
The default code that prevents access to debug front controller on production server is:

```php
if (isset($_SERVER['HTTP_CLIENT_IP'])
    || isset($_SERVER['HTTP_X_FORWARDED_FOR'])
    || !(in_array(@$_SERVER['REMOTE_ADDR'], array('127.0.0.1', 'fe80::1', '::1')) || php_sapi_name() === 'cli-server')
) {
    header('HTTP/1.0 403 Forbidden');
    exit('You are not allowed to access this file. Check '.basename(__FILE__).' for more information.');
}
```

So the question is: Why would it be needed to suppress warnings from @$_SERVER['REMOTE_ADDR']? The errors from other $_SERVER variables aren't suppressed though.

Timofey
  • `Why would it be needed to suppress warnings from ?` answer is :- used so that warning will not show to the end-user if any occur. – Alive to die - Anant Jul 29 '15 at 13:31
  • Probably to suppress an undefined index notice, since if it's undefined, it's still going to evaluate to false. – Evadecaptcha Jul 29 '15 at 13:36
  • @RobertCathey so it's probably for prettifying the output. But what is the 'basic' rule when to use the @ operator? And what's wrong with showing that notice? – Timofey Jul 29 '15 at 13:43
  • The purpose is to suppress warning. Why and when to do this really is just opinion based. – Gerry Jul 29 '15 at 13:45
  • @Timofey I'm just speculating as to why it's there. Not saying it should or shouldn't be there. But it's like Gerry said. They wouldn't want to print that notice, because it's prettier. They are printing their own error, which will be echoed if the index is undefined. – Evadecaptcha Jul 29 '15 at 13:46
  • @RobertCathey I am just curious, because a lot of people say that it's bad to use '@' – Timofey Jul 29 '15 at 13:55
  • It's like @Gerry said. It's really just a matter of preference. If you know what you're doing when you use it, it's usually okay. I personally don't like to use them (although that's just because I don't like the way it looks in php code haha). But I don't see anything wrong with the way they are using it here. – Evadecaptcha Jul 29 '15 at 13:58
  • Alright, now I finally got it. Thank y'all! – Timofey Jul 29 '15 at 14:00

1 Answer

First of all, $_SERVER['REMOTE_ADDR'] could be empty (see this).

The errors are not suppressed for the other $_SERVER variables because they are used inside the isset function. Using a variable (or accessing an element of an existing array) that is not set inside the isset function will not give an error or a warning, since verifying whether the variable is set is the role of the function itself.

Vincenzo Petrucci
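The difference discussed above, as an added example that is not part of the original posts or of Symfony's code: it records which reads of a missing key raise a notice or warning, and re-implements the guard's decision with `??` in place of `@`. The function names `debugAccessAllowed()` and `collectDiagnostics()` are hypothetical, the sample arrays are constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added example; debugAccessAllowed() and collectDiagnostics() are hypothetical names.

// Same decision as the guard in the question, reading REMOTE_ADDR with ?? instead of @.
function debugAccessAllowed(array $server, string $sapi): bool
{
    // isset() on a missing key is silent, so these two checks need no suppression.
    if (isset($server['HTTP_CLIENT_IP']) || isset($server['HTTP_X_FORWARDED_FOR'])) {
        return false;
    }
    $remote = $server['REMOTE_ADDR'] ?? null; // null when the key is absent, no diagnostic
    return in_array($remote, ['127.0.0.1', 'fe80::1', '::1'], true) || $sapi === 'cli-server';
}

// Runs $fn and returns the message of every notice or warning it raised.
function collectDiagnostics(callable $fn): array
{
    $seen = [];
    set_error_handler(function (int $no, string $msg) use (&$seen): bool {
        $seen[] = $msg;
        return true; // handled here, skip PHP's default reporting
    });
    try {
        $fn();
    } finally {
        restore_error_handler();
    }
    return $seen;
}

$empty = []; // constructed: a $_SERVER-like array with no REMOTE_ADDR
$reads = [
    'isset()'     => function () use ($empty) { return isset($empty['HTTP_CLIENT_IP']); },
    'direct read' => function () use ($empty) { return in_array($empty['REMOTE_ADDR'], ['::1']); },
    '?? null'     => function () use ($empty) { return in_array($empty['REMOTE_ADDR'] ?? null, ['::1']); },
];
foreach ($reads as $label => $fn) {
    printf("%-12s %d diagnostic(s)\n", $label, count(collectDiagnostics($fn)));
}

// Constructed requests: [label, $_SERVER-like array, SAPI name].
$cases = [
    ['loopback',         ['REMOTE_ADDR' => '127.0.0.1'], 'fpm-fcgi'],
    ['loopback + proxy', ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'], 'fpm-fcgi'],
    ['remote client',    ['REMOTE_ADDR' => '203.0.113.7'], 'fpm-fcgi'],
    ['no REMOTE_ADDR',   [], 'fpm-fcgi'],
];
foreach ($cases as [$label, $server, $sapi]) {
    printf("%-18s %s\n", $label, debugAccessAllowed($server, $sapi) ? 'allowed' : '403');
}
```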