I'm collaborating on a project where the REST APIs basically break in development mode because it has a more include error reporting policy. Here's a typical line in this project:
public function someAction() {
// Returns a map of params => values sent with HTTP req
$params = $this->getParams();
// This key may not exist --+
// |
// v
$someField = $params['someField'] ?: 'default value';
$someField = $this->sanitizeInput($someField);
// ...
}
As a result, the JSON response in dev mode will often be littered with PHP: Notice: Undefined Index warnings, which will break the JSON output string.
My questions
- What exactly is the security risk (if any) in assuming that a variable has been initialized, particularly when pulling it from $_GET or $_POST?
- Would it be worth the trouble to go through and wrap every access to some assumed array key with
isset()
orarray_key_exists()
? - I've added
isset()
around individual keys that raise undef index warnings under certain actions throughout the app, but the code looks super bloated now...