
run function if form fields are not null

Is it alright to post the isset password like this?

I think it should be if(isset($_POST['username']) && isset(md5($_POST['password']))) - since it posts it encrypted, but if I wrap md5 around the password w/i the conditional, it does not work properly.

if(isset($_POST['username']) && isset($_POST['password'])) {
 //run authentication
} else {
 //show form
}


Brad, yes it's ok. There is really no benefit to posting the password hashed (not encrypted). First, you have to use JavaScript to do that, and it's easily circumvented. Hashing of the submitted password should be done server side to compare with the stored hashed value.

Edit:

Plus, run the following and see what you get:

<?php echo md5(NULL);

Thus, md5 always returns a value.

On top of that try running the following:

<?php var_dump(isset(md5($_POST['password'])));

You'll see the following: Fatal error: Can't use function return value in write context

isset() can only be used with a variable.

Edit:

There is a difference between hashing and encryption. MD5 is a simple hash, one that isn't even cryptographically secure.

Yes, you should not submit passwords in plaintext to your server, but hashing them client side is the same thing. You should be using HTTPS for password form submissions; this is how you encrypt communications between your server and the client.


The whole purpose of

if(isset($_POST['username']) && isset($_POST['password'])) {

is to check if both POST parameters are set/available. There's no authentication involved, not even an assumption about the type of both elements (could be strings, arrays, ...). Only "is there such parameter in the request" and "can I access this element without raising a notice: undefined index".

Now let's compare that to isset(md5($_POST['password'])). md5() takes a string, so md5($_POST['password']) makes two assumptions.
a) There is an element $_POST['password'], the very thing the "original" test checks.
b) (string)$_POST['password'] makes any sense, since whatever you pass to md5() is cast to string. If you pass an array the result is the same as for md5('Array');
Plus md5() always returns a string (the string representation of the hash for the input), so isset() is always true and doesn't make much sense there. (edit: would be always true, if isset() could be used with the return value of a function. But it can't, see comments)

Bottom line: the "original" version serves a "well defined" purpose, the isset(md5(..)) version not so much ;-)


If the fields are in a form which is submitted, then those values will always be isset. What you probably want to check is whether or not they are empty. One simple way is to compare to an empty string, but that requires that you first check that the variable is set, otherwise, when the form hasn't been submitted, you'll get an "array key does not exist" warning. Thankfully, there's a handy method called empty() which checks whether a given variable has been set and whether it has a non-falsey value -- hence you usually want to check if something is not empty.

$x = "";
!empty($x);  // false
isset($x);   // true :(

// beware though:
$x = "0";
!empty($x);  // false

Think of it as a shorthand for this:

isset($x) && $x != false
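
The points made across the answers above (isset() only proves the key exists, the value may be an array, empty() rejects "0", and hashing belongs on the server), combined into one check. This is an added example, not code from the question or any answer; read_credentials() and authenticate() are hypothetical helpers, the sample requests are constructed, and it uses PHP's password_hash()/password_verify() in place of md5(), which the first answer notes is not cryptographically secure.

```php
<?php
// Added example, not code from the question or answers.
// Hypothetical helpers: read_credentials(), authenticate(). Sample data is constructed.

/** Return [username, password] only if both fields are present, are strings and are non-empty. */
function read_credentials(array $post): ?array
{
    foreach (['username', 'password'] as $field) {
        // isset() alone only proves the key exists; password[]=x arrives as an array.
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return null;
        }
        // Compare with '' instead of using empty(), so the valid value "0" is not rejected.
        if ($post[$field] === '') {
            return null;
        }
    }
    return [$post['username'], $post['password']];
}

/** The hash comparison happens server side, against the stored hash. */
function authenticate(array $post, array $storedHashes): bool
{
    $credentials = read_credentials($post);
    if ($credentials === null) {
        return false; // caller shows the form again
    }
    [$username, $password] = $credentials;
    $hash = $storedHashes[$username] ?? null;
    return $hash !== null && password_verify($password, $hash);
}

// Constructed user store: the hash is created once, at registration time.
$storedHashes = ['brad' => password_hash('0', PASSWORD_DEFAULT)];

// Constructed requests, standing in for $_POST.
$requests = [
    'form not submitted'  => [],
    'empty password'      => ['username' => 'brad', 'password' => ''],
    'password[] as array' => ['username' => 'brad', 'password' => ['x']],
    'wrong password'      => ['username' => 'brad', 'password' => 'guess'],
    'password "0"'        => ['username' => 'brad', 'password' => '0'],
];

foreach ($requests as $label => $post) {
    printf("%-20s => %s\n", $label, authenticate($post, $storedHashes) ? 'authenticated' : 'rejected');
}
```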