.

i.e. importVars($_GET);

So I hope this stuff helps some people out there.

Also, can anyone see any problems with my function? (Performance-wise 
or security-wise).

Adam


/*
  Credit given to: Maxim Maletsky [EMAIL PROTECTED]
  Alter variables for the versions prior to 4.1.0
  NOTE: $_REQUEST global variable is NOT supported.
*/
if (strnatcasecmp('4.1.0', PHP_VERSION) > 0) {
    // Map each new superglobal name to its pre-4.1.0 equivalent.
    foreach (array(
        '_GET'     => 'HTTP_GET_VARS',
        '_POST'    => 'HTTP_POST_VARS',
        '_COOKIE'  => 'HTTP_COOKIE_VARS',
        '_SESSION' => 'HTTP_SESSION_VARS',
        '_SERVER'  => 'HTTP_SERVER_VARS',
        '_ENV'     => 'HTTP_ENV_VARS',
        '_FILES'   => 'HTTP_POST_FILES'
    ) as $transvar['new'] => $transvar['old']) {
        // Braces make the variable-variable unambiguous: ${'HTTP_GET_VARS'}
        if (isset(${$transvar['old']}) and is_array(${$transvar['old']})) {
            $GLOBALS[$transvar['new']] = ${$transvar['old']};
        }
    }
    // Unset transvar, we do not need it anymore.
    unset($transvar);
}

/*
  function importVars()
  Written by: Adam Royle [EMAIL PROTECTED]
  Imports vars from $arrVarType into the global scope.
  Example: importVars($_GET, 'page,ID,num');
  Will create the three variables $page, $ID and $num, and will fill them
  with data from the querystring. If there is no data in the querystring,
  it will create a zero-length string.
*/
function importVars($arrVarType, $strVarList = '')
{
    if (!trim($strVarList)) {
        // import all variables from $arrVarType
        foreach ($arrVarType as $var => $value) {
            $GLOBALS[$var] = $value;
        }
    } else {
        // only import variables in $strVarList
        $arrVarList = explode(',', $strVarList);
        foreach ($arrVarList as $var) {
            $var = trim($var);
            if (isset($arrVarType[$var])) {
                $GLOBALS[$var] = $arrVarType[$var];
            } else {
                $GLOBALS[$var] = '';
            }
        }
    }
}


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
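As an added example (not Adam's code, Maxim's code, or anything else from the list), here is an allow-list-only variant that answers the "security-wise" question from a defensive angle: the list of names is mandatory, so the "import everything" path that re-creates register_globals behaviour is not available; names are validated as plain identifiers; and a global the script has already set is never overwritten by request input. The function name `importVarsSafe`, the `$request` array standing in for `$_GET` and the `$isAdmin` flag are all constructed for this demonstration.

```php
<?php
// Added example, not code from the original thread.
// Assumes PHP 5.1 or later (array type hints) and a constructed $request
// array in place of $_GET.

/**
 * Import only the named keys from $source into global scope.
 * Compared with the list's importVars():
 *  - the name list is mandatory, so there is no "import everything" mode;
 *  - names must be plain identifiers, so keys such as "GLOBALS", "this"
 *    or "a b" are refused instead of being written into $GLOBALS;
 *  - an existing global is left alone unless $overwrite is true, so
 *    request input cannot clobber state the script set earlier.
 * Returns the names that were actually imported.
 */
function importVarsSafe(array $source, array $names, $overwrite = false)
{
    $imported = array();
    foreach ($names as $name) {
        $name = trim($name);
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)
            || $name === 'GLOBALS' || $name === 'this') {
            trigger_error("importVarsSafe: refusing to import '$name'", E_USER_WARNING);
            continue;
        }
        if (!$overwrite && array_key_exists($name, $GLOBALS)) {
            // The script's own value wins over anything in the request.
            continue;
        }
        // Same behaviour as the original for a missing key: zero-length string.
        $GLOBALS[$name] = isset($source[$name]) ? $source[$name] : '';
        $imported[] = $name;
    }
    return $imported;
}

// --- Demonstration with a constructed request (stands in for $_GET) ---
$isAdmin = false;              // set by the script before any import happens
$request = array(              // constructed input, not a real request
    'page'    => '3',
    'isAdmin' => '1',          // an unexpected key that must not win
    'GLOBALS' => 'x',
);

$done = importVarsSafe($request, array('page', 'num', 'isAdmin'));

var_dump($done);     // names that were imported
var_dump($page);     // value taken from the request
var_dump($num);      // absent from the request, so created empty
var_dump($isAdmin);  // still the value the script set
```

Running this shows `page` imported from the request, `num` created as an empty string exactly as the original function would do, and `isAdmin` skipped because the script had already defined it, so it stays `false` even though the request carried `isAdmin=1`. The `GLOBALS` key in the request is never consulted because it is not in the allow-list; had it been listed, the identifier check would have refused it with a warning.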




Re: [PHP] More On: Good Practice: Variables, Error Reporting and Security

2002-10-05 Thread Sascha Cunz

On Saturday, 5 October 2002 20:44, Adam Royle wrote:
> I very much appreciate the suggestions made by the people on this list,
> although for me, when developing, the less typing I have to do, the
> less errors I am bound to come across, and therefore the less debugging
> I must do. (Now, doesn't this seem sensible?)

Well, have you ever read a perl script? :-)
The shortest source is not the best in all cases. Consider that there will be 
times you must read the source again - well, the easier it is written (and 
structured), the easier you will see again how it works...

--Sascha






Re: [PHP] More On: Good Practice: Variables, Error Reporting and Security

2002-10-05 Thread Adam Royle

What I mean is, by using functions to do the hard work for you, it is 
less common to make an obvious mistake. I have a couple of functions 
that I use in most of my scripts.

eg.

securityCheck(); // authenticates the user

dbConnect(); // connects to database with default parameters (in config file)

$sql = "SELECT * FROM tblName";
$data = GetData($sql, VARIABLES); // grabs data from db and puts in global scope

Now if you compare the above code to something which does all that 
manually, then you'll be typing a heck of an amount. If you have to 
search through a hundred lines of code, it would be more difficult than 
searching through 4 lines of code, don't you think? A lot of errors 
people make are spelling errors.

Like so:

$ymVar = $_GET['myVar'];

or

$myVar = $HTTP_POST_VAR[myVar];

Now if you did this:

importVars($_POST, 'myVar,foo,bar');

It would be much easier to debug because you only have to look at one 
line, because you know the function is working. If you don't see it in 
that one line, print_r($GLOBALS); might show you if the var is getting 
transferred, etc.

I know what you're saying about confusing code, where putting 
more than one statement on one line is difficult to debug, but that's 
different from targeting spelling errors.

Adam

On Sunday, October 6, 2002, at 07:57 AM, Sascha Cunz wrote:

> On Saturday, 5 October 2002 20:44, Adam Royle wrote:
> > I very much appreciate the suggestions made by the people on this 
> > list,
> > although for me, when developing, the less typing I have to do, the
> > less errors I am bound to come across, and therefore the less 
> > debugging
> > I must do. (Now, doesn't this seem sensible?)
>
> Well, have you ever read a perl script? :-)
> The shortest source is not the best in all cases. Consider that there 
> will be
> times you must read the source again - well, the easier it is written 
> (and
> structured), the easier you will see again how it works...
>
> --Sascha



