Reset - unset - reassign - repeat



  •  While walking through the code of one of our websites I ran into this:

    $navig_content = array();
    unset($navig_content);
    include_once($_SERVER['DOCUMENT_ROOT'].'/en/elements/elem_'.$idNavig.'.php');
    

    The "included" file sets the $navig_content var (relying on the scope of variables).

    The developer tried to really "destroy" the variable



  •  It's PHP! Garbage collection is the least of one's performance troubles, if any!



  • Let's see if I can explain their thinking...

    • When register_globals is enabled, if the include fails (not a "require"), you can end up with an unsanitised variable where the rest of the script expected the one from the included file. Therefore you unset the variable before the include, to make sure that your later scripts will just get an uninitialised variable, not the one injected by the HTTP request.
    • If you unset a variable that has not been defined, then you get a warning. That warning is displayed on the page if the display_errors directive is set low enough. Therefore you should define it as something first.

    Of course, the easiest "solution" to all of this (assuming you cannot touch the ini settings), would have been:

    $navig_content = null;
    include_once($_SERVER['DOCUMENT_ROOT'].'/en/elements/elem_'.$idNavig.'.php');

    Or best of all, make sure the include will not fail (you can check if file_exists first), and then do proper error handling if it doesn't exist.
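
An added example, not part of the original thread: one way to do the existence check and error handling suggested above, loading the element inside a function so the included file assigns into a local scope that a request-injected global cannot reach. The name load_navig_content(), the alphanumeric-id rule, the assumption that $navig_content is an array, and the temp-directory fixture are all hypothetical.

```php
<?php
// Added example, not code from the thread. load_navig_content() and the
// temp-directory fixture are hypothetical names constructed for illustration.

function load_navig_content(string $docRoot, string $idNavig): array
{
    // Accept only the id shape we expect (assumption: ids are alphanumeric).
    if (!preg_match('/\A[A-Za-z0-9]+\z/', $idNavig)) {
        throw new InvalidArgumentException('Invalid navigation id');
    }

    $path = $docRoot . '/en/elements/elem_' . $idNavig . '.php';
    if (!is_file($path) || !is_readable($path)) {
        throw new RuntimeException('Navigation element not found');
    }

    // Function-local scope: a request-supplied global of the same name
    // (register_globals) is not visible here, and the included file
    // assigns into this scope rather than the global one.
    $navig_content = null;
    require $path;

    if (!is_array($navig_content)) {
        throw new RuntimeException('Element file did not set $navig_content');
    }
    return $navig_content;
}

// Constructed fixture: a document root containing one element file.
$docRoot = sys_get_temp_dir() . '/navig_demo_' . getmypid();
mkdir($docRoot . '/en/elements', 0700, true);
file_put_contents(
    $docRoot . '/en/elements/elem_1.php',
    '<?php $navig_content = array("Home", "About");'
);

// Simulate the injected value from the thread's example request.
$GLOBALS['navig_content'] = 'injected_by_request';

foreach (array('1', 'not_exist') as $id) {
    try {
        echo $id, ': ', implode(', ', load_navig_content($docRoot, $id)), "\n";
    } catch (RuntimeException $e) {
        echo $id, ': refused (', $e->getMessage(), ")\n";
    }
}
```

The missing element stops at the exception instead of falling through to whatever value the global happened to hold.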



  • @TarquinWJ said:

    Or best of all, make sure the include will not fail (you can check if file_exists first), and then do proper error handling if it doesn't exist.

    Or use require()...



  • Huh?

    Require just means you'll get FATAL instead of ERROR when file doesn't exist.



  • @Shinhan said:

    Huh?

    Require just means you'll get FATAL instead of ERROR when file doesn't exist.


    Try an Error instead of a Warning.



  • @Shinhan said:

    Huh?

    Require just means you'll get FATAL instead of ERROR when file doesn't exist.



    If required file is missing-- especially one that seems to be critical to the safety of the system-- then I would darn well consider that a FATAL.  What's better in response to www.example.com?navig_content=fuck_shit_up_string&idNavig=not_exist  

    Can't find file. Continuing. Here's Shinhan's credit card number and preferred aphrodisiacs for his mom...

    OR

    Required shit ain't there. Fuck off. I die.



  • @Lorne Kates said:

    www.example.com?navig_content=fuck_shit_up_string&idNavig=not_exist  
     

    @Lorne Kates said:

    Required shit ain't there. Fuck off. I die.
     

    I like your style



  • @Shinhan said:

    Huh?

    Require just means you'll get FATAL instead of ERROR when file doesn't exist.

    Which is what should happen when a file can't be found.

