jimfog

Does the code below check if the user has filled in the fields of a form?

if (isset($_POST['username']))

No reason to put code related to the password field of the form - I think I made my point.


It checks if a user has filled in the "username" field on a form (which uses the "post" method...). It doesn't necessarily mean the password (or any other field) is filled as well.


If the code above checks if the form fields have been filled, then what exactly does the code below do?

    function filled_out($post)
    {
        // test that each variable has a value
        foreach ($post as $key => $value) {
            if ((!isset($key)) || ($value == '')) {
                return false;
            }
        }
        return true;
    }

Does the above code do the same thing in a different way?


Did you read his response?

It checks if a user has filled in the "username" field on a form (which uses the "post" method...). It doesn't necessarily mean the password (or any other field) is filled as well.
If the code above checks if the form fields have been filled, then what exactly does the code below do?

    function filled_out($post)
    {
        // test that each variable has a value
        foreach ($post as $key => $value) {
            if ((!isset($key)) || ($value == '')) {
                return false;
            }
        }
        return true;
    }

Does the above code do the same thing in a different way?

So like boen said, the first post doesn't check anything other than the 'username' key. So, the difference is your snippet in post 1 checks one POST member (username). The snippet in post 3 loops through the members of the argument $post and checks the $key/$value pairs against the condition of being isset and not an empty string, and returning accordingly.
Edited by thescientist

So they are doing the same thing, in other words. The difference being that the code in post 1 checks only the username while the code in post 3 checks all of the POST values. I am going to put it this way: what is better and why, using code of the kind:

if (isset($_POST['username']) && isset($_POST['password']))

or making an iteration of the array as the function filled_out above? I can only think that the iteration might be more practical when we are dealing with many form fields.


It depends on the context of your application. For required fields you may want to check them conditionally, differently than other (non-required) fields.


Your later snippet checks

(!isset($key))

which is redundant - if you're within the foreach, you're looping over existing keys. That code is better as something like

    function hasEmptyValues(array $arr) {
        foreach ($arr as $value) {
            if (empty($value)) {
                return true;
            }
        }
        return false;
    }

And as the name suggests, this only checks if there are empty fields in the submitted form (which is also what your snippet does).

If a person (say, a hacker) tries to use an HTTP debugger, they can submit the form without setting all required fields (I mean, not even with empty values). Neither this function, nor your snippet, checks for that. You must explicitly specify somewhere the fields you want, and then use functions similar to the above to further verify their contents.

Here's a function that allows you to give it an array to check, along with an array with the required fields:

    function hasAllRequiredFields(array $arr, array $requiredFields) {
        foreach ($requiredFields as $key) {
            if (!isset($arr[$key])) {
                return false;
            }
        }
        return true;
    }

As you can see, it's an extension of your first one-liner.


This line:

    if (isset($_POST['username']))

Only checks if the form contains a "username" field. It does not check if that field has a value or not, only if the form contains a field by that name that was submitted. The isset function checks if a variable is set, so that if statement is true if $_POST['username'] is set. It will be set if the form has a field with that name regardless of whether the user filled it out.


This line:

    if (isset($_POST['username']))

Only checks if the form contains a "username" field. It does not check if that field has a value or not, only if the form contains a field by that name that was submitted. The isset function checks if a variable is set, so that if statement is true if $_POST['username'] is set. It will be set if the form has a field with that name regardless of whether the user filled it out.
So you are disagreeing with what has been said before-that isset(POST[username]) checks if the form fields have been filled?

So you are disagreeing with what has been said before-that isset(POST[username]) checks if the form fields have been filled?
Who said that? I didn't...

So you are disagreeing with what has been said before-that isset(POST[username]) checks if the form fields have been filled?
How do you figure? He's just addressing the issue by explicitly explaining how isset works, and that it shouldn't be the only way to check if a form field has been filled, as seen in the filled out function you showed, which also checks the value.

So you are disagreeing with what has been said before-that isset(POST[username]) checks if the form fields have been filled?
The isset function does one thing, it checks that variables have been set and are not null: http://www.php.net/manual/en/function.isset.php In the context of a form and the $_POST array, for most fields you're only checking if the field was submitted at all. Any field that is submitted will be set and not null, so isset will only tell you if the field was submitted at all. Null does not mean empty. For checkboxes specifically, you use isset to figure out if they checked the box. If a checkbox is not checked then the form does not submit it at all, so with forms you only use isset to determine if they checked a checkbox. Otherwise, it's only useful for determining if the form was submitted. There's an example of that in post 4 here: http://w3schools.invisionzone.com/index.php?showtopic=12509 The empty function does one additional check, it checks that variables are set, are not null, and have a value that is not empty. There's a list of values in the notes in the manual that it considers to be empty values: http://www.php.net/manual/en/function.empty.php

So in essence, 2 checks must be done: One that the form was submitted (using isset...) and second that the form fields were not empty. Of course the first check must precede the second - I think. And another thing... You said isset checks if variables are not null. How come the fields of a form (html name attribute) are considered variables? I miss something here... Yes I miss, what I miss is the fact that the fields of the form become part of the POST array - arrays are variables too of course

Edited by jimfog

If you use empty(), you don't need to use isset(). empty() would return false if the variable isn't set.

If your definition of "empty" is different from what empty() checks for (e.g. if you accept the string "0" as not empty), then yes - you'd have to first check if the variable is set, and then check if it fits your custom definition of empty.


So, you are saying that in case of a web form empty() will do the job - and that is that. In addition to the above I do not see the need to check if the form is submitted, you just go straight checking if the fields are empty or not and that is where it ends.


In addition to the above I do not see the need to check if the form is submitted, you just go straight checking if the fields are empty or not and that is where it ends.
I disagree. Often times forms submit to themselves, typically for providing validation feedback. It is often practice to check to see if the form was submitted first, as the first point in the control logic for rendering the page. If the form was submitted, you can test for that and act accordingly, if it wasn't you can skip a whole bunch of form processing logic and just show the user the form.
Edited by thescientist

It depends what values you want to check for, check the manual to see the values that PHP considers to be empty.
Yes, I will see the manual - anyway the form is a form about username and password, nothing else to it, just these 2 fields. But since we are talking about strings empty() will be OK - I checked the manual.
I disagree. Often times forms submit to themselves, typically for providing validation feedback.
I did not quite understand that...
It is often practice to check to see if the form was submitted first, as the first point in the control logic for rendering the page. If the form was submitted, you can test for that and act accordingly, if it wasn't you can skip a whole bunch of form processing logic and just show the user the form.
I have in one page the form (HTML) and in another the logic (POST) - is that enough? I mean that in order for the second page to be parsed, form SUBMISSION must have taken place... I believe the last sentence where you mention... "skip processing logic" mainly applies in cases where the page the form is, is also the rest of the logic: for example, in index.php is the form and the form action is also at index.php. In my case form action is a different page (index2.php for example).
Edited by jimfog

Often times forms submit to themselves,
This means the exact same thing as:
for example, in index.php is the form and the form action is also at index.php.
So... the idea was that there is a point in checking if the field is submitted, especially if the form submits to itself (i.e. if the action is also the page with the form). But even disregarding that...
I mean that in order for the second page to be parsed, form SUBMISSION must have taken place...
That's just false.
- A user may submit your form, and unless he's redirected away, he can copy the URL, and open up the page again, without resubmitting the form.
- A hacker can use an HTTP debugger to send an HTTP request directly to the form's action, bypassing the form. At that point, he can submit arbitrary name/value pairs OR not submit any.
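
The checks discussed in the posts above (was the form submitted, is every required field present, is its value non-empty under your own definition) combined in one function. This is an added example, not code from any poster in this thread; validateLogin() and the sample requests are constructed, and the is_string() test for array-valued fields goes beyond what the thread covers.

```php
<?php
// Added example: validateLogin() and the sample requests are constructed.

/** Returns a list of problems; an empty list means the input is usable. */
function validateLogin(string $method, array $post, array $required = ['username', 'password']): array
{
    // 1. Was the form submitted at all? Reopening the action URL is a GET.
    if ($method !== 'POST') {
        return ['form not submitted'];
    }
    $errors = [];
    foreach ($required as $field) {
        // 2. The client chooses which fields to send, so test every required key.
        if (!isset($post[$field])) {
            $errors[] = "$field is missing";
            continue;
        }
        $value = $post[$field];
        // 3. A body such as "username[]=x" is parsed into an array, not a string.
        if (!is_string($value)) {
            $errors[] = "$field is not a string";
            continue;
        }
        // 4. Custom definition of "empty": unlike empty(), the string "0" passes.
        if (trim($value) === '') {
            $errors[] = "$field is empty";
        }
    }
    return $errors;
}

// Constructed requests: method plus the body as PHP would expose it in $_POST.
$samples = [
    'normal form post'    => ['POST', ['username' => 'jim', 'password' => 's3cret']],
    'action URL reopened' => ['GET',  []],
    'fields left blank'   => ['POST', ['username' => '', 'password' => '  ']],
    'no fields sent'      => ['POST', []],
    'array-valued field'  => ['POST', ['username' => ['a'], 'password' => 'x']],
    'value is "0"'        => ['POST', ['username' => '0', 'password' => '0']],
];

foreach ($samples as $label => [$method, $post]) {
    $errors = validateLogin($method, $post);
    printf("%-20s %s\n", $label, $errors ? implode(', ', $errors) : 'ok');
}
```

In a real handler the call would be validateLogin($_SERVER['REQUEST_METHOD'], $_POST), and it works the same whether the form's action is the form's own page or a separate one.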

So, concluding, a check MUST be done if the form was submitted. Which means code like the one below is wrong - from a logic point of view:

    try {
        if (!filled_out($_POST)) {
            throw new Exception('Go back -You did not filled the form');
        } else {
            // they have just tried logging in
            if (login($username, $passwd)) { // function to check the user in the db
                $_SESSION['valid_user'] = $username;
                // code producing HTML here
            }
        }
    } catch (Exception $e) {
        // error handling is not shown in the post
    }

And another question. Do you think it would be better for the form action to be in the same page the form is in or in a different one?


If the code above checks if the form fields have been filled, then what exactly does the code below do?

    function filled_out($post)
    {
        // test that each variable has a value
        foreach ($post as $key => $value) {
            if ((!isset($key)) || ($value == '')) {
                return false;
            }
        }
        return true;
    }

Does the above code do the same thing in a different way?

Strange...just realized that the above code checks both the key and the value of the POST array. Meaning...isset($_POST) just checks for the key. I should have noticed it earlier... such a crucial detail.

Strange...just realized that the above code checks both the key and the value of the POST array.
I said that in post 4.
So like boen said, the first post doesn't check anything other than the 'username' key. So, the difference is your snippet in post 1 checks one POST member (username). The snippet in post 3 loops through the member of the argument $post and checks the $key/$value pairs against the condition of being isset and not an empty string, and returning accordingly.
and
isset($_POST)

is actually not checking any key, unless you tell it to.


I said that in post 4.
Yes...your post, after reading it again carefully, helped me reach the conclusion above...I just had not read it carefully in the beginning, but also... I tend to confuse what the index of an array is and what its value is.

It may help you to understand the history of arrays. In C, for example, a variable is just a pointer to an address in memory. The value is stored in memory, and the variable contains the address in memory that stores the value. When you declare a variable in C you also tell it what type of variable it is. So if you declare a variable as an integer, and you're working on a 32-bit system, then declaring that variable will reserve 32 bits (4 bytes) in RAM and the address of that memory is stored with the variable. When you refer to the variable the computer gets the address that it points to and looks up that address to get the value of the variable. PHP abstracts a lot of that, it doesn't need to reserve space in memory and things like that. It uses another method, but that's how C does it. When you declare an array in C, you also declare the type of data that the array will hold and the length of it. So you could declare an array of integers with a length of 10, and it will reserve space for 10 integers in RAM. The key there is that it reserves that space in order, instead of maybe getting space for 3 integers in one part of memory, then 4 somewhere else, and the other 3 somewhere else still. So, a variable is just a pointer to a physical location in memory, like a house address is just a pointer to a particular physical house. Variables are often described using a mailbox analogy, in fact. So let's say you declare an array of 10 ints. Each int is 4 bytes, so you're reserving 40 bytes of contiguous space in RAM for the array. Let's just say the address that it starts at is 0x1000 to keep things simple. So the memory starting at 0x1000 has 40 bytes reserved, which will go from 0x1000 to 0x1028 (in decimal, that would be from 4096 to 4136). So you've got your 10 4-byte "boxes" in memory. Just like a normal variable points to an address in RAM, so does an array. If you refer to the array itself, you're referring to the address 0x1000 only. 
The array variable itself points to 0x1000. When you refer to elements in an array, the computer uses a "base" and "offset" to find the location in memory of that value. The base of this array is 0x1000, it's the location where the array starts. Since the array contains 4-byte values, then to get the address of the particular array element you're looking for you add the base address with the offset multiplied by the 4-bytes of space for each item. So, if you're referring to ar[6], the element with index 6, then the offset is 6 and the address of that value in memory is calculated like this:

    base + (size * offset)
    0x1000 + (4 * 6)
    0x1000 + (24)
    0x1000 + (0x18) = 0x1018

The address of ar[6] is 0x1018. So the index is the offset from the start of the array. This means that if you refer to ar[0], you're referring to this:

    0x1000 + (4 * 0)
    0x1000 + (0) = 0x1000

When the offset is 0 you're referring to the start of the array itself. That is why array indexes start at 0 instead of 1. The index is how you tell it which value you're looking for. The value is what is stored in memory. Incidentally, in C there isn't any such thing as a string data type. There are integers, floating-point numbers, characters, etc. Instead of declaring a string in C, you declare an array of characters. C++ added strings as a first-class data type.


VERY INTERESTING...I will read it again. Have you studied C.Science?
