1

In a recent question I posted I describe how I developed a site on my local server and everything was working fine. Then after deploying it live I was getting errors because of the use of undefined variables. Mainly due to situations like the following...

if($var!=""){...}

I know I should use PHP strict and fix all of the errors based on the responses I got on my last question.

Now I want to know... why? What vulnerabilities may be created by leaving such code? I want to be able to justify to others why the errors need to be fixed.

Peter Mortensen
Philip Kirkbride
  • You'll find a lot of helpful reasons by going through similar questions/answers http://stackoverflow.com/search?q=%5Bphp%5D+strict+errors – Mike B Oct 06 '11 at 21:15
  • 1
    Using an undefined variable is an `E_NOTICE`, not `E_STRICT`, right? Strict messages are similar to notices, but tend to be more for things that will change in the future, or are more "nitpicky" than notices. – John Flatness Oct 06 '11 at 21:15

4 Answers

7

The purpose of E_STRICT messages is:

to have PHP suggest changes to your code which will ensure the best interoperability and forward compatibility of your code.

Source: Error Handling Constants

salathe
1

In this case, it's because the behaviour won't be predictable.

If your variable is not defined, your condition could be true or wrong, randomly.

Peter Mortensen
Imad Moqaddem
  • 1
    Actually it's predictable. But coders are still supposed to define variables by giving them values. http://www.php.net/manual/en/language.variables.basics.php – OpenGG Oct 06 '11 at 21:20
0

Reminder: the isset function accepts multiple variables, while empty does not.

if(isset($var_1, $var_2) && !empty($var_1) && !empty($var_2)){
  // code
}
Tesla
0
if (isset($var) and $var != "")

or:

if(strlen($var) > 0)
radeklos
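An added example (not code from the question or from any answer) that runs the four checks quoted on this page against constructed inputs and records every diagnostic PHP raises, regardless of the server's error settings. The helper name `run_check` and the sample values are assumptions made for the illustration.

```php
<?php
// Added example: not code from the question or the answers.
error_reporting(E_ALL);

// Record every diagnostic, so the outcome does not depend on the
// error_reporting/display_errors settings of a particular server.
$diagnostics = [];
set_error_handler(function (int $severity, string $message) use (&$diagnostics): bool {
    $diagnostics[] = $message;
    return true; // handled here; skip PHP's built-in handler
});

// Hypothetical helper: evaluate one check in a fresh scope where $var may be unset.
function run_check(string $check, bool $define, ?string $value): bool
{
    if ($define) {
        $var = $value;
    }
    switch ($check) {
        case '$var != ""':                  return $var != "";
        case 'isset($var) and $var != ""':  return isset($var) and $var != "";
        case 'isset($var) && !empty($var)': return isset($var) && !empty($var);
        case 'strlen($var) > 0':            return strlen($var) > 0;
    }
    throw new InvalidArgumentException("unknown check: $check");
}

// Constructed inputs: [label, is $var assigned?, value]
$cases = [
    ['undefined', false, null],
    ['null',      true,  null],
    ['""',        true,  ''],
    ['"0"',       true,  '0'],
    ['"abc"',     true,  'abc'],
];
$checks = ['$var != ""', 'isset($var) and $var != ""',
           'isset($var) && !empty($var)', 'strlen($var) > 0'];

foreach ($checks as $check) {
    foreach ($cases as [$label, $define, $value]) {
        $diagnostics = []; // writes through the reference held by the handler
        $result = run_check($check, $define, $value);
        printf("%-28s %-10s => %-5s %s\n", $check, $label,
            $result ? 'true' : 'false', implode('; ', $diagnostics));
    }
}
```

All four checks return false for an undefined `$var`, but only the bare comparison and `strlen` raise a diagnostic for it (a notice in PHP 7, a warning in PHP 8). The string `"0"` passes every check except the `!empty` one, which matters when `"0"` is a legitimate input value.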