Php check for value. Checking for Variable Existence

I want to check if a variable exists. Now I am doing something like this:

try:
    myVar
except NameError:
    # Do something.
    pass

Are there other ways without exceptions?


2018-05-09 13:10

Answers:

To check for the existence of a local variable:

if "myVar" in locals():
    # myVar exists.
    pass

To check if a global variable exists:

if "myVar" in globals():
    # myVar exists.
    pass

To check if an object has an attribute:

if hasattr(obj, "attr_name"):
    # obj.attr_name exists.
    pass


2018-05-09 13:16

Using variables that have not been defined or set (implicitly or explicitly) is almost always bad, as it indicates that the logic of the program has not been thought through properly and is likely to lead to unpredictable behavior.

The next trick, which is similar to yours, will ensure that the variable has some value before use:

try:
    myVar
except NameError:
    myVar = None

# Now you're free to use myVar without Python complaining.

However, I still don't think it is a good idea; in my opinion you should refactor your code so that this situation doesn't occur.


2018-05-09 13:19

Using try/except is the best way to check the existence of a variable. But there's almost certainly a better way to do what you're doing than setting/testing global variables.

For example, if you want to initialize a module level variable the first time some function is called, you are better off with code something like this:

my_variable = None

def InitMyVariable():
    global my_variable
    if my_variable is None:
        my_variable = ...


2018-05-09 13:27

For objects/modules, you can also use

"var" in dir(obj)

For example,

>>> class Something(object):
...     pass
...
>>> c = Something()
>>> c.a = 1
>>> "a" in dir(c)
True
>>> "b" in dir(c)
False


2017-10-28 18:39

The easy way is to initialize it first:

myVar = None

Then later:

if myVar is not None:
    # Do something
    pass


2018-06-04 18:46

I'm assuming the test will be used in a function similar to user97370's answer. I don't like this answer because it pollutes the global namespace. One way to fix this is to use a class instead:

class InitMyVariable(object):
    my_variable = None

    def __call__(self):
        if self.my_variable is None:
            self.my_variable = ...

I don't like it because it complicates the code and opens up questions such as whether this should conform to the Singleton programming pattern. Luckily, Python has allowed functions to have attributes for a while, which gives us this simple solution:

def InitMyVariable():
    if InitMyVariable.my_variable is None:
        InitMyVariable.my_variable = ...

InitMyVariable.my_variable = None


2018-03-25 20:31

2018-05-09 13:12

A way that often works well for handling this kind of situation is to not explicitly check if the variable exists but just go ahead and wrap the first usage of the possibly non-existing variable in a try/except NameError.

You can check whether a given variable exists (that is, whether it has been initialized). The following function is used for this:

isset(variable);

If the variable does not exist at that moment (it has not been assigned a value anywhere before, or it was removed by the unset() function), isset() returns false; otherwise it returns true:

$x = 5;
if (isset($x))
    echo '<BR>Variable $x exists, ', "its value is $x<BR>";

The screen will display:

Variable $x exists, its value is 5

It is important to remember that an uninitialized variable must not be used in the program: doing so generates a warning from the PHP interpreter.

To find out whether the value of a variable is empty, the following function is used:

empty(variable);

If the value of the variable is zero, "0", NULL, an empty string (""), false, or an empty array, or if the variable is not declared, this function returns true; otherwise it returns false.

To check the type of a variable, the following functions are used:

is_string(variable);

is_int(variable);

is_float(variable);

is_null(variable);

is_array(variable);

is_numeric(variable); - true if the variable is numeric (integer, float) or a string containing only numbers.

These functions return true if the variable is of the specified type.

Data output

Unformatted output

Unformatted output of strings or variable values is performed by the function:

echo list of variables;

echo string;

where list of variables is the names of the variables to output, separated by commas.

When the script is serving a web browser, this function sends the output to the client, where it appears in the browser window.

As already mentioned, if a string enclosed in double quotes contains variable names, the corresponding values are displayed instead of the names. Moreover, if such a string contains HTML tags (descriptors enclosed in angle brackets), the browser renders this HTML code exactly as it would when interpreting an HTML document. For the same reason, a variable that holds user-supplied data should be passed through htmlspecialchars() before it is echoed, otherwise the browser will interpret any tags it contains:

<?php
$year = 2012;
$message = "Wish everyone <B><I>happiness!</I></B>";
echo "<H3>My congratulations!</H3>";
echo "Has come $year year!<BR>$message<BR>";
?>

The screen will display a level H3 heading followed by the greeting, with the word "happiness!" printed in bold italics:

My congratulations!

Has come 2012 year!
Wish everyone happiness!

This is how you create dynamic websites.

Formatted output

Formatted output lets you display numbers in different number systems and, in the decimal system, in different forms (formats). It is similar to formatted output in C and is performed by the functions:

printf("format", output list);

sprintf("format", output list);

The first function displays the formatted data in the browser window and returns the number of characters output.

The second function only formats the output data and returns the resulting string without displaying it.

The format is a sequence of conversion descriptors for the output values.

The conversion descriptor for each value looks like this:

%PaddingAlignmentLength.PrecisionType

- Padding - the character used to pad the conversion result to the given length (a space by default); any other character is preceded by a single quote (apostrophe),

- Alignment - by default, to the right edge of the output field; if a minus (-) is given, to the left edge,

- Length - the output field width, that is, the number of character positions allocated for this value. If the value occupies fewer positions than the given length, the remaining space is filled with spaces or padding characters,

- Precision - the number of decimal places in the fractional part of the number,

- Type - the type of the output value:

b - binary,

c - character,

d - integer in the decimal number system,

e - real number in exponential form (floating point),

f - real number in fixed-point form,

s - string,

o - integer in the octal number system,

x - integer in the hexadecimal number system.

Example:

<?php
$zarp_1 = 6543.21;
$zarp_2 = 45321.67;
$fam_1 = "Balaganov";
$fam_2 = "Bender";

printf("<H1>Payroll</H1>");
// '. selects a period as the padding character
printf("%'.-12s%'.10.2f rub.", $fam_1, $zarp_1);
echo "<BR>";
printf("%'.-12s%'.10.2f rub.", $fam_2, $zarp_2);
echo "<BR>";
?>

A period was chosen as the padding character ('.). Last names are left-aligned (-) in a field 12 characters wide. The numbers are printed in fixed-point form, right-aligned in a field 10 characters wide, with a precision of 2 decimal places.


I have (or not) a $_GET["myvar"] variable coming from my query string and I want to check if that variable exists and also if the value matches something inside my if statement:

What I'm doing, and think is not the best way to do it:

if (isset($_GET["myvar"]) && $_GET["myvar"] == "something") {
    // do something
}

This is a simple case, but imagine having to compare many of those $myvar variables.

Answers

This is similar to the accepted answer, but uses in_array instead. I prefer to use empty() in this situation. I also suggest using the new string array declaration which is available in PHP 5.4.0+.

$allowed = ["something", "nothing"];
if (!empty($_GET["myvar"]) && in_array($_GET["myvar"], $allowed)) {
    // ...
}

Here is a function to check multiple values at once.

$arrKeys = array_keys($_GET);
$allowed = ["something", "nothing"];

function checkGet($arrKeys, $allowed)
{
    $values = [];
    foreach ($arrKeys as $key) {
        if (in_array($_GET[$key], $allowed)) {
            // keep only the parameters whose value is on the allow-list
            $values[$key] = $_GET[$key];
        }
    }
    return $values;
}

I use my own useful function exst(), which automatically declares variables.

$element1 = exst($arr["key1"]);
$val2 = exst($_POST["key2"], "novalue");

/**
 * Function exst() - Checks if the variable has been set
 * (copy/paste it in any place of your code)
 *
 * If the variable is set and not empty returns the variable (no transformation)
 * If the variable is not set or empty, returns the $default value
 *
 * @param mixed $var
 * @param mixed $default
 *
 * @return mixed
 */
function exst(&$var, $default = "")
{
    $t = "";
    if (!isset($var) || !$var) {
        if (isset($default) && $default != "") $t = $default;
    } else {
        $t = $var;
    }
    if (is_string($t)) $t = trim($t);
    return $t;
}

Well, you can get away with just if($_GET["myvar"] == "something") since that condition assumes the variable also exists. If it is not, the expression will also evaluate to false.

I think it's ok to do it in conditionals like above. Really no harm.

My question is, is there a way to do this without declaring the variable twice?

No, there is no way to do this correctly without doing two checks. I hate it too.

One way to get around this is to import all relevant GET variables at one central point into an array or object of a certain type (most MVC do this automatically) and set all the properties that are needed later. (Instead of access to query variables via code.)

if (isset($_GET["myvar"]) == "something")

Thanks to Mellowsoon and Pekka, I did some research here and came up with this:

  • Check and declare each variable as null (if so) before use (as recommended):
!isset($_GET["myvar"]) ? $_GET["myvar"] = 0:0;

* ok, it's simple but works great, you can start using the variable everywhere after this line

  • Using an array for all cases:
$myvars = array("var1", "var2", "var3");
foreach ($myvars as $key)
    !isset($_GET[$key]) ? $_GET[$key] = 0 : 0;

* after that you can use your variables (var1, var2, var3 ... etc)

PS: A function receiving a JSON object should be better (or a simple delimited string to bang/explode);

Better approaches are welcome :)

UPDATE:

Use $_REQUEST instead of $_GET, that way you cover $_GET and $_POST variables.

!isset($_REQUEST[$key]) ? $_REQUEST[$key] = 0 : 0;

The solution I found from playing is to do:

if ($x = &$_GET["myvar"] == "something") {
    // do stuff with $x
}

As a hint, you can consider this approach:

$required = array("myvar" => "defaultValue1", "foo" => "value2", "bar" => "value3", "baz" => "value4");
// array_diff_key() compares keys, so $missing maps each absent parameter to its default
$missing = array_diff_key($required, $_GET);
foreach ($missing as $key => $default) {
    $_GET[$key] = $default;
}

You set default values and set non-received parameters to default value :)

Unfortunately, this is the only way to do this. But there are approaches to working with large arrays. For example, something like this:

$required = array("myvar", "foo", "bar", "baz");
$missing = array_diff($required, array_keys($_GET));

The $missing variable now contains a list of values that are required but not present in the $_GET array. You can use the $missing array to display a message to the visitor.

Or you can use something like this:

$required = array("myvar", "foo", "bar", "baz");
$missing = array_diff($required, array_keys($_GET));
foreach ($missing as $m) {
    $_GET[$m] = null;
}

Now every required element has a default value by default. Now you can use if($_GET["myvar"] == "something") without worrying about the key not being set.

Update

Another way to clean up the code would be to use a function that checks if the value is set.

function getValue($key)
{
    if (!isset($_GET[$key])) {
        return false;
    }
    return $_GET[$key];
}

if (getValue("myvar") == "something") {
    // Do something
}

Why not create a function for that, convert the variable you want to check into a real variable, e.g.

function _FX($name)
{
    if (isset($$name)) return $$name;
    else return null;
}

then you do _FX("param") == "123" , just a thought

I have found a (much) better code to do this if you want to check anything in .

if [[ $1 = "" ]]
then
    echo "$1 is blank"
else
    echo "$1 is filled up"
fi

Why all this? Everything in exists in Bash, but it's empty by default, so test -z and test -n can't help you.

if [ ${#1} = 0 ]
then
    echo "$1 is blank"
else
    echo "$1 is filled up"
fi

The material is intended mainly for beginner web programmers.

Introduction.

I am often approached by clients who have a self-written CMS or modules installed that were written by novice web programmers who do not understand what is needed to protect data and who often copy filtering functions without thinking about how they work and what exactly needs to be done with them.

Here I will try to describe in as much detail as possible the common mistakes made when filtering data in a PHP script and give simple tips on how to filter data properly.

There are a lot of articles on the net about filtering data, but, as usual, they are incomplete and lack detailed examples.

Debriefing.

Filtration. Mistake #1
For numeric variables, the following check is used:

$number = $_GET["input_number"];
if (intval($number)) {
    // ... execute SQL query ...
}

Why does it lead to SQL injection? The point is that the user can put the following value in the input_number variable:

1"+UNION+SELECT

In such cases the check passes, because intval() returns the integer value of the variable, i.e. 1, but the $number variable itself is left unchanged, so the malicious code is passed on to the SQL query.
Correct filtering:

$number = intval($_GET["input_number"]);
if ($number) {
    // ... execute SQL query ...
}

Of course, the condition can change, for example if you need to accept only a certain range:

if ($number >= 32 AND $number <= 65)

If you are using checkboxes or multi-selects with numeric values, perform this check:

$checkbox_arr = array_map("intval", $_POST["checkbox"]);

I also come across filtering of the form:

$number = htmlspecialchars(intval($_GET["input_number"]));

Or:

$number = mysql_escape_string(intval($_GET["input_number"]));

This can cause nothing but a smile :)
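
The difference between testing intval() and using its result, run on constructed inputs; this is an added example, not code from the original article. The news table, the parse_id() and find_title() helpers and the in-memory SQLite database are assumptions, and the query uses a bound parameter instead of string concatenation.

```php
<?php
// Added example: table, column and function names are constructed.

// The flawed pattern from the text: intval() is used only in the condition,
// so the raw string would still reach the query.
function passes_weak_check(string $raw): bool
{
    return (bool) intval($raw);
}

// Strict parse: the whole string must be an integer inside the range,
// otherwise null is returned and no query is run.
function parse_id(string $raw, int $min = 1, int $max = PHP_INT_MAX): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

// The id travels as a bound integer parameter, never as query text.
function find_title(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT title FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $title = $stmt->fetchColumn();
    return $title === false ? null : (string) $title;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO news (id, title) VALUES (1, 'First post'), (40, 'In range')");

// Constructed inputs; the third is the value quoted in the article.
$samples = ['1', '40', '1"+UNION+SELECT', '0', 'abc'];
foreach ($samples as $raw) {
    $id = parse_id($raw);
    printf(
        "%-20s weak=%-4s strict=%-6s title=%s\n",
        var_export($raw, true),
        passes_weak_check($raw) ? 'pass' : 'fail',
        $id === null ? 'reject' : (string) $id,
        $id === null ? '-' : var_export(find_title($db, $id), true)
    );
}
```

The third input passes the weak check but is rejected by parse_id(), so it never gets near the query.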

Filtration. Mistake #2.
For string variables, the following filtering is used:

$input_text = addslashes($_GET["input_text"]);

The addslashes function escapes special characters, but it does not take the database encoding into account, so the filtering can be bypassed. I will not copy the text of the author who described this vulnerability and will simply refer to Chris Shiflett (you can search for the translation in Runet).

Use the mysql_escape_string or mysql_real_escape_string function, for example:

$input_text = mysql_escape_string($_GET["input_text"]);

Both functions belong to the old mysql extension, which was removed in PHP 7.0; on current PHP versions the counterpart is mysqli_real_escape_string(), and bound query parameters avoid the escaping problem altogether.
If you do not intend to accept HTML tags, then it is best to do the following filtering:

$input_text = strip_tags($_GET["input_text"]);
$input_text = htmlspecialchars($input_text);
$input_text = mysql_escape_string($input_text);

strip_tags - strips HTML tags.
htmlspecialchars - converts special characters into HTML entities.
This is how you protect yourself from XSS attacks, in addition to SQL injection.
If you need HTML tags, but only to display them as source code, then it is enough to use:

$input_text = htmlspecialchars($_GET["input_text"]);
$input_text = mysql_escape_string($input_text);

If it is important for you that the value of the variable is not empty, then use the trim function, for example:

$input_text = trim($_GET["input_text"]);
$input_text = htmlspecialchars($input_text);
$input_text = mysql_escape_string($input_text);

Filtration. Mistake #3.
This one is about searching the database.
To search by numbers, use the filtering described in the first mistake.
To search by text, use the filtering described in the second mistake, but with reservations.
To prevent the user from causing a logic error, you need to remove or escape SQL special characters.
Example without additional string processing:

$input_text = htmlspecialchars($_GET["input_text"]); // Search: "%"
$input_text = mysql_escape_string($input_text);

As a result, we get a query like:

... WHERE text_row LIKE "%".$input_text."%" ... // WHERE text_row LIKE "%%%"

This will significantly increase the load on the database.
In my script, I use a function that removes the characters I don't want from the search:

function strip_data($text)
{
    // characters removed outright
    $quotes = array("\x27", "\x22", "\x60", "\t", "\n", "\r", "*", "%", "<", ">", "?", "!");
    // characters kept, but prefixed with a backslash
    $goodquotes = array("-", "+", "#");
    $repquotes = array("\-", "\+", "\#");
    $text = trim(strip_tags($text));
    $text = str_replace($quotes, "", $text);
    $text = str_replace($goodquotes, $repquotes, $text);
    // preg_replace() stands in for ereg_replace(), which was removed in PHP 7
    $text = preg_replace("/ +/", " ", $text);
    return $text;
}

Of course, not all of the above characters are dangerous, but in my case they are not needed, so I perform a search and replace.
An example of using the filtering:

$input_text = strip_data($_GET["input_text"]);
$input_text = htmlspecialchars($input_text);
$input_text = mysql_escape_string($input_text);

I also advise you to set a minimum length for the search term, at least 3 characters, because if you have a large number of records in the database, searching for 1-2 characters will significantly increase the load on the database.
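
An alternative to deleting the wildcard characters is to keep them and make them literal, shown here as an added example that is not part of the original article. The posts table, its rows, the choice of "!" as the LIKE escape character and the function names are assumptions; the minimum length of 3 is the one recommended above.

```php
<?php
// Added example: the posts table and its rows are constructed sample data.

const MIN_SEARCH_CHARS = 3; // minimum length recommended in the article

// Build a LIKE pattern in which %, _ and the escape character itself are
// literals. Returns null when the trimmed term is too short to search for.
function like_pattern(string $term): ?string
{
    $term = trim($term);
    if (mb_strlen($term, 'UTF-8') < MIN_SEARCH_CHARS) {
        return null;
    }
    // strtr() with an array replaces in a single pass, so the "!" it
    // inserts is never escaped a second time.
    return '%' . strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
}

// Returns matching rows, or null when the term was rejected as too short.
function search_posts(PDO $db, string $term): ?array
{
    $pattern = like_pattern($term);
    if ($pattern === null) {
        return null;
    }
    $stmt = $db->prepare(
        "SELECT text_row FROM posts WHERE text_row LIKE :p ESCAPE '!' LIMIT 50"
    );
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (text_row TEXT)');
$db->exec("INSERT INTO posts VALUES ('100% cotton'), ('1000 items'),
           ('snake_case'), ('snakeXcase')");

// Constructed search terms: "%" is too short, "%%%" no longer matches
// every row, and "100%" and "e_c" match only their literal text.
foreach (['%', '%%%', '100%', 'e_c'] as $term) {
    $rows = search_posts($db, $term);
    echo str_pad(var_export($term, true), 8), ' => ',
        $rows === null ? 'rejected (too short)' : json_encode($rows), "\n";
}
```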

Filtration. Mistake #4.
The values of the $_COOKIE variable are not filtered. Some people think that since this variable cannot be passed through a form, it is guaranteed to be safe.
This variable is very easy to fake in any browser by editing the site's cookies.
For example, in one well-known CMS there was a check of the site template used:

if (@is_dir(MAIN_DIR . "/template/" . $_COOKIE["skin"])) {
    $config["skin"] = $_COOKIE["skin"];
}
$tpl->dir = MAIN_DIR . "/template/" . $config["skin"];

In this case, you can change the value of the $_COOKIE["skin"] variable and trigger an error, as a result of which you will see the absolute path to the site folder.
If you save cookie values to the database, then use one of the filtering methods described above; the same applies to the $_SERVER variable.

Filtration. Mistake #5.
The register_globals directive is enabled. Be sure to turn it off if it's on (the directive was removed entirely in PHP 5.4).
In some situations, it is possible to pass the value of a variable that should not have been passed. For example, if the site has groups, then for group 2 the $group variable should be empty or equal to 0, but it is enough to fake the form by adding the code:

The $group variable in the PHP script will then be equal to 5 if it was not declared with a default value in the script.

Filtration. Mistake #6.
Check uploaded files.
Check for the following:
  1. File extension. It is advisable to disable the uploading of files with extensions: php, php3, php4, php5, etc.
  2. Whether the file was actually uploaded to the server (move_uploaded_file)
  3. File size
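
The three checks above collected into one function, as an added example that is not the article's own code. It goes one step further than the list by using an allow-list of extensions instead of blocking the PHP ones and by storing the file under a generated name; the size limit, the extension list, the form field name doc and the sample entries are assumptions.

```php
<?php
// Added example: limits, allow-list and sample entries are assumptions.

const UPLOAD_MAX_BYTES = 2 * 1024 * 1024;
const UPLOAD_ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

// Returns the problems found in one $_FILES entry; an empty array means all
// three checks passed. $isUploaded is injectable so the function can be
// exercised from the command line, where nothing is an HTTP upload.
function upload_problems(array $file, ?callable $isUploaded = null): array
{
    $isUploaded = $isUploaded ?? 'is_uploaded_file';
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['upload did not complete'];
    }
    $problems = [];

    // 1. Extension, compared case-insensitively against the allow-list.
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, UPLOAD_ALLOWED_EXT, true)) {
        $problems[] = "extension '$ext' is not allowed";
    }
    // 2. The temporary file must come from this request's HTTP upload.
    if (!$isUploaded((string) $file['tmp_name'])) {
        $problems[] = 'not an uploaded file';
    }
    // 3. Size as measured by PHP while receiving the file.
    $size = (int) $file['size'];
    if ($size <= 0 || $size > UPLOAD_MAX_BYTES) {
        $problems[] = 'size out of range';
    }
    return $problems;
}

// Server-generated file name: the client-supplied name never becomes a path.
function stored_name(string $clientName): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed $_FILES-style entries.
$samples = [
    ['name' => 'photo.JPG', 'tmp_name' => '/tmp/phpA', 'size' => 51200, 'error' => UPLOAD_ERR_OK],
    ['name' => 'page.php5', 'tmp_name' => '/tmp/phpB', 'size' => 300, 'error' => UPLOAD_ERR_OK],
    ['name' => 'scan.pdf', 'tmp_name' => '/tmp/phpC', 'size' => 9000000, 'error' => UPLOAD_ERR_OK],
    ['name' => 'cut.png', 'tmp_name' => '/tmp/phpD', 'size' => 10, 'error' => UPLOAD_ERR_PARTIAL],
];
$pretendUploaded = function (string $path): bool { return true; }; // CLI stand-in

foreach ($samples as $file) {
    $problems = upload_problems($file, $pretendUploaded);
    echo $file['name'], ': ',
        $problems ? implode('; ', $problems) : 'ok, store as ' . stored_name($file['name']), "\n";
}
// In a request handler: call upload_problems($_FILES['doc']) with the default
// check, then move_uploaded_file($_FILES['doc']['tmp_name'], $dir . '/' . $name).
```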

Examination. Mistake #1.
I came across cases when for an AJAX request (for example: increasing reputation) a user name or ID was passed (to whom the reputation is increased), but the PHP script itself did not check that such a user exists.
For example:

$user_id = intval($_REQUEST["user_id"]);
... INSERT INTO REPLOG SET uid = '{$user_id}', plus = '1' ...
... UPDATE Users SET reputation = reputation+1 WHERE user_id = '{$user_id}' ...

It turns out we create a record in the database that is completely useless to us.

Examination. Mistake #2.
When performing various actions (adding, editing, deleting) with data, do not forget to check the user's rights to access this function and its additional features (the use of HTML tags or the ability to publish material without verification).

A long time ago I fixed a similar error in one forum module, where any user could edit the administration's message.

Examination. Mistake #3.
When using multiple PHP files, do a simple check.
In the index.php file (or in any other main file) write this line before including other PHP files:

define("READFILE", true);

At the beginning of the other PHP files write:

if (!defined("READFILE")) {
    exit("Error, wrong way to file. Go to main.");
}

This will restrict direct access to the files.

Examination. Mistake #4.
Use hashes for users. This will help prevent a particular function from being called by XSS.
An example of compiling a hash for users:

// $secret_key is our hash
$secret_key = md5(strtolower("http://site.ru/" . $member["name"] . sha1($password) . date("Ymd")));

Next, in all important forms, add an input holding the value of the user's current hash:

During script execution, check:

if ($_POST["secret_key"] !== $secret_key) {
    exit("Error: secret_key!");
}
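
A per-session variant of the hidden-field check above, as an added example rather than the article's own code: the token is random instead of being derived from the password and date, and it is compared with hash_equals(). The session key form_token and the three function names are assumptions; the field name secret_key is the one the article uses.

```php
<?php
// Added example: $session stands in for $_SESSION so the code runs on the CLI.

// Create the token once per session and reuse it for every form.
function form_token(array &$session): string
{
    if (empty($session['form_token'])) {
        $session['form_token'] = bin2hex(random_bytes(32));
    }
    return $session['form_token'];
}

// Hidden input to place inside every important form.
function token_field(array &$session): string
{
    return '<input type="hidden" name="secret_key" value="'
        . htmlspecialchars(form_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Accept only a string that matches the stored token; hash_equals()
// compares in constant time, and a missing token never validates.
function token_is_valid(array $session, $submitted): bool
{
    return is_string($submitted)
        && !empty($session['form_token'])
        && hash_equals($session['form_token'], $submitted);
}

$session = [];                      // constructed, empty session
echo token_field($session), "\n";   // what the form would contain

$checks = [
    'matching token'   => token_is_valid($session, $session['form_token']),
    'wrong token'      => token_is_valid($session, 'guess'),
    'array instead'    => token_is_valid($session, ['x']),
    'no session token' => token_is_valid([], ''),
];
foreach ($checks as $label => $ok) {
    echo str_pad($label, 18), $ok ? 'accepted' : 'rejected', "\n";
}
// In a request handler:
//   if (!token_is_valid($_SESSION, $_POST['secret_key'] ?? null)) { exit('Error: secret_key!'); }
```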

Examination. Mistake #5.
When outputting SQL errors, put a simple restriction on access to the details. For example, require a password in a GET variable:

if ($_GET["passsql"] == "password") {
    // ... SQL error output ...
} else {
    // ... Just error information, no details ...
}

This will hide from the hacker information that can help him in hacking the site.

Examination. Mistake #5.
Try not to include files by getting file names from outside.
For example:

if (isset($_GET["file_name"])) {
    include $_GET["file_name"] . ".php";
}

Use a switch
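
Allow-list resolution for the two externally supplied names discussed on this page, the $_COOKIE["skin"] template directory from Filtration Mistake #4 and the $_GET["file_name"] include above; this is an added example, not code from the article. The directory layout, the page names and both function names are assumptions.

```php
<?php
// Added example: directory layout and page names are constructed.

// Cookie-supplied template name: accepted only if it is a plain name AND an
// installed template directory; anything else falls back to the default.
function resolve_skin(string $templateRoot, $requested, string $default = 'default'): string
{
    if (!is_string($requested) || !preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $requested)) {
        return $default;
    }
    return is_dir($templateRoot . '/' . $requested) ? $requested : $default;
}

// GET-supplied page name: the switch maps known names to fixed files, so the
// request value never becomes part of the include path.
function resolve_page(string $pagesDir, $requested): string
{
    switch (is_string($requested) ? $requested : '') {
        case 'news':
            return $pagesDir . '/news.php';
        case 'contacts':
            return $pagesDir . '/contacts.php';
        default:
            return $pagesDir . '/home.php';
    }
}

// Constructed layout in a temporary directory so the example runs offline.
$root = sys_get_temp_dir() . '/skin_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/template/default', 0700, true);
mkdir($root . '/template/dark', 0700, true);

// Constructed cookie values: installed, not installed, not a plain name,
// and not a string at all.
foreach (['dark', 'missing', '../../etc', ['x']] as $cookie) {
    echo json_encode($cookie, JSON_UNESCAPED_SLASHES), ' -> ',
        resolve_skin($root . '/template', $cookie), "\n";
}
// Constructed query values: known page, unknown name, parameter absent.
foreach (['news', '../config', null] as $get) {
    echo json_encode($get, JSON_UNESCAPED_SLASHES), ' -> ',
        basename(resolve_page($root . '/pages', $get)), "\n";
}

// Remove the temporary layout.
rmdir($root . '/template/dark');
rmdir($root . '/template/default');
rmdir($root . '/template');
rmdir($root);
// In a request handler: include resolve_page(__DIR__ . '/pages', $_GET['file_name'] ?? null);
```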