I came across a PHP question paper which provided a code sample associated with the functionality of a product cart. When I went through the code sample, I came across certain PHP if conditions which check if a variable to which a $_POST[key] value was assigned is false. The following are the code samples associated with the problem I am facing.

nicepage.php

<?php
// Product id is taken straight from the query string and concatenated into the query
$id=$_GET['previd'];
$SQL = "select * from pro where prId=".$id;
$runSQL = mysql_query($SQL) or die(mysql_error());
$details = mysql_fetch_array($runSQL);
// Render the product details
echo "<p>Catalogue Item Number: ".$details['prId'];
echo "<p>". strtoupper($details['prName']);
echo "<p>".$details['prDescrip'];
echo "<p><img src=images/".$details['prPicName'].">";
echo "<p>£".$details['prPrice'];
echo "<p>".$details['prQuantity']." items for you to get!" ;
// Order form: newqu is the requested quantity, newid carries the product id as a hidden field
echo "<form method=post action=greatpage.php>" ;
echo "<p>Enter how many: ";
echo "<input type=text name=newqu size=5 maxlength=3>";
echo "<input type=submit value='Get them'>";
echo "<input type=hidden name=newid value=".$id.">";
echo "</form>" ;
echo "</center>";
echo "</body>";
echo "</html>";

greatpage.php

<?php
// Both values come from the form posted by nicepage.php
$theid=$_POST['newid'];
$thequ=$_POST['newqu'];
if (!$theid)
{
    // No product id submitted (or a falsy one), so nothing is added to the cart
    echo "<p>Nothing new is added, show the stuff from before";
}
else
{
    if (!$thequ or $thequ==0)
    {
        // Quantity missing, empty, or zero
        echo "<p>Error!";
        echo "<p><a href=nicepage.php>Enter correct value!</a>";
        exit;
    }
    else
    {
        // Look up the available stock for the submitted product id
        $theSQL="select prQuantity from pro where prId=".$theid;
        $runtheSQL=mysql_query($theSQL) or die (mysql_error());
        $info=mySQL_fetch_array($runtheSQL);
        $ourqu=$info['prQuantity'];
        if ($thequ > $ourqu)
        {
            // Requested more than is in stock
            echo "<p>Not good!";
            echo "<p><a href=nicepage.php> Do it again!</a>";
            exit;
        }
        else
        {
            // Store the requested quantity in the session cart, keyed by product id
            echo "<p>Great, item added!";
            $_SESSION['storage'][$theid]=$thequ;
        }
    }
}

The above code samples provide parts of the PHP scripts associated with the issue.

I am a relatively new PHP programmer, so pardon me for any mistakes I make.

I would like to learn why the $theid and $thequ are checked if they are equal to false rather than using a function like isset($_POST['key']) to check if $_POST global variables are set before assigning to the two PHP $theid and $thequ variables.

And in the above code sample, which situations may lead to the !$theid and !$thequ being true?

I would be extremely grateful to anyone who can solve this conundrum.

Chiranga Alwis
  • First of all please read about SQL Injection. – trzyeM- Mar 25 '15 at 18:49
  • Those `if(!$theid)` and similar statements are not checking if the value is false, but rather if the value is falsy, which includes null, empty string, empty array, string such as "0", etc.). It is honestly not a good way of programming. – Mike Brant Mar 25 '15 at 18:55
  • Thanks. I think it is a good explanation for some of the doubts I had. – Chiranga Alwis Mar 25 '15 at 18:59

2 Answers

So let's break this down

if(!$theid)

This is a poor way to check if the variable exists. You should do something more like if(isset($_POST['newid'])), which will definitively tell you the field was submitted.

if (!$thequ or $thequ==0)

Again, we have the poor check to see if the value exists, but the second one is a sloppy way of seeing if the field was submitted empty. If you submit an empty field, its value will be '', or an empty string. Since an empty string is falsy, you can check against anything PHP considers to be false. So '' == 0 would be true. I would at least use '' or empty() instead of just 0 (it makes for better readability).

Next up, your SQL is wide open to SQL injection.

Lastly, please don't use the mysql_ functions as they are deprecated and will soon be removed from PHP.

Machavity
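An added example, not code from the question or either answer: it runs the `!$x`, `isset()` and `empty()` checks over constructed form submissions so the falsy cases are visible, then shows a stricter quantity check and a parameterised stock lookup. The PDO connection and the `pro` table are assumed.

```php
<?php
// Added example (not from the question or answers): how the three checks
// behave for the kinds of values $_POST['newid'] / $_POST['newqu'] can hold.
// $_POST values are strings or absent, so "" and "0" are the realistic falsy cases.
function describe(array $post, string $key): array {
    $value = $post[$key] ?? null;          // what `$theid = $_POST['newid']` yields
    return [
        'not'   => !$value,                // the `if (!$theid)` check from the question
        'isset' => isset($post[$key]),
        'empty' => empty($post[$key]),
    ];
}

$cases = [                                  // constructed sample submissions
    'absent'   => [],                       // field not sent at all
    'empty'    => ['newqu' => ''],          // submitted blank
    'zero'     => ['newqu' => '0'],         // "0" is falsy in PHP
    'zero_dec' => ['newqu' => '0.0'],       // NOT falsy as a string
    'spaces'   => ['newqu' => ' '],         // NOT falsy either
    'three'    => ['newqu' => '3'],
];
foreach ($cases as $name => $post) {
    printf("%-9s %s\n", $name, json_encode(describe($post, 'newqu')));
}

// A stricter replacement for `if (!$thequ or $thequ==0)`: accept only a
// positive integer string, and report "invalid" distinctly from "absent".
function parseQuantity(array $post, string $key): ?int {
    if (!isset($post[$key]) || !ctype_digit($post[$key])) {
        return null;                        // missing, empty, negative, decimal, text
    }
    $n = (int) $post[$key];
    return $n > 0 ? $n : null;              // "0" and "000" are rejected here
}

// Stock lookup with the id bound as a parameter instead of concatenated into SQL
// ($db is an assumed PDO connection to the database holding the `pro` table).
function stockFor(PDO $db, int $id): ?int {
    $stmt = $db->prepare('SELECT prQuantity FROM pro WHERE prId = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['prQuantity'] : null;
}
```

For the `zero` case the output is `{"not":true,"isset":true,"empty":true}`, which is the situation the question asks about: a submitted "0" makes `!$thequ` true even though the field was set.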
If you use isset(), it checks if the variable exists. So if you say

$id="";

the outcome will be TRUE because the variable exists, but is empty.

The best way is:

if(empty($id)) {

//your code
} else {

//your code when NOT empty
}
Krooy_mans
  • But when does the $theid or $thequ become false as checked in the code. Since this code is a sample I obtained from a question paper as mentioned before I would like to know when such an instance occurs. I have searched inside out for such a case but I failed to find out at least one. – Chiranga Alwis Mar 25 '15 at 18:56
  • Which instance do you mean? – Krooy_mans Mar 25 '15 at 19:20