dongnong7524 2015-11-11 13:09
Accepted

Undefined index - security risk vs. performance vs. code bloat

I'm collaborating on a project where the REST APIs basically break in development mode because it has a more inclusive error-reporting policy. Here's a typical line in this project:

public function someAction() {
   // Returns a map of params => values sent with HTTP req
   $params = $this->getParams();

   // This key may not exist --+
   //                          |
   //                          v
   $someField = $params['someField'] ?: 'default value';
   $someField = $this->sanitizeInput($someField);

   // ...
}

As a result, the JSON response in dev mode will often be littered with PHP: Notice: Undefined Index warnings, which will break the JSON output string.

My questions

  • What exactly is the security risk (if any) in assuming that a variable has been initialized, particularly when pulling it from $_GET or $_POST?
  • Would it be worth the trouble to go through and wrap every access to some assumed array key with isset() or array_key_exists()?
  • I've added isset() around individual keys that raise undef index warnings under certain actions throughout the app, but the code looks super bloated now...

2 answers

  • douqiang1851 2015-11-11 13:17

    The issue with ignoring errors like this is exactly what you have found - debugging becomes a huge pain, and potential real bugs get dismissed as "normal behaviour".

    However, as with any other time in programming, if you find yourself writing the same code over and over, you probably need to write an abstraction.

    In your case, you can add an additional method to the class: as well as getParams() (which presumably just returns the contents of $_REQUEST), add a getParam() method:

    function getParam($key, $default=null)
    {
        return isset($_REQUEST[$key]) ? $_REQUEST[$key] : $default;
    }
    

    Then your calling code becomes:

    $someField = $this->getParam('someField', 'default value');
    

    EDIT you could also add the sanitation call into this method as well:

    function getParam($key, $default=null)
    {
        return isset($_REQUEST[$key]) ? $this->sanitizeInput($_REQUEST[$key]) : $default;
    }
    

    Reducing your calling code even more. Now you not only have proper error-free code, but you have reduced your calling code from three lines:

    $params = $this->getParams();
    
    // This key may not exist --+
    //                          |
    //                          v
    $someField = $params['someField'] ?: 'default value';
    $someField = $this->sanitizeInput($someField);
    

    To one:

    $someField = $this->getParam('someField', 'default value');
    
    This answer was accepted by the asker.
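The helper the accepted answer describes, written out as an added example (not code from the question, the answer, or the asker's project). It wraps the parameter map in a small class so it can be exercised against a constructed array instead of the live $_REQUEST superglobal; the class name RequestParams and the sanitizeInput() body are assumptions standing in for the project's own code. It shows the practical difference between isset() (treats a present-but-null value as absent) and array_key_exists() (reports presence regardless of value), rejects non-scalar values such as `?a[]=1`, and ends with the reason the asker cares: json_encode() only ever sees data, so no notice text lands in the JSON body.

```php
<?php
// Added example (not the original question's or answer's code): a request-parameter
// helper along the lines of the accepted answer's getParam(), demonstrated against
// a constructed request array rather than the live $_REQUEST superglobal.

declare(strict_types=1);

final class RequestParams
{
    /** @var array<string,mixed> */
    private array $params;

    /** @param array<string,mixed> $params normally $_REQUEST; injected here so it can be tested */
    public function __construct(array $params)
    {
        $this->params = $params;
    }

    // Hypothetical sanitizer standing in for the question's $this->sanitizeInput().
    private function sanitizeInput(string $value): string
    {
        return htmlspecialchars(trim($value), ENT_QUOTES, 'UTF-8');
    }

    // isset() is false for a missing key AND for a key whose value is null, so both
    // cases fall back to $default. No "Undefined index" notice is raised either way.
    public function getParam(string $key, ?string $default = null): ?string
    {
        if (!isset($this->params[$key])) {
            return $default;
        }
        $value = $this->params[$key];
        if (!is_string($value)) {
            // A client can send an array (?a[]=1) where a scalar is expected;
            // treat anything that is not a string as "not supplied".
            return $default;
        }
        return $this->sanitizeInput($value);
    }

    // array_key_exists() distinguishes "present with null" from "absent", which matters
    // when the caller needs to know whether the client sent the field at all.
    public function has(string $key): bool
    {
        return array_key_exists($key, $this->params);
    }
}

// Constructed sample request: a normal value, an empty string, an explicit null,
// an array where a scalar is expected, and a key that is missing entirely.
$request = new RequestParams([
    'someField'  => '  <b>hello</b> ',
    'emptyField' => '',
    'nullField'  => null,
    'arrayField' => ['1'],
]);

$results = [
    'someField'  => $request->getParam('someField', 'default value'),
    'emptyField' => $request->getParam('emptyField', 'default value'),
    'nullField'  => $request->getParam('nullField', 'default value'),
    'arrayField' => $request->getParam('arrayField', 'default value'),
    'missing'    => $request->getParam('missing', 'default value'),
    'hasNull'    => $request->has('nullField'),
    'hasMissing' => $request->has('missing'),
];

// The point of the helper: the response body is produced only from data that was
// looked up safely, so the JSON string is never interrupted by a PHP notice.
echo json_encode($results, JSON_THROW_ON_ERROR), PHP_EOL;
```

Running this with `php example.php` prints a single JSON object: `someField` is trimmed and HTML-escaped, `emptyField` stays an empty string (isset() is true for `''`, so the default is not used), and `nullField`, `arrayField` and `missing` all receive the default, while `hasNull` is true and `hasMissing` is false. On PHP 7.0 and later the null coalescing operator (`$params['someField'] ?? 'default value'`) gives the same notice-free lookup inline; the `?:` form in the question does not, because the array read happens before the operator is evaluated.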
